Malware Analysis Report

2024-09-22 23:44

Sample ID: 240516-23j4qsdd33
Target: release_lava.exe.3
SHA256: 5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0
Tags: asyncrat stormkitty default evasion execution persistence rat stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5c571eab4831d78279edf3ed574a10e42b877b430815b08b83bc2f18141d3ad0

Threat Level: Known bad

The file release_lava.exe.3 was found to be: Known bad.

Malicious Activity Summary

StormKitty
StormKitty payload
AsyncRat
Async RAT payload
Drops file in Drivers directory
Creates new service(s)
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Looks up geolocation information via web service
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-16 23:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-16 23:06
Reported: 2024-05-16 23:09
Platform: win7-20240221-en
Max time kernel: 25s
Max time network: 153s

Command Line

winlogon.exe

Signatures

AsyncRat (rat asyncrat)

StormKitty (stealer stormkitty)

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload (rat)

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell (execution)

Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s) (persistence execution)

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\release.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Stops running service(s) (evasion execution)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\release.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2712 set thread context of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 580 set thread context of 2068 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 580 set thread context of 1568 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe
PID 580 set thread context of 2116 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\dialer.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b0f5f0d1e5a7da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3048 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3048 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3048 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 3048 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3048 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3048 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 3048 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2424 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2424 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2424 wrote to memory of 2540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2712 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 2788 wrote to memory of 420 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2788 wrote to memory of 464 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\services.exe
PID 2788 wrote to memory of 480 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2788 wrote to memory of 488 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsm.exe
PID 2788 wrote to memory of 596 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 680 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 744 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2788 wrote to memory of 828 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2788 wrote to memory of 868 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 1004 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 340 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 880 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 2788 wrote to memory of 1080 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 1116 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhost.exe
PID 2788 wrote to memory of 1172 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\Dwm.exe
PID 2788 wrote to memory of 1200 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 2788 wrote to memory of 1288 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2788 wrote to memory of 1700 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sppsvc.exe
PID 2788 wrote to memory of 2712 N/A C:\Windows\system32\dialer.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 2788 wrote to memory of 1608 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2788 wrote to memory of 1708 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2788 wrote to memory of 1716 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2788 wrote to memory of 584 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\powercfg.exe
PID 2788 wrote to memory of 1720 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2788 wrote to memory of 1640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2788 wrote to memory of 1836 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2788 wrote to memory of 1772 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2788 wrote to memory of 1580 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2788 wrote to memory of 2112 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2788 wrote to memory of 2808 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2788 wrote to memory of 2716 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sc.exe
PID 2788 wrote to memory of 2756 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 2788 wrote to memory of 2728 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 464 wrote to memory of 580 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 464 wrote to memory of 580 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 464 wrote to memory of 580 N/A C:\Windows\system32\services.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2788 wrote to memory of 580 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2788 wrote to memory of 580 N/A C:\Windows\system32\dialer.exe C:\ProgramData\Google\Chrome\updater.exe
PID 2788 wrote to memory of 1944 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2788 wrote to memory of 772 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\conhost.exe
PID 596 wrote to memory of 2012 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 2012 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 596 wrote to memory of 2012 N/A C:\Windows\system32\svchost.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2788 wrote to memory of 2012 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 2788 wrote to memory of 2012 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\wbem\wmiprvse.exe
PID 952 wrote to memory of 2268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe

Processes

C:\Windows\system32\winlogon.exe
    winlogon.exe

C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe
    C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe
    "taskhost.exe"

C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\release_lava.exe
    "C:\Users\Admin\AppData\Local\Temp\release_lava.exe"

C:\Users\Admin\AppData\Local\Temp\release.exe
    "C:\Users\Admin\AppData\Local\Temp\release.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-18237594422133150531-20890575613759639834939764421945325631345340727-1478893566"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-41116485213605310571514321279-15075208031895767840-1155100725-258591749650985982"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-856929385-179606736419524133001431211038920731983537800541-1313304825180508076"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "370077944-20518257691520760588-908565812107864572279624012-533621391-1321068417"

C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-13363665803320021349484747261644818983-1428237589-145830877-541079801-340984676"

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "7740238451726744703-1063767130-12663027241269580522-8264778561066041798-1676260555"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-3135020752117266124-366161957185113743539289141510822353-7783978522103892537"

C:\ProgramData\Google\Chrome\updater.exe
    C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "244421765180213350016687911111916628637-3777134962093119163-136113116885756581"

C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1522142610-2139769887551558456-38221410020547467871562950107274669699-1051696429"

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "81514970795972621319589554221955306621-11323596931627060437947183831-1131982455"

C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-15744179081789607288914335307-1229793302-1256922551486209352-1253872106-1705458046"

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1016970427941292305-1506222477-1588836131033096297-1455587307-1936851166903810326"

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-7248048839871683681117056641100862988-1172972055135354390-288655695-1031512084"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1295576559-281365745-1845270677-18225838367289248281107806699184462218933989801"

