11c712b2b16eeb1652793fc8bad16d9177ef161398dceb95e136f8f2a349e56c

Analysis

max time kernel
150s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OHT1k0.exe
Size

13.7MB
MD5

deeb1ac61b724f2298efedccc11e550f
SHA1

46aa7dd63305dbce00f8949991ffb23f18abdfc2
SHA256

85b2e9865d7382519e64d6c8f4c828b9fcf384d8db988af14ba172fb3704c857
SHA512

0300b978bb01ea09b66577558a810276a5d18a3643ed3dc322d4ed17043da7e49db64d2bfbbee38a33b37924262fbe3d0c5de4bc2de63e688b6ecd24467eef58
SSDEEP

393216:tiGxXoBUjMI4XFCyhJmM1WJ1ckpXeeKeKapRCe:tim3jP4wyjvUckh3K2RCe

Score

7^/10

bootkit defense_evasion persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	OHT1k0.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	rgtch.exe

Deletes itself 1 IoCs

pid	Process
2552	rgtch.exe

Executes dropped EXE 1 IoCs

pid	Process
2552	rgtch.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	OHT1k0.exe
File opened for modification	\??\PhysicalDrive0	rgtch.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1216	OHT1k0.exe
1216	OHT1k0.exe
2552	rgtch.exe
2552	rgtch.exe

