asyncrat | b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
11-11-2020 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
Size

1.1MB
MD5

6d01213c51ed2570b263b28fa4b9f320
SHA1

aa5aa4142ff6de7e5560424d252c2bf234f14651
SHA256

b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261
SHA512

0ca8354473740c4f6212159f98571eaf3041ea895a3e067b52c9b5e380c948cc5df0fa18171674c35afd5f0bdeb75e676b41a548be1a3e05ed5f7906a8365766

Score

10^/10

asyncrat azorult modiloader discovery evasion infostealer persistence rat spyware trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Extracted

Family

azorult

http://195.245.112.115/index.php

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 8 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1672-146-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/1672-147-0x000000000040616E-mapping.dmp	disable_win_def
behavioral1/memory/1672-149-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/744-155-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/1672-151-0x0000000000400000-0x000000000040C000-memory.dmp	disable_win_def
behavioral1/memory/744-159-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/744-161-0x0000000000400000-0x0000000000408000-memory.dmp	disable_win_def
behavioral1/memory/744-156-0x0000000000403BEE-mapping.dmp	disable_win_def

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Async RAT payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/288-136-0x000000000040C76E-mapping.dmp	asyncrat
behavioral1/memory/288-135-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/288-138-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral1/memory/288-139-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2020-205-0x0000000003D50000-0x0000000003DAC000-memory.dmp	modiloader_stage1

ModiLoader Second Stage 1 IoCs

resource	yara_rule
behavioral1/memory/2020-237-0x0000000004DA0000-0x0000000004DED000-memory.dmp	modiloader_stage2

Executes dropped EXE 10 IoCs

pid	Process
1632	axcjgfhwvvas.exe
976	3037XUZjcz.exe
2020	VoYVJTDpfe.exe
1640	BqK8uXSN7z.exe
1908	v7Y8OM7gGu.exe
288	3037XUZjcz.exe
1672	BqK8uXSN7z.exe
744	v7Y8OM7gGu.exe
896	oscjgfhwvvas.exe
1404	axcjgfhwvvas.exe

Deletes itself 1 IoCs

pid	Process
1568	cmd.exe

Loads dropped DLL 19 IoCs

pid	Process
308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
976	3037XUZjcz.exe
1640	BqK8uXSN7z.exe
1908	v7Y8OM7gGu.exe
1632	axcjgfhwvvas.exe
1632	axcjgfhwvvas.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	v7Y8OM7gGu.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7Y8OM7gGu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
File opened for modification	C:\Users\Admin\AppData\LocalLow\n9h9r91h8fna789q\desktop.ini	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001310f-98.dat	js

Modifies service 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names\WaJxZi5Mg3OcVY83Z8Ifbg1NTEy9uud7IYWRnWdt62W85RwnxBpp46BHYtwOtNzUbuCdB1h1vAdySjGVlDDMZdBPbXmbqedsoFHiUA34Vg4Z3kzx1SF7RZ = "308"	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names\AxhD0VRFVn9pTjitCvs4Lr7LcAd9iR45VKE5edA6UrIqYBuHrSLg2K4uIaUoDCk5oDMVrbQ6BLJJ1PPiSucHoRz5LeUsuRXND1cf4DwS1qVPcCQSli2W5T = "1632"	axcjgfhwvvas.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ASP.NET_4.0.30319\Names\7cHypFF7Jqc05ha9LST04jjf6xZZPOHPgz8qkryzulAk0scSL8DBNCCNaDLN2ctt3VAQf0RAvioiKQpJWH8h0Hn5L3uyiwYDC7Q4GzSEZzb6TWBhAgJEjQ = "896"	oscjgfhwvvas.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 308 set thread context of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 976 set thread context of 288	976	3037XUZjcz.exe	40
PID 1640 set thread context of 1672	1640	BqK8uXSN7z.exe	41
PID 1908 set thread context of 744	1908	v7Y8OM7gGu.exe	42
PID 1632 set thread context of 1404	1632	axcjgfhwvvas.exe	47

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1136	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VoYVJTDpfe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	VoYVJTDpfe.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	VoYVJTDpfe.exe

