Malware Analysis Report

2024-09-23 01:10

Sample ID 240516-23hkxadd25
Target release_lava.exe.1
SHA256 5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0
Tags
asyncrat stormkitty default evasion execution persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0

Threat Level: Known bad

The file release_lava.exe.1 was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default evasion execution persistence rat spyware stealer

StormKitty

StormKitty payload

Modifies security service

AsyncRat

Async RAT payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Creates new service(s)

Stops running service(s)

Sets service image path in registry

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Enumerates system info in registry

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-16 23:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 23:06

Reported

2024-05-16 23:08

Platform

win7-20240508-en

Max time kernel

150s

Max time network

147s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\release.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\GoogleUpdateTaskMachineQC\ImagePath = "C:\\ProgramData\\Google\\Chrome\\updater.exe" C:\Windows\system32\services.exe N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\49c5d0e6340d910ded8f46e15546924b\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\49c5d0e6340d910ded8f46e15546924b\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\49c5d0e6340d910ded8f46e15546924b\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\49c5d0e6340d910ded8f46e15546924b\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
File created C:\Users\Admin\AppData\Local\49c5d0e6340d910ded8f46e15546924b\Admin@UOTHCPHQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\release.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1872 set thread context of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2716 set thread context of 2956 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2716 set thread context of 2776 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2716 set thread context of 544 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini C:\Windows\system32\wbem\WMIADAP.EXE N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WMIADAP.EXE N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 10598fb1e5a7da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\system32\dialer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates C:\Windows\system32\dialer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [DER certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [DER certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\Server.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1240 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 1240 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 1240 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 1240 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 1240 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1240 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1240 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1240 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2548 wrote to memory of 2444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 1872 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2580 wrote to memory of 428 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2580 wrote to memory of 472 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\services.exe
PID 2580 wrote to memory of 488 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2580 wrote to memory of 496 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsm.exe
PID 2580 wrote to memory of 596 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 676 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 740 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2580 wrote to memory of 812 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2580 wrote to memory of 856 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 964 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 112 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 1012 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 2580 wrote to memory of 1060 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 1108 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhost.exe
PID 2580 wrote to memory of 1160 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\Dwm.exe
PID 2580 wrote to memory of 1224 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 2580 wrote to memory of 2392 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2580 wrote to memory of 2472 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sppsvc.exe
PID 2580 wrote to memory of 1872 N/A C:\Windows\system32\dialer.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 2580 wrote to memory of 1952 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2580 wrote to memory of 2992 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2580 wrote to memory of 1192 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2580 wrote to memory of 1804 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2580 wrote to memory of 1712 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2580 wrote to memory of 1824 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2580 wrote to memory of 2004 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2580 wrote to memory of 548 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2580 wrote to memory of 3028 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2580 wrote to memory of 2084 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2580 wrote to memory of 2640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2580 wrote to memory of 2736 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2580 wrote to memory of 2996 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2580 wrote to memory of 1608 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 472 wrote to memory of 2716 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 472 wrote to memory of 2716 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 472 wrote to memory of 2716 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2580 wrote to memory of 2716 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2580 wrote to memory of 2716 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2580 wrote to memory of 2136 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2580 wrote to memory of 2196 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2924 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2924 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2924 wrote to memory of 1032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2716 wrote to memory of 2956 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2716 wrote to memory of 2956 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 2716 wrote to memory of 2956 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\release_lava.exe

"C:\Users\Admin\AppData\Local\Temp\release_lava.exe"

C:\Users\Admin\AppData\Local\Temp\release.exe

"C:\Users\Admin\AppData\Local\Temp\release.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1996649126-102804166-1340026351646733210-134350306571688935616722020301397086461"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "19100424323869964541594201601-16223444161662582085-9717969458104745-1904166325"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2023949408-92271941216110468951908679684-21491746-3129435381100066242-436685846"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1762280559755885592-1231079407170309941-10093961586267579111830447021977167917"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1432219979-2132627269-916659810-2136481946814873977-10607449471222013797266919737"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2110878446249670784175660671457152474016291766737761261515396395611503897996"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "13966173231874448282-78980211415967306121616956246611305618-660514856-492904063"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-8156669971148606755-467213788-2032971093-4372864971864807632-221346851697692687"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1704340636-2108516943-177063810-1858327689-16182553981497734189-257235945834003190"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "18031727751576936365182116186743102966916313921361537636121-544117918657945271"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1256573839-976700896-1035419135-920509009112150976-1658847614-1479986004943033680"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1141303541-1973175228-1092104698996744268653882381419174671-1075097335-1843041976"

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-513433197-1661323847416835451448960757-16855011781298198787-682151640849346827"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-114039333519001237913809580111161107928-1927048011-150619942649048662-758624262"

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Network

Country Destination           Domain                                     Proto
US      8.8.8.8:53            xmr-us-east1.nanopool.org                  udp
CA      51.222.106.253:10343  xmr-us-east1.nanopool.org                  tcp
US      8.8.8.8:53            pastebin.com                               udp
US      172.67.19.24:443      pastebin.com                               tcp
CA      51.79.71.77:10343     xmr-us-east1.nanopool.org                  tcp
US      8.8.8.8:53            archangeladmindashboard.000webhostapp.com  udp
US      145.14.144.75:443     archangeladmindashboard.000webhostapp.com  tcp
US      8.8.8.8:53            icanhazip.com                              udp
US      104.16.184.241:80     icanhazip.com                              tcp
US      8.8.8.8:53            api.mylnikov.org                           udp
US      172.67.196.114:443    api.mylnikov.org                           tcp
US      8.8.8.8:53            apps.identrust.com                         udp
US      2.18.190.81:80        apps.identrust.com                         tcp
US      8.8.8.8:53            api.telegram.org                           udp
NL      149.154.167.220:443   api.telegram.org                           tcp
NL      149.154.167.220:443   api.telegram.org                           tcp
N/A     127.0.0.1:6606        N/A                                        tcp
N/A     127.0.0.1:6606        N/A                                        tcp
N/A     127.0.0.1:6606        N/A                                        tcp
N/A     127.0.0.1:7707        N/A                                        tcp
US      145.14.144.75:443     archangeladmindashboard.000webhostapp.com  tcp
N/A     127.0.0.1:6606        N/A                                        tcp
N/A     127.0.0.1:8808        N/A                                        tcp
N/A     127.0.0.1:8808        N/A                                        tcp
N/A     127.0.0.1:8808        N/A                                        tcp
N/A     127.0.0.1:7707        N/A                                        tcp
N/A     127.0.0.1:7707        N/A                                        tcp
N/A     127.0.0.1:6606        N/A                                        tcp
N/A     127.0.0.1:7707        N/A                                        tcp
N/A     127.0.0.1:6606        N/A                                        tcp
N/A     127.0.0.1:8808        N/A                                        tcp
N/A     127.0.0.1:7707        N/A                                        tcp
N/A     127.0.0.1:8808        N/A                                        tcp
US      8.8.8.8:53            archangeladmindashboard.000webhostapp.com  udp
US      145.14.144.92:443     archangeladmindashboard.000webhostapp.com  tcp
N/A     127.0.0.1:8808        N/A                                        tcp
N/A     127.0.0.1:7707        N/A                                        tcp
N/A     127.0.0.1:6606        N/A                                        tcp

Files

\Users\Admin\AppData\Local\Temp\release.exe

MD5 f0c677d565a3299f693a68cdea0a4998
SHA1 4cd1ee7321e4c64bad5cabb01a7d56efccd4e058
SHA256 be9a43dffd8fa5ca2e10ef5493cbb1c647d8fefa829866f00c99162c45ccf456
SHA512 87986f5a4a2342cbf147c665e3f625ed44ea8e775fb770e2801fbdbac0d0b4817bfb08fdb76fdcb62724b7ab915673cb8f795c803a7525dfea3689b2c134337d

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 df96a0997b631e96c050382b96804ebb
SHA1 9d3b7dfd52eb72bf1c124f0cf1574dc0ba174d90
SHA256 4408d454808a4e3ca0361423f310c3e6b4754c2d0c2be4973d39dea722409430
SHA512 6954f887f1a0d8224503c9585274aef3bf510b41f8f133a4dfc133e147c4a65a819b4fd35e3d78d8ac70397679fa6299bf441d9a9016ab6ac29b837887ce41cf

C:\Windows\system32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

C:\Users\Admin\AppData\Local\49c5d0e6340d910ded8f46e15546924b\Admin@UOTHCPHQ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\CabBF04.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarC0BC.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\e2d87b122957094538570b1eeb4c4fef\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Windows\System32\perfc011.dat

MD5 1f998386566e5f9b7f11cc79254d1820
SHA1 e1da5fe1f305099b94de565d06bc6f36c6794481
SHA256 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512 a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512 c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 46d08e3a55f007c523ac64dce6dcf478
SHA1 62edf88697e98d43f32090a2197bead7e7244245
SHA256 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512 b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

C:\Windows\System32\perfh011.dat

MD5 54c674d19c0ff72816402f66f6c3d37c
SHA1 2dcc0269545a213648d59dc84916d9ec2d62a138
SHA256 646d4ea2f0670691aa5b998c26626ede7623886ed3ac9bc9679018f85e584bb5
SHA512 4d451e9bef2c451cb9e86c7f4d705be65787c88df5281da94012bfbe5af496718ec3e48099ec3dff1d06fee7133293f10d649866fe59daa7951aebe2e5e67c1f

C:\Windows\System32\perfh010.dat

MD5 4623482c106cf6cc1bac198f31787b65
SHA1 5abb0decf7b42ef5daf7db012a742311932f6dad
SHA256 eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512 afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

C:\Windows\System32\perfc010.dat

MD5 d73172c6cb697755f87cd047c474cf91
SHA1 abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA256 9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA512 7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

C:\Windows\System32\perfh00C.dat

MD5 5f684ce126de17a7d4433ed2494c5ca9
SHA1 ce1a30a477daa1bac2ec358ce58731429eafe911
SHA256 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA512 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

C:\Windows\System32\perfc00C.dat

MD5 ce233fa5dc5adcb87a5185617a0ff6ac
SHA1 2e2747284b1204d3ab08733a29fdbabdf8dc55b9
SHA256 68d4de5e72cfd117151c44dd6ec74cf46fafd6c51357895d3025d7dac570ce31
SHA512 1e9c8e7f12d7c87b4faa0d587a8b374e491cd44f23e13fdb64bde3bc6bf3f2a2d3aba5444a13b199a19737a8170ee8d4ead17a883fbaee66b8b32b35b7577fc2

C:\Windows\System32\perfh00A.dat

MD5 7d0bac4e796872daa3f6dc82c57f4ca8
SHA1 b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256 ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512 145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

C:\Windows\System32\perfc00A.dat

MD5 f0ecfbfa3e3e59fd02197018f7e9cb84
SHA1 961e9367a4ef3a189466c0a0a186faf8958bdbc4
SHA256 cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324
SHA512 116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

C:\Windows\System32\perfh009.dat

MD5 aecab86cc5c705d7a036cba758c1d7b0
SHA1 e88cf81fd282d91c7fc0efae13c13c55f4857b5e
SHA256 9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066
SHA512 e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

C:\Windows\System32\perfh007.dat

MD5 b69ab3aeddb720d6ef8c05ff88c23b38
SHA1 d830c2155159656ed1806c7c66cae2a54a2441fa
SHA256 24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625
SHA512 4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

C:\Windows\System32\perfc007.dat

MD5 19c7052de3b7281b4c1c6bfbb543c5dc
SHA1 d2e12081a14c1069c89f2cee7357a559c27786e7
SHA256 14ed6cb3198e80964cbc687a60aed24fb68d1bbd7588f983dc1fc6ae63514b4a
SHA512 289ca791909882c857014bd24e777fa84b533896508b562051b529d4c27e0d98bc41c801c6384b382f5dc0fa584dc8f713939c636543b0a5cf5ea2b396300f83

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 23:06

Reported

2024-05-16 23:09

Platform

win10v2004-20240226-en

Max time kernel

39s

Max time network

160s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\release.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion execution

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\release_lava.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\release.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D C:\Windows\system32\lsass.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5104 set thread context of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4864 set thread context of 4248 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 4864 set thread context of 4012 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 4864 set thread context of 2708 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02ixvrspxsmihruq C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02ixvrspxsmihruq\DeviceId = "<Data LastUpdatedTime=\"1715900814\"><User username=\"02IXVRSPXSMIHRUQ\"/></Data>\r\n" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02ixvrspxsmihruq\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02ixvrspxsmihruq" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ixvrspxsmihruq C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02ixvrspxsmihruq\DeviceId = "<Data LastUpdatedTime=\"1715900814\"><User username=\"02IXVRSPXSMIHRUQ\"><HardwareInfo BoundTime=\"1715900814\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\" LicenseInstallError=\"0\" LicenseKeyVersion=\"2\"/></User></Data>\r\n" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02ixvrspxsmihruq\Provision Thursday, May 16, 2024 23:06:52 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAlOhg+TnVyEqnpU7UmankpgAAAAACAAAAAAAQZgAAAAEAACAAAAC2rw12d/0/+7xG0ztE4YJNkyYSexcmcTnL/GQiGN5uFQAAAAAOgAAAAAIAACAAAACirHmYt3F0P12OA0vJvinmBsm7+Ghhe1Q2HN4aifKmXSAAAAAXv0wDJQYWzNcRpSEl18aMz3fCgMSFfsIA9k8FGChCyEAAAABM8E5JL9+YEr0iYmlI7FfV+UuChpgwGyqaZB6aUNoZ+TS3a45d2He65qYJiw38NbIBLb/z2zrNx498q8jmB4oX" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E594F179D" C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3328 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3328 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3328 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3328 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3328 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 864 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 864 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4380 wrote to memory of 632 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 4380 wrote to memory of 680 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 4380 wrote to memory of 956 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 316 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 4380 wrote to memory of 532 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 412 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1036 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1100 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1108 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1192 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1200 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1260 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1336 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1376 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1440 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1456 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1528 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1536 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1664 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 1708 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1756 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1800 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1860 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1932 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1940 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2032 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 1368 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2100 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 4380 wrote to memory of 2180 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 680 wrote to memory of 2844 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4380 wrote to memory of 2256 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 2420 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sihost.exe
PID 4380 wrote to memory of 2428 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2524 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhostw.exe
PID 4380 wrote to memory of 2544 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2656 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2664 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2784 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2836 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2844 N/A C:\Windows\system32\dialer.exe C:\Windows\sysmon.exe
PID 4380 wrote to memory of 2884 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 4380 wrote to memory of 2896 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 2920 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 3012 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 3244 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\wbem\unsecapp.exe
PID 4380 wrote to memory of 3512 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 4380 wrote to memory of 3640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 3856 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\DllHost.exe
PID 4380 wrote to memory of 4080 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 4380 wrote to memory of 4220 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
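The rows above describe a three-hop hand-off: release_lava.exe (PID 3328) writes into release.exe (5104) and Server.exe (1592); release.exe writes repeatedly into a freshly started copy of the Windows binary dialer.exe (4380); dialer.exe then writes into winlogon, lsass, dwm, spoolsv, sysmon, Explorer and every svchost instance on the box, and the injected lsass (680) in turn writes into sysmon (2844). The script below is an added worked example, not part of the sandbox report. It parses a constructed subset of the table (same PIDs and image paths), builds the writer-to-target graph, and flags the two signals an analyst would alert on: one process writing into many unrelated processes, and any write into a protected process. The fan-out threshold, the PROTECTED set and the USER_WRITABLE prefixes are analyst choices, not report data.

```python
"""Injection-graph triage for a 'Suspicious use of WriteProcessMemory' table.

Added worked example; not part of the sandbox report. SAMPLE_ROWS is a
constructed subset copied from the table. PROTECTED, USER_WRITABLE and the
fan-out threshold are analyst choices.
"""
import re

SAMPLE_ROWS = r"""
PID 3328 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3328 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 5104 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 864 wrote to memory of 1608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4380 wrote to memory of 632 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 4380 wrote to memory of 680 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 4380 wrote to memory of 956 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 4380 wrote to memory of 316 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 4380 wrote to memory of 2100 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 680 wrote to memory of 2844 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4380 wrote to memory of 2844 N/A C:\Windows\system32\dialer.exe C:\Windows\sysmon.exe
PID 4380 wrote to memory of 3512 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Analyst choice: processes no user-land binary has a legitimate reason to write into.
PROTECTED = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe", "sysmon.exe"}
# Analyst choice: a writer living here is worth a reason on its own.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_graph(rows):
    """pid -> {'image': path, 'targets': {target_pid: target_image}}.
    Targets are registered as nodes too, so leaves can be named; repeated
    writes into the same target collapse onto one edge."""
    graph = {}
    for wpid, tpid, wimg, timg in rows:
        graph.setdefault(tpid, {"image": timg, "targets": {}})
        graph.setdefault(wpid, {"image": wimg, "targets": {}})["targets"][tpid] = timg
    return graph


def flag_injectors(graph, fanout_threshold=3):
    """writer_pid -> list of reasons, for writers that look like injectors."""
    findings = {}
    for pid, node in graph.items():
        targets = node["targets"]
        if not targets:
            continue
        reasons = []
        if len(targets) >= fanout_threshold:
            reasons.append(f"fan-out: wrote into {len(targets)} distinct processes")
        hit = sorted({basename(p) for p in targets.values()} & PROTECTED)
        if hit:
            reasons.append("wrote into protected process(es): " + ", ".join(hit))
        if any(d in node["image"].lower() for d in USER_WRITABLE):
            reasons.append("writer runs from a user-writable directory")
        if reasons:
            findings[pid] = reasons
    return findings


def chains(graph, pid, seen=()):
    """Every writer->target chain starting at pid (DFS, cycle-safe). Inner hops
    that are themselves writers are the dropper -> loader -> hollowed system
    binary -> system processes hand-off."""
    seen = seen + (pid,)
    nxt = [t for t in graph.get(pid, {"targets": {}})["targets"] if t not in seen]
    if not nxt:
        return [seen]
    out = []
    for t in nxt:
        out.extend(chains(graph, t, seen))
    return out


if __name__ == "__main__":
    g = build_graph(parse_rows(SAMPLE_ROWS))
    for pid, why in sorted(flag_injectors(g).items()):
        print(pid, basename(g[pid]["image"]), "|", "; ".join(why))
    longest = max(chains(g, 3328), key=len)
    print(" -> ".join(f"{p}:{basename(g[p]['image'])}" for p in longest))
```

On the sample rows the script reports 3328 and 5104 (writers in %TEMP%), 4380 (fan-out of 7, writes into winlogon, lsass and sysmon) and 680 (lsass writing into sysmon), and leaves 864 (cmd.exe into its wusa.exe child) alone. The longest chain is 3328 -> 5104 -> 4380 -> 680 -> 2844, five hops. On a real host the same logic runs over Sysmon event ID 8/10 or EDR cross-process telemetry; the threshold needs tuning there because some legitimate software (debuggers, accessibility tools) also writes into other processes, but nothing legitimate writes into lsass.exe from a binary in the user's Temp directory.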

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ff96bf82e98,0x7ff96bf82ea4,0x7ff96bf82eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Users\Admin\AppData\Local\Temp\release_lava.exe

"C:\Users\Admin\AppData\Local\Temp\release_lava.exe"

C:\Users\Admin\AppData\Local\Temp\release.exe

"C:\Users\Admin\AppData\Local\Temp\release.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid
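The command lines in this section are the sample's whole playbook, and they run twice: once from release.exe and again from C:\ProgramData\Google\Chrome\updater.exe after the GoogleUpdateTaskMachineQC service starts. In order: PowerShell adds Defender exclusions for the whole user profile and ProgramData plus every .exe; wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool; sc stop knocks out UsoSvc, WaaSMedicSvc, wuauserv, bits and dosvc so Windows Update cannot restore anything; powercfg zeroes the sleep and hibernate timeouts so the host stays up; sc delete/create/start registers a service whose binary lives in ProgramData under a Google-looking name; sc stop eventlog silences the log. Separately, the 32-bit stealer component shells out to netsh wlan show profile and netsh wlan show networks mode=bssid to collect saved Wi-Fi profiles and nearby BSSIDs. The script below is an added worked example, not part of the report: it classifies a constructed subset of these command lines with regex rules and shows the duplicate runs collapsing. The rule names and patterns are analyst choices.

```python
"""Command-line triage for the process list of a sandbox report.

Added worked example; not part of the sandbox report. SAMPLE_CMDLINES is a
constructed subset copied from the Processes section. Rule names and regexes
are analyst choices. KB890830 is the Malicious Software Removal Tool update,
so 'wusa /uninstall /kb:890830' removes MSRT.
"""
import re
from collections import defaultdict

SAMPLE_CMDLINES = r"""
"C:\Users\Admin\AppData\Local\Temp\release.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe stop WaaSMedicSvc
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe stop UsoSvc
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
"""

# (tag, pattern); each pattern is matched case-insensitively against the whole line.
RULES = [
    ("defender_exclusion", r"add-mppreference\b.*-exclusion(path|extension)"),
    ("update_services_stopped", r"\bsc(\.exe)?\s+stop\s+(usosvc|waasmedicsvc|wuauserv|bits|dosvc)\b"),
    ("event_log_stopped", r"\bsc(\.exe)?\s+stop\s+eventlog\b"),
    ("msrt_removed", r"\bwusa\b.*/uninstall\b.*/kb:890830\b"),
    ("sleep_disabled", r"\bpowercfg(\.exe)?\s+(/x|/change|-x|-change)\s+-(hibernate|standby)-timeout-(ac|dc)\s+0\b"),
    ("service_persistence_programdata", r'\bsc(\.exe)?\s+create\b.*\bbinpath=\s*"?c:\\programdata\\'),
    ("wifi_profile_harvest", r"\bnetsh\s+wlan\s+show\s+profile"),
    ("wifi_bssid_survey", r"\bnetsh\s+wlan\s+show\s+networks\s+mode=bssid"),
]
COMPILED = [(tag, re.compile(rx, re.I)) for tag, rx in RULES]

# Tags that together make up the exclusion / update-blocking / persistence chain.
CHAIN = {"defender_exclusion", "update_services_stopped", "sleep_disabled",
         "service_persistence_programdata"}


def load(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def classify(cmdline):
    """Tags matched by one command line, in RULES order."""
    return [tag for tag, rx in COMPILED if rx.search(cmdline)]


def triage(cmdlines):
    """tag -> sorted distinct command lines. Identical lines collapse, so a
    chain run twice shows up as one set of techniques, not twice the noise."""
    hits = defaultdict(set)
    for c in cmdlines:
        for tag in classify(c):
            hits[tag].add(c)
    return {tag: sorted(v) for tag, v in hits.items()}


def run_count(cmdlines, tag):
    """How many times commands carrying `tag` actually ran, duplicates included."""
    return sum(1 for c in cmdlines if tag in classify(c))


def full_evasion_chain(triaged):
    """True when every tag of the chain is present in a triage result."""
    return CHAIN <= set(triaged)


if __name__ == "__main__":
    lines = load(SAMPLE_CMDLINES)
    t = triage(lines)
    for tag, cmds in t.items():
        print(f"{tag} ({run_count(lines, tag)} runs, {len(cmds)} distinct)")
        for c in cmds:
            print("   ", c)
    print("full chain present:", full_evasion_chain(t))
```

Two details matter for detection engineering here. The duplicate runs (Defender exclusion twice, sc stop UsoSvc twice) are not parser noise; they are the second execution from the installed service, so a rule that counts runs rather than distinct commands sees the persistence working. And the wusa line matches twice because the sandbox logged both the cmd.exe /c wrapper and the wusa.exe child; when hunting in EDR telemetry, key on the child process so the wrapper does not double-count.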

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.79.71.77:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 77.71.79.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
CA 51.222.106.253:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.145.154:443 archangeladmindashboard.000webhostapp.com tcp
CA 51.222.200.133:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 253.106.222.51.in-addr.arpa udp
US 8.8.8.8:53 154.145.14.145.in-addr.arpa udp
US 8.8.8.8:53 133.200.222.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.144.92:443 archangeladmindashboard.000webhostapp.com tcp
US 8.8.8.8:53 92.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 66.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
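The Network table mixes three kinds of row. Rows to 8.8.8.8:53 over udp are DNS queries to the sandbox resolver, so their Destination column is the resolver, not attacker infrastructure; rows whose Domain ends in .in-addr.arpa are the sandbox's own reverse lookups of addresses it just saw; the rest are real connections. Stripped of the first two, what remains is a Monero pool (xmr-us-east1.nanopool.org on port 10343, three separate endpoints), pastebin.com and a 000webhostapp.com host used for hosting/C2, icanhazip.com for the external IP, api.mylnikov.org for geolocation (it answers BSSID lookups, which is what the netsh wlan show networks mode=bssid run in the process list feeds), and api.telegram.org, consistent with the stealer reporting over the Telegram bot API. The script below is an added worked example, not part of the report: it parses a constructed subset of the table, separates DNS rows from connections, drops the reverse-lookup noise and groups indicators by category. The category names and host patterns are analyst choices.

```python
"""IOC triage for the Network table of a sandbox report.

Added worked example; not part of the sandbox report. SAMPLE_NETWORK is a
constructed subset copied from the table. Category names and host patterns
are analyst choices; the 'xmr-' prefix on the nanopool hostname is what marks
it as a Monero pool, the other hosts are legitimate services being abused.
"""
import re
from collections import defaultdict

SAMPLE_NETWORK = """\
Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.79.71.77:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 77.71.79.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
CA 51.222.106.253:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.145.154:443 archangeladmindashboard.000webhostapp.com tcp
CA 51.222.200.133:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 145.14.144.92:443 archangeladmindashboard.000webhostapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
"""

CATEGORIES = [
    ("mining_pool", re.compile(r"(^|\.)nanopool\.org$|^xmr-")),
    ("paste_and_free_hosting", re.compile(r"(^|\.)(pastebin\.com|000webhostapp\.com)$")),
    ("messenger_api_exfil", re.compile(r"^api\.telegram\.org$")),
    ("external_ip_lookup", re.compile(r"^icanhazip\.com$")),
    ("geolocation_lookup", re.compile(r"^api\.mylnikov\.org$")),
]
NOISE = {"ptr_noise", "no_domain", "unclassified"}


def parse_network(text):
    """Rows -> dicts. The Domain column may be empty (3 fields instead of 4)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            cc, dest, domain, proto = parts
        elif len(parts) == 3:
            (cc, dest, proto), domain = parts, ""
        else:
            raise ValueError(f"unparsed row: {line!r}")
        ip, _, port = dest.rpartition(":")
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def category(domain):
    if not domain:
        return "no_domain"
    if domain.endswith(".in-addr.arpa"):
        return "ptr_noise"  # sandbox reverse lookups, not attacker infrastructure
    for name, rx in CATEGORIES:
        if rx.search(domain):
            return name
    return "unclassified"


def extract_iocs(rows):
    """category -> {'domains': set, 'endpoints': set of 'ip:port'}.
    DNS rows (udp/53) contribute only the queried name; everything else is a
    real connection and contributes ip:port plus the name it resolved from."""
    out = defaultdict(lambda: {"domains": set(), "endpoints": set()})
    for r in rows:
        cat = category(r["domain"])
        if r["proto"] == "udp" and r["port"] == 53:
            out[cat]["domains"].add(r["domain"])
            continue
        out[cat]["endpoints"].add(f"{r['ip']}:{r['port']}")
        if r["domain"]:
            out[cat]["domains"].add(r["domain"])
    return dict(out)


def blocklist(iocs):
    """Hostnames worth alerting on, noise categories excluded."""
    return sorted(d for cat, v in iocs.items() if cat not in NOISE for d in v["domains"])


def pool_endpoints(iocs):
    return sorted(iocs.get("mining_pool", {"endpoints": set()})["endpoints"])


if __name__ == "__main__":
    iocs = extract_iocs(parse_network(SAMPLE_NETWORK))
    for cat, v in sorted(iocs.items()):
        print(cat, sorted(v["domains"]), sorted(v["endpoints"]))
    print("alert on:", blocklist(iocs))
    print("pool endpoints:", pool_endpoints(iocs))
```

Treat the two halves of the output differently. The pool endpoints (three hosts on tcp/10343) and the specific 000webhostapp hostname are safe to block outright. pastebin.com, icanhazip.com, api.mylnikov.org and api.telegram.org are shared services, and the 104.16.0.0/12 addresses in front of the first three belong to a shared CDN, so block or alert on the hostname (or the process making the request), never the IP. The single 142.250.187.234:443 connection carries no domain in the table and cannot be attributed from this data alone.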

Files

C:\Users\Admin\AppData\Local\Temp\release.exe

MD5 f0c677d565a3299f693a68cdea0a4998
SHA1 4cd1ee7321e4c64bad5cabb01a7d56efccd4e058
SHA256 be9a43dffd8fa5ca2e10ef5493cbb1c647d8fefa829866f00c99162c45ccf456
SHA512 87986f5a4a2342cbf147c665e3f625ed44ea8e775fb770e2801fbdbac0d0b4817bfb08fdb76fdcb62724b7ab915673cb8f795c803a7525dfea3689b2c134337d

C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5 df96a0997b631e96c050382b96804ebb
SHA1 9d3b7dfd52eb72bf1c124f0cf1574dc0ba174d90
SHA256 4408d454808a4e3ca0361423f310c3e6b4754c2d0c2be4973d39dea722409430
SHA512 6954f887f1a0d8224503c9585274aef3bf510b41f8f133a4dfc133e147c4a65a819b4fd35e3d78d8ac70397679fa6299bf441d9a9016ab6ac29b837887ce41cf

memory/2672-22-0x00007FF9709D3000-0x00007FF9709D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pcryzlab.apr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2672-29-0x00000215F6FF0000-0x00000215F7012000-memory.dmp

memory/2672-33-0x00007FF9709D0000-0x00007FF971491000-memory.dmp

memory/2672-34-0x00007FF9709D0000-0x00007FF971491000-memory.dmp

memory/1592-35-0x000000007504E000-0x000000007504F000-memory.dmp

memory/2672-36-0x00000215F3140000-0x00000215F3150000-memory.dmp

memory/2672-39-0x00007FF9709D0000-0x00007FF971491000-memory.dmp

memory/1592-40-0x00000000001F0000-0x0000000000222000-memory.dmp

memory/4380-42-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4380-45-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4380-44-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4380-43-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4380-47-0x0000000140000000-0x000000014002B000-memory.dmp

memory/4380-49-0x00007FF98E100000-0x00007FF98E1BE000-memory.dmp

memory/4380-48-0x00007FF98FED0000-0x00007FF9900C5000-memory.dmp

memory/4380-51-0x0000000140000000-0x000000014002B000-memory.dmp

memory/632-59-0x0000028187050000-0x000002818707B000-memory.dmp

memory/316-65-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/316-64-0x000002BF84AF0000-0x000002BF84B1B000-memory.dmp

memory/956-68-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/412-76-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/412-75-0x0000024B0ADC0000-0x0000024B0ADEB000-memory.dmp

memory/1336-104-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1336-103-0x000001E19FFC0000-0x000001E19FFEB000-memory.dmp

memory/1260-101-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1260-100-0x000001FB49B20000-0x000001FB49B4B000-memory.dmp

memory/1200-96-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1200-95-0x0000016BA9F90000-0x0000016BA9FBB000-memory.dmp

memory/1192-93-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1192-92-0x000001EEB8290000-0x000001EEB82BB000-memory.dmp

memory/1108-90-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1108-89-0x000002176EF40000-0x000002176EF6B000-memory.dmp

memory/1100-87-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1100-86-0x000001FC0F860000-0x000001FC0F88B000-memory.dmp

memory/1036-80-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/1036-79-0x00000245FF4D0000-0x00000245FF4FB000-memory.dmp

memory/532-73-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/532-72-0x000001AE9C890000-0x000001AE9C8BB000-memory.dmp

memory/956-67-0x000001AC364D0000-0x000001AC364FB000-memory.dmp

memory/632-60-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/680-57-0x00007FF94FF50000-0x00007FF94FF60000-memory.dmp

memory/632-54-0x0000028187020000-0x0000028187044000-memory.dmp

memory/680-56-0x0000019C8E890000-0x0000019C8E8BB000-memory.dmp

memory/1676-341-0x000001DB53BE0000-0x000001DB53BFC000-memory.dmp

memory/1676-342-0x000001DB53C00000-0x000001DB53CB5000-memory.dmp

memory/1676-344-0x000001DB53CC0000-0x000001DB53CCA000-memory.dmp

memory/1676-345-0x000001DB53E30000-0x000001DB53E4C000-memory.dmp

memory/1676-354-0x000001DB53E10000-0x000001DB53E1A000-memory.dmp

memory/1676-358-0x000001DB53E70000-0x000001DB53E8A000-memory.dmp

memory/1676-359-0x000001DB53E20000-0x000001DB53E28000-memory.dmp

memory/1676-360-0x000001DB53E50000-0x000001DB53E56000-memory.dmp

memory/1676-361-0x000001DB53E60000-0x000001DB53E6A000-memory.dmp

memory/1592-362-0x0000000004CE0000-0x0000000004D46000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

memory/1592-604-0x000000007504E000-0x000000007504F000-memory.dmp

C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\f3140278e571061e2723673cc2507a43\Admin@OAILVCNY_en-US\System\Process.txt

MD5 f070a8a867a0d20ec798321b0ff15521
SHA1 d82c6ac5b19c65c57987efbd6a66abaf1baa385e
SHA256 07a6221c405a5f0f77c628f8f0cbbf43baf751524623e89005c0e486be33bd70
SHA512 227c38792b0d5a4dd378245b97315edda05c20010a7d8b81bde524e31040b4048a6f67ee87cccf7cc883ca54f537ac661e8d5874c6a30605396006cb9fbca28e

memory/1592-768-0x0000000005AC0000-0x0000000005B52000-memory.dmp

memory/1592-769-0x0000000006110000-0x00000000066B4000-memory.dmp

memory/1592-795-0x00000000007C0000-0x00000000007CA000-memory.dmp

C:\Users\Admin\AppData\Local\763ffdff61436986e650aa6d9b9291eb\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/1592-807-0x00000000060F0000-0x0000000006102000-memory.dmp