Delays execution with timeout.exe 64 IoCs

evasion

pid	Process
2152	timeout.exe
3056	timeout.exe
4484	timeout.exe
1592	timeout.exe
1680	timeout.exe
4052	timeout.exe
3456	timeout.exe
2296	timeout.exe
1092	timeout.exe
2732	timeout.exe
2640	timeout.exe
1084	timeout.exe
3124	timeout.exe
3092	timeout.exe
5116	timeout.exe
556	timeout.exe
2884	timeout.exe
3484	timeout.exe
4212	timeout.exe
2536	timeout.exe
4512	timeout.exe
3832	timeout.exe
448	timeout.exe
4252	timeout.exe
928	timeout.exe
3280	timeout.exe
4708	timeout.exe
1396	timeout.exe
3888	timeout.exe
3428	timeout.exe
1032	timeout.exe
868	timeout.exe
456	timeout.exe
952	timeout.exe
4912	timeout.exe
3084	timeout.exe
4932	timeout.exe
3324	timeout.exe
724	timeout.exe
4932	timeout.exe
4076	timeout.exe
3060	timeout.exe
1728	timeout.exe
1220	timeout.exe
2148	timeout.exe
4036	timeout.exe
3960	timeout.exe
3872	timeout.exe
1528	timeout.exe
4248	timeout.exe
2828	timeout.exe
852	timeout.exe
4132	timeout.exe
4604	timeout.exe
3528	timeout.exe
4836	timeout.exe
1504	timeout.exe
892	timeout.exe
1492	timeout.exe
1680	timeout.exe
2200	timeout.exe
1512	timeout.exe
868	timeout.exe
3856	timeout.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1216	OHT1k0.exe
2552	rgtch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
1216	OHT1k0.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
116	powershell.exe
116	powershell.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe
2552	rgtch.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2552	rgtch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1216	OHT1k0.exe
2552	rgtch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 2552	1216	OHT1k0.exe	87
PID 1216 wrote to memory of 2552	1216	OHT1k0.exe	87
PID 2552 wrote to memory of 3720	2552	rgtch.exe	89
PID 2552 wrote to memory of 3720	2552	rgtch.exe	89
PID 2552 wrote to memory of 116	2552	rgtch.exe	90
PID 2552 wrote to memory of 116	2552	rgtch.exe	90
PID 3720 wrote to memory of 1680	3720	cmd.exe	93
PID 3720 wrote to memory of 1680	3720	cmd.exe	93
PID 2552 wrote to memory of 2076	2552	rgtch.exe	94
PID 2552 wrote to memory of 2076	2552	rgtch.exe	94
PID 2076 wrote to memory of 2200	2076	cmd.exe	96
PID 2076 wrote to memory of 2200	2076	cmd.exe	96
PID 2076 wrote to memory of 4128	2076	cmd.exe	97
PID 2076 wrote to memory of 4128	2076	cmd.exe	97
PID 3720 wrote to memory of 3484	3720	cmd.exe	98
PID 3720 wrote to memory of 3484	3720	cmd.exe	98
PID 3720 wrote to memory of 868	3720	cmd.exe	99
PID 3720 wrote to memory of 868	3720	cmd.exe	99
PID 3720 wrote to memory of 2152	3720	cmd.exe	100
PID 3720 wrote to memory of 2152	3720	cmd.exe	100
PID 3720 wrote to memory of 3888	3720	cmd.exe	101
PID 3720 wrote to memory of 3888	3720	cmd.exe	101
PID 3720 wrote to memory of 4212	3720	cmd.exe	103
PID 3720 wrote to memory of 4212	3720	cmd.exe	103
PID 3720 wrote to memory of 4932	3720	cmd.exe	105
PID 3720 wrote to memory of 4932	3720	cmd.exe	105
PID 3720 wrote to memory of 3960	3720	cmd.exe	106
PID 3720 wrote to memory of 3960	3720	cmd.exe	106
PID 3720 wrote to memory of 928	3720	cmd.exe	107
PID 3720 wrote to memory of 928	3720	cmd.exe	107
PID 3720 wrote to memory of 2296	3720	cmd.exe	109
PID 3720 wrote to memory of 2296	3720	cmd.exe	109
PID 3720 wrote to memory of 2536	3720	cmd.exe	110
PID 3720 wrote to memory of 2536	3720	cmd.exe	110
PID 3720 wrote to memory of 4076	3720	cmd.exe	111
PID 3720 wrote to memory of 4076	3720	cmd.exe	111
PID 3720 wrote to memory of 3060	3720	cmd.exe	114
PID 3720 wrote to memory of 3060	3720	cmd.exe	114
PID 3720 wrote to memory of 952	3720	cmd.exe	115
PID 3720 wrote to memory of 952	3720	cmd.exe	115
PID 3720 wrote to memory of 3056	3720	cmd.exe	116
PID 3720 wrote to memory of 3056	3720	cmd.exe	116
PID 3720 wrote to memory of 4512	3720	cmd.exe	117
PID 3720 wrote to memory of 4512	3720	cmd.exe	117
PID 3720 wrote to memory of 3528	3720	cmd.exe	118
PID 3720 wrote to memory of 3528	3720	cmd.exe	118
PID 3720 wrote to memory of 3428	3720	cmd.exe	119
PID 3720 wrote to memory of 3428	3720	cmd.exe	119
PID 3720 wrote to memory of 3832	3720	cmd.exe	120
PID 3720 wrote to memory of 3832	3720	cmd.exe	120
PID 3720 wrote to memory of 4712	3720	cmd.exe	121
PID 3720 wrote to memory of 4712	3720	cmd.exe	121
PID 3720 wrote to memory of 1032	3720	cmd.exe	122
PID 3720 wrote to memory of 1032	3720	cmd.exe	122
PID 3720 wrote to memory of 1728	3720	cmd.exe	123
PID 3720 wrote to memory of 1728	3720	cmd.exe	123
PID 3720 wrote to memory of 3872	3720	cmd.exe	124
PID 3720 wrote to memory of 3872	3720	cmd.exe	124
PID 3720 wrote to memory of 3092	3720	cmd.exe	125
PID 3720 wrote to memory of 3092	3720	cmd.exe	125
PID 3720 wrote to memory of 5116	3720	cmd.exe	126
PID 3720 wrote to memory of 5116	3720	cmd.exe	126
PID 3720 wrote to memory of 448	3720	cmd.exe	127
PID 3720 wrote to memory of 448	3720	cmd.exe	127