Suspicious behavior: EnumeratesProcesses 265 IoCs

pid	Process
308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe
1332	powershell.exe
1332	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
Token: SeDebugPrivilege	976	3037XUZjcz.exe
Token: SeDebugPrivilege	1640	BqK8uXSN7z.exe
Token: SeDebugPrivilege	1908	v7Y8OM7gGu.exe
Token: SeDebugPrivilege	1672	BqK8uXSN7z.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	1632	axcjgfhwvvas.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1672	BqK8uXSN7z.exe
1672	BqK8uXSN7z.exe

Suspicious use of WriteProcessMemory 388 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1632	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	29
PID 308 wrote to memory of 1632	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	29
PID 308 wrote to memory of 1632	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	29
PID 308 wrote to memory of 1632	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	29
PID 308 wrote to memory of 1596	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	30
PID 308 wrote to memory of 1596	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	30
PID 308 wrote to memory of 1596	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	30
PID 308 wrote to memory of 1596	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	30
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 308 wrote to memory of 1716	308	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	31
PID 1716 wrote to memory of 976	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	33
PID 1716 wrote to memory of 976	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	33
PID 1716 wrote to memory of 976	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	33
PID 1716 wrote to memory of 976	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	33
PID 1716 wrote to memory of 2020	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	34
PID 1716 wrote to memory of 2020	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	34
PID 1716 wrote to memory of 2020	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	34
PID 1716 wrote to memory of 2020	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	34
PID 1716 wrote to memory of 1640	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	35
PID 1716 wrote to memory of 1640	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	35
PID 1716 wrote to memory of 1640	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	35
PID 1716 wrote to memory of 1640	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	35
PID 1716 wrote to memory of 1908	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	36
PID 1716 wrote to memory of 1908	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	36
PID 1716 wrote to memory of 1908	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	36
PID 1716 wrote to memory of 1908	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	36
PID 1716 wrote to memory of 1568	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	37
PID 1716 wrote to memory of 1568	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	37
PID 1716 wrote to memory of 1568	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	37
PID 1716 wrote to memory of 1568	1716	b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe	37
PID 1568 wrote to memory of 1136	1568	cmd.exe	39
PID 1568 wrote to memory of 1136	1568	cmd.exe	39
PID 1568 wrote to memory of 1136	1568	cmd.exe	39
PID 1568 wrote to memory of 1136	1568	cmd.exe	39
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 976 wrote to memory of 288	976	3037XUZjcz.exe	40
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1640 wrote to memory of 1672	1640	BqK8uXSN7z.exe	41
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1908 wrote to memory of 744	1908	v7Y8OM7gGu.exe	42
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 1672 wrote to memory of 1228	1672	BqK8uXSN7z.exe	43
PID 744 wrote to memory of 1332	744	v7Y8OM7gGu.exe	44
PID 744 wrote to memory of 1332	744	v7Y8OM7gGu.exe	44
PID 744 wrote to memory of 1332	744	v7Y8OM7gGu.exe	44
PID 744 wrote to memory of 1332	744	v7Y8OM7gGu.exe	44
PID 1632 wrote to memory of 896	1632	axcjgfhwvvas.exe	46
PID 1632 wrote to memory of 896	1632	axcjgfhwvvas.exe	46
PID 1632 wrote to memory of 896	1632	axcjgfhwvvas.exe	46
PID 1632 wrote to memory of 896	1632	axcjgfhwvvas.exe	46
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 1632 wrote to memory of 1404	1632	axcjgfhwvvas.exe	47
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49
PID 2020 wrote to memory of 824	2020	VoYVJTDpfe.exe	49

C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
"C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe"
1⤵
- Loads dropped DLL
- Modifies service
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:308
- C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
  "C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies service
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe
    "C:\Users\Admin\AppData\Local\Temp\oscjgfhwvvas.exe"
    3⤵
    - Executes dropped EXE
    - Modifies service
    PID:896
- - C:\Users\Admin\AppData\Local\Temp\axcjgfhwvvas.exe
    "{path}"
    3⤵
    - Executes dropped EXE
    PID:1404
- C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
  "{path}"
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\3037XUZjcz.exe
    "C:\Users\Admin\AppData\Local\Temp\3037XUZjcz.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:976
  - - C:\Users\Admin\AppData\Local\Temp\3037XUZjcz.exe
      "C:\Users\Admin\AppData\Local\Temp\3037XUZjcz.exe"
      4⤵
      Executes dropped EXE
      PID:288
- - C:\Users\Admin\AppData\Local\Temp\VoYVJTDpfe.exe
    "C:\Users\Admin\AppData\Local\Temp\VoYVJTDpfe.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:2020
  - - C:\Windows\SysWOW64\Notepad.exe
      "C:\Windows\System32\Notepad.exe"
      4⤵
      PID:824
- - C:\Users\Admin\AppData\Local\Temp\BqK8uXSN7z.exe
    "C:\Users\Admin\AppData\Local\Temp\BqK8uXSN7z.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\BqK8uXSN7z.exe
      "C:\Users\Admin\AppData\Local\Temp\BqK8uXSN7z.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1672
    - - \??\c:\windows\SysWOW64\cmstp.exe
        
