valleyrat_s2 | 2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
Size

3.8MB
MD5

220aae5d05fd2cc172ddb78e3b5a79d8
SHA1

7f66e1d9d3bb81eb4df045ca7ece093ca166a595
SHA256

2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245
SHA512

3252348ade86c5913648c041ce58e438b7be7ca8b1554ba64f1024a4d9e126d19bb8a58536f5a4a1d0b2c93d472393f32336fac800c1b8b66a82bd274e0fc2c2
SSDEEP

49152:MhbFk85ulG4dJXY5UeD1jWs1O/BP4YPpPAPGPpPVP6PJP8P8P9PdPdPRPfPdPlPl:WRk85ulG4XywJxFTsmBm

Score

10^/10

valleyrat_s2 backdoor defense_evasion discovery evasion privilege_escalation trojan

Malware Config

Extracted

Family

valleyrat_s2

Version

1.0

154.219.97.191:6666

Attributes

campaign_date
2025. 3.14

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

UAC bypass 3 TTPs 2 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

ValleyRat
ValleyRat stage2 is a backdoor written in C++.
backdoor valleyrat_s2
Valleyrat_s2 family
valleyrat_s2

Blocklisted process makes network request 22 IoCs

flow	pid	Process
28	4576	cmd.exe
29	396	cmd.exe
30	5400	cmd.exe
32	5400	cmd.exe
34	4576	cmd.exe
40	396	cmd.exe
42	5400	cmd.exe
43	4576	cmd.exe
68	5400	cmd.exe
69	4576	cmd.exe
70	5400	cmd.exe
71	4576	cmd.exe
76	5400	cmd.exe
77	4576	cmd.exe
78	5400	cmd.exe
79	4576	cmd.exe
88	5400	cmd.exe
90	4576	cmd.exe
91	5400	cmd.exe
92	4576	cmd.exe
93	5400	cmd.exe
94	4576	cmd.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	qusdjcxzzsa.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ebIvyJi.lnk	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe

Executes dropped EXE 5 IoCs

pid	Process
2276	qusdjcxzzsa.exe
864	qusdjcxzzsa.exe
1748	asdccx.exe
3992	asdccx.exe
3328	asdccx.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\G:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\J:	cmd.exe
File opened (read-only)	\??\Q:	cmd.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\W:	cmd.exe
File opened (read-only)	\??\I:	cmd.exe
File opened (read-only)	\??\S:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\Y:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\V:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\X:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\P:	cmd.exe
File opened (read-only)	\??\L:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\U:	cmd.exe
File opened (read-only)	\??\Z:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe
File opened (read-only)	\??\K:	cmd.exe
File opened (read-only)	\??\N:	cmd.exe
File opened (read-only)	\??\M:	cmd.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 864 set thread context of 396	864	qusdjcxzzsa.exe	103
PID 864 set thread context of 5400	864	qusdjcxzzsa.exe	104
PID 864 set thread context of 4576	864	qusdjcxzzsa.exe	106
PID 864 set thread context of 1748	864	qusdjcxzzsa.exe	107
PID 864 set thread context of 3992	864	qusdjcxzzsa.exe	108
PID 864 set thread context of 3328	864	qusdjcxzzsa.exe	109

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2656	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3608	3104	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qusdjcxzzsa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qusdjcxzzsa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	subst.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	mshta.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
8	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
864	qusdjcxzzsa.exe
864	qusdjcxzzsa.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe
5400	cmd.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3104	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
3104	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
3104	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
2276	qusdjcxzzsa.exe
2276	qusdjcxzzsa.exe
2276	qusdjcxzzsa.exe
864	qusdjcxzzsa.exe
864	qusdjcxzzsa.exe
864	qusdjcxzzsa.exe
5400	cmd.exe
4576	cmd.exe
396	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2640	3104	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe	89
PID 3104 wrote to memory of 2640	3104	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe	89
PID 3104 wrote to memory of 2640	3104	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe	89
PID 2640 wrote to memory of 2276	2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe	98
PID 2640 wrote to memory of 2276	2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe	98
PID 2640 wrote to memory of 2276	2640	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe	98
PID 2276 wrote to memory of 864	2276	qusdjcxzzsa.exe	101
PID 2276 wrote to memory of 864	2276	qusdjcxzzsa.exe	101
PID 2276 wrote to memory of 864	2276	qusdjcxzzsa.exe	101
PID 864 wrote to memory of 1780	864	qusdjcxzzsa.exe	102
PID 864 wrote to memory of 1780	864	qusdjcxzzsa.exe	102
PID 864 wrote to memory of 1780	864	qusdjcxzzsa.exe	102
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 396	864	qusdjcxzzsa.exe	103
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 5400	864	qusdjcxzzsa.exe	104
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 4576	864	qusdjcxzzsa.exe	106
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 1748	864	qusdjcxzzsa.exe	107
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3992	864	qusdjcxzzsa.exe	108
PID 864 wrote to memory of 3328	864	qusdjcxzzsa.exe	109
PID 864 wrote to memory of 3328	864	qusdjcxzzsa.exe	109
PID 864 wrote to memory of 3328	864	qusdjcxzzsa.exe	109
PID 864 wrote to memory of 3328	864	qusdjcxzzsa.exe	109