C:\Users\Admin\AppData\Local\Temp\OHT1k0.exe
"C:\Users\Admin\AppData\Local\Temp\OHT1k0.exe"
1⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\rgtch.exe
  C:\Users\Admin\AppData\Local\Temp\rgtch.exe -asec -upd -rmf=433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f4f4854316b302e657865
  2⤵
  - Checks computer location settings
  - Deletes itself
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /k "(for /L %n in () do (if exist "C:\Users\Admin\AppData\Local\Temp\rgtch.exe" (del /f "C:\Users\Admin\AppData\Local\Temp\rgtch.exe" && timeout /t 2 /nobreak >nul) else (exit)))"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3720
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1680
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3484
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:868
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2152
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3888
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4212
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4932
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3960
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:928
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2296
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2536
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4076
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3060
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:952
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3056
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4512
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3528
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3428
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3832
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:4712
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1032
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1728
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3872
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3092
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:5116
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:448
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2732
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4836
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4912
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1504
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3280
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1220
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3856
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4248
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3084
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2640
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:4972
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1680
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2828
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4052
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2200
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:852
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1092
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:868
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:2248
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:892
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4708
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1512
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:456
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3456
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:556
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1528
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4932
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4484
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4252
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1396
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4132
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1084
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:4160
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2148
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3324
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3124
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4036
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4604
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2884
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:724
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:2252
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1492
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1592
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      PID:1788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command "while ($true) { if (Test-Path 'C:\Users\Admin\AppData\Local\Temp\rgtch.exe') { Remove-Item -Force 'C:\Users\Admin\AppData\Local\Temp\rgtch.exe'; Start-Sleep -Seconds 2 } else { exit } }"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:116
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /k "(reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\rgtch.exe" >nul 2>&1 || reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\etgpu.rkr" >nul 2>&1) && (for /L %n in () do (tasklist | find "2552" >nul && timeout /t 5 /nobreak >nul || (timeout /t 8 /nobreak >nul & reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\rgtch.exe" /f >nul 2>&1 & reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\etgpu.rkr" /f >nul 2>&1 & exit))) || exit"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /v "C:\Users\Admin\AppData\Local\Temp\rgtch.exe"
      4⤵
      PID:2200
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\Hfref\Nqzva\NccQngn\Ybpny\Grzc\etgpu.rkr"
      4⤵
      PID:4128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
2aee7f3c1c2f1b7ed81c6b9b30727d33

SHA1
c27a99a39eb13cffecad5ad06d45e564886f38b3

SHA256
c1d559ef7a8b55a4975c2f18558cb6192cd5e4f8eeeb6230b5a27b3d49c0485c

SHA512
ca92dfaf051dfa5529df0d520b1523d24f376f8e06528095ff2288d40c32160a962d16a121c12b6dd0dadb403fa15a52e7e868b3943071a846e80849c8da2b73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
ae072fd903d0b59b7019450f4074ed61

SHA1
2e498c711f6a070913c9a0816dafc10692957905

SHA256
b96a1290ac09e719ebc1038971319d7e085648ef61242c2f14bdb3aaf8bf1fd4

SHA512
088ef109b6272eafc1328b601b63ccba8bacb27052d5ac9ad4b5f90c7600e3388b679af72f0aa95c0fba8428d34b5d2051d3be1a04c721684f6b39ce7ad45e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kj1tuqrc.nzw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgtch.exe

Filesize
14.0MB

MD5
d9c6767c3e7ab481a670056ec309626a

SHA1
31d8473383c44430f6f43467c1abf698809e083c

SHA256
553c095f18011ab0b46a6d8a99c5bf7cf6102d06b125389a215b955c7c4bee1a

SHA512
a7013ac66d3327d0b62f838812687ff6e44e125d2106d669ea877539a2e9fd8b3896f44a83770d0df588caada40941c912d16ce1957cb10332bd00a85d63366d

Download Submit
memory/116-384-0x000001A7598D0000-0x000001A7598F2000-memory.dmp

Filesize
136KB

Download
memory/1216-42-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-65-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-39-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-22-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-38-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-64-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-63-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-62-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-61-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-60-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-59-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-58-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/1216-56-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-55-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-54-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-53-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-52-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-51-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-50-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/1216-48-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-47-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-46-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-45-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-44-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-37-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-2-0x0000000140000000-0x0000000143726000-memory.dmp

Filesize
55.1MB

Download
memory/1216-41-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-40-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-9-0x0000000003720000-0x0000000003922000-memory.dmp

Filesize
2.0MB

Download
memory/1216-7-0x00000000032D0000-0x0000000003712000-memory.dmp

Filesize
4.3MB

Download
memory/1216-43-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-36-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-35-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-34-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-33-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-32-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1216-30-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-29-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-28-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-27-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-26-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-25-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-24-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-23-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-21-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-20-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-19-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-18-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-17-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-16-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-15-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-13-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-0-0x00000001427B1000-0x000000014297B000-memory.dmp

Filesize
1.8MB

Download
memory/1216-1-0x00007FFCC1990000-0x00007FFCC1992000-memory.dmp

Filesize
8KB

Download
memory/1216-12-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-11-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/1216-366-0x00000001427B1000-0x000000014297B000-memory.dmp

Filesize
1.8MB

Download
memory/1216-367-0x0000000140000000-0x0000000143726000-memory.dmp

Filesize
55.1MB

Download