        "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\vnd2w5gx.inf
        5⤵
        
        PID:1228
- - C:\Users\Admin\AppData\Local\Temp\v7Y8OM7gGu.exe
    "C:\Users\Admin\AppData\Local\Temp\v7Y8OM7gGu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Users\Admin\AppData\Local\Temp\v7Y8OM7gGu.exe
      "C:\Users\Admin\AppData\Local\Temp\v7Y8OM7gGu.exe"
      4⤵
      Executes dropped EXE
      Windows security modification
      PID:744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\b99d5d0e6ebfd38c47b999a704cb2558797ed6b149356075036a0de57fbca261.exe"
    3⤵
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    PID:1568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /T 10 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/288-140-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/288-139-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/288-138-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/288-135-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/308-40-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-10-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-62-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-14-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-65-0x0000000004E10000-0x0000000004ECA000-memory.dmp

Filesize
744KB

Download
memory/308-0-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/308-64-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/308-73-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/308-60-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-58-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-56-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-54-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-52-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-50-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-48-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-44-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-12-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-16-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-8-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-46-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-42-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-38-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-36-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-34-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-6-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-32-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-30-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-4-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-28-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-3-0x0000000004BA0000-0x0000000004C68000-memory.dmp

Filesize
800KB

Download
memory/308-26-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-24-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-1-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/308-22-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-20-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/308-18-0x0000000000600000-0x0000000000611000-memory.dmp

Filesize
68KB

Download
memory/744-162-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/744-155-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/744-161-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/744-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/824-238-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/824-240-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/896-222-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/896-225-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/896-224-0x00000000004C0000-0x000000000051B000-memory.dmp

Filesize
364KB

Download
memory/896-216-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/960-97-0x000007FEF6400000-0x000007FEF667A000-memory.dmp

Filesize
2.5MB

Download
memory/976-132-0x0000000000A70000-0x0000000000AB0000-memory.dmp

Filesize
256KB

Download
memory/976-133-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/976-109-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/976-110-0x0000000000EC0000-0x0000000000EC1000-memory.dmp

Filesize
4KB

Download
memory/1332-181-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/1332-172-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/1332-168-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1332-169-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1332-170-0x00000000047C0000-0x00000000047C1000-memory.dmp

Filesize
4KB

Download
memory/1332-171-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/1332-175-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/1332-180-0x00000000056E0000-0x00000000056E1000-memory.dmp

Filesize
4KB

Download
memory/1332-188-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/1332-189-0x00000000055F0000-0x00000000055F1000-memory.dmp

Filesize
4KB

Download
memory/1332-203-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/1332-204-0x0000000006330000-0x0000000006331000-memory.dmp

Filesize
4KB

Download
memory/1404-217-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1404-220-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1632-79-0x0000000000AC0000-0x0000000000B12000-memory.dmp

Filesize
328KB

Download
memory/1632-77-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/1632-70-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-206-0x0000000005250000-0x0000000005297000-memory.dmp

Filesize
284KB

Download
memory/1640-120-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1640-121-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1640-143-0x0000000000510000-0x0000000000541000-memory.dmp

Filesize
196KB

Download
memory/1672-149-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1672-146-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1672-151-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1672-153-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-74-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1716-71-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1908-127-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1908-150-0x0000000000410000-0x0000000000448000-memory.dmp

Filesize
224KB

Download
memory/1908-129-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2020-205-0x0000000003D50000-0x0000000003DAC000-memory.dmp

Filesize
368KB

Download
memory/2020-237-0x0000000004DA0000-0x0000000004DED000-memory.dmp

Filesize
308KB

Download