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe

C:\Users\Admin\AppData\Local\Temp\2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
"C:\Users\Admin\AppData\Local\Temp\2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe
  "C:\Users\Admin\AppData\Local\Temp\2730464d9dd8281efae4a02efc3bedb74567883b81b90c4198250545a1d40245.exe" shouciyunxing
  2⤵
  - UAC bypass
  - Drops startup file
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2640
- - C:\Users\Public\TpzoczV\qusdjcxzzsa.exe
    C:/Users/Public/TpzoczV\qusdjcxzzsa.exe zhuruxitong
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Users\Public\TpzoczV\qusdjcxzzsa.exe
      "C:\Users\Public\TpzoczV\qusdjcxzzsa.exe" Kdiaoni
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Public\TpzoczV\62310.cmd
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
      - C:\Windows\SysWOW64\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Public\TpzoczV\62310.cmd","::","","runas",0)(window.close)
        6⤵
        Checks computer location settings
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Public\TpzoczV\62310.cmd" ::
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\subst.exe
        
        subst o: /d
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:8
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Devices" /v O: /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
        8⤵
        Modifies Windows Defender DisableAntiSpyware settings
        System Location Discovery: System Language Discovery
        
        PID:3632
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe
        5⤵
        Blocklisted process makes network request
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe
        5⤵
        Blocklisted process makes network request
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe
        5⤵
        Blocklisted process makes network request
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4576
    - - C:\Users\Public\TpzoczV\asdccx.exe
        
        C:\Users\Public\TpzoczV\asdccx.exe
        5⤵
        Executes dropped EXE
        
        PID:1748
    - - C:\Users\Public\TpzoczV\asdccx.exe
        
        C:\Users\Public\TpzoczV\asdccx.exe
        5⤵
        Executes dropped EXE
        
        PID:3992
    - - C:\Users\Public\TpzoczV\asdccx.exe
        
        C:\Users\Public\TpzoczV\asdccx.exe
        5⤵
        Executes dropped EXE
        
        PID:3328
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 1412
  2⤵
  - Program crash
  PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3104 -ip 3104
1⤵
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\TpzoczV\62310.cmd

Filesize
527B

MD5
34ac662d5343e07bcb06d373e737252f

SHA1
d304ebfd043c4eb09f7c193c3562f94590221211

SHA256
777690549389083ce6807b077ee3bb5410cc1a6f0ee73e6afa7d424471ceb173

SHA512
60e71ead901bd0fb8cc856ba6a09b2e8dda0eca583e40d44fee9ecb632872054d0b7571a315f990915b52b5fc399bce67e0f2b8468210faef3516f399a0ee80e

Download Submit
C:\Users\Public\TpzoczV\asdccx.exe

Filesize
231KB

MD5
d0fce3afa6aa1d58ce9fa336cc2b675b

SHA1
4048488de6ba4bfef9edf103755519f1f762668f

SHA256
4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

SHA512
80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2

Download Submit
C:\Users\Public\TpzoczV\asvv.txt

Filesize
108KB

MD5
d442c9efaf31a91319116ef17e0022e7

SHA1
2809f71775ac044c9e50cf24e2ce1ff3bd16e576

SHA256
5662b6f42fcf97143d252c0f43b2d345a53866f0fe737115ecc99ccfc4370eeb

SHA512
6ad96ab748b31109661357b9dfc0b5c53e6bab6d8c0ca90273d07c438933bf65a5d81b1257774f104c485ac22c50da4832e509f63b107da6055aa31a509f9eae

Download Submit
memory/396-22-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-54-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-82-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-50-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-55-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-83-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-23-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-24-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-21-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/396-20-0x00000000007A0000-0x00000000007C2000-memory.dmp

Filesize
136KB

Download
memory/1748-58-0x0000000000800000-0x00000000008FC000-memory.dmp

Filesize
1008KB

Download
memory/1748-57-0x0000000000800000-0x00000000008FC000-memory.dmp

Filesize
1008KB

Download
memory/1748-59-0x0000000000800000-0x00000000008FC000-memory.dmp

Filesize
1008KB

Download
memory/1748-60-0x0000000000800000-0x00000000008FC000-memory.dmp

Filesize
1008KB

Download
memory/4576-90-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4576-49-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4576-81-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4576-80-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4576-44-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4576-48-0x0000000000700000-0x0000000000722000-memory.dmp

Filesize
136KB

Download
memory/4576-91-0x0000000002B60000-0x0000000002B98000-memory.dmp

Filesize
224KB

Download
memory/5400-78-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/5400-36-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/5400-37-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/5400-85-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/5400-86-0x0000000002C60000-0x0000000002C98000-memory.dmp

Filesize
224KB

Download
memory/5400-87-0x0000000002C60000-0x0000000002C98000-memory.dmp

Filesize
224KB

Download
memory/5400-88-0x0000000002C60000-0x0000000002C98000-memory.dmp

Filesize
224KB

Download
memory/5400-89-0x0000000002C60000-0x0000000002C98000-memory.dmp

Filesize
224KB

Download
memory/5400-79-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download
memory/5400-32-0x0000000000800000-0x0000000000822000-memory.dmp

Filesize
136KB

Download