C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "845333281-510201943-1483853956-51811015522087671527183625-3529712531510230812"

C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "9568115521710800000405855699-2726591487603610451392443036107088134-1478395924"

C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe
    dialer.exe

C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R

C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com
    chcp 65001

C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe
    findstr All

C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com
    chcp 65001

C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.200.133:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
CA 51.222.12.201:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.145.154:443 archangeladmindashboard.000webhostapp.com tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.145.114:443 archangeladmindashboard.000webhostapp.com tcp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.145.192:443 archangeladmindashboard.000webhostapp.com tcp

Files

\Users\Admin\AppData\Local\Temp\release.exe

MD5 f0c677d565a3299f693a68cdea0a4998
SHA1 4cd1ee7321e4c64bad5cabb01a7d56efccd4e058
SHA256 be9a43dffd8fa5ca2e10ef5493cbb1c647d8fefa829866f00c99162c45ccf456
SHA512 87986f5a4a2342cbf147c665e3f625ed44ea8e775fb770e2801fbdbac0d0b4817bfb08fdb76fdcb62724b7ab915673cb8f795c803a7525dfea3689b2c134337d

\Users\Admin\AppData\Local\Temp\Server.exe

MD5 df96a0997b631e96c050382b96804ebb
SHA1 9d3b7dfd52eb72bf1c124f0cf1574dc0ba174d90
SHA256 4408d454808a4e3ca0361423f310c3e6b4754c2d0c2be4973d39dea722409430
SHA512 6954f887f1a0d8224503c9585274aef3bf510b41f8f133a4dfc133e147c4a65a819b4fd35e3d78d8ac70397679fa6299bf441d9a9016ab6ac29b837887ce41cf

C:\Windows\system32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

C:\Users\Admin\AppData\Local\11c1e4f12170bcc080c7154a083c4dbe\Admin@KXIPPCKF_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Temp\Cab1D59.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar1E5A.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d466df52f0e807cc67ebed8a16a879c
SHA1 1c9e803e9d794cfaaba745b4c6330d2a7913c294
SHA256 95ddfeee7c5633f431ca68533da6db9a20a27e4b5dac3633d09025c6f63166aa
SHA512 177604de157eb56f2cc05710081035d892c595a7b61708e40b1be35a70a565613351bd6ac3247d77ba4a4b7a68622dbf3b3649423e336c168b63bdbebe9b6a07

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\429d5f666422b546eb844244560c95cf\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/2864-1377-0x000000007484E000-0x000000007484F000-memory.dmp

C:\Windows\System32\wbem\Performance\WmiApRpl.h

MD5 b133a676d139032a27de3d9619e70091
SHA1 1248aa89938a13640252a79113930ede2f26f1fa
SHA256 ae2b6236d3eeb4822835714ae9444e5dcd21bc60f7a909f2962c43bc743c7b15
SHA512 c6b99e13d854ce7a6874497473614ee4bd81c490802783db1349ab851cd80d1dc06df8c1f6e434aba873a5bbf6125cc64104709064e19a9dc1c66dcde3f898f5

C:\Windows\System32\wbem\Performance\WmiApRpl.ini

MD5 46d08e3a55f007c523ac64dce6dcf478
SHA1 62edf88697e98d43f32090a2197bead7e7244245
SHA256 5b15b1fc32713447c3fbc952a0fb02f1fd78c6f9ac69087bdb240625b0282614
SHA512 b1f42e70c0ba866a9ed34eb531dbcbae1a659d7349c1e1a14b18b9e23d8cbd302d8509c6d3a28bc7509dd92e83bcb400201fb5d5a70f613421d81fe649d02e42

C:\Windows\System32\perfc011.dat

MD5 1f998386566e5f9b7f11cc79254d1820
SHA1 e1da5fe1f305099b94de565d06bc6f36c6794481
SHA256 1665d97fb8786b94745295feb616a30c27af84e8a5e1d25cd1bcaf70723040ea
SHA512 a7c9702dd5833f4d6d27ce293efb9507948a3b05db350fc9909af6a48bd649c7578f856b4d64d87df451d0efbe202c62da7fffcac03b3fe72c7caaea553de75f

C:\Windows\System32\perfc00A.dat

MD5 f0ecfbfa3e3e59fd02197018f7e9cb84
SHA1 961e9367a4ef3a189466c0a0a186faf8958bdbc4
SHA256 cfa293532a1b865b95093437d82bf8b682132aa335957f0c6d95edfbcc372324
SHA512 116e648cb3b591a6a94da5ef11234778924a2ff9e0b3d7f6f00310d8a58914d12f5ee1b63c2f88701bb00538ad0e42ae2561575333c5a1d63bb8c86863ac6294

C:\Windows\System32\perfh009.dat

MD5 aecab86cc5c705d7a036cba758c1d7b0
SHA1 e88cf81fd282d91c7fc0efae13c13c55f4857b5e
SHA256 9bab92e274fcc0af88a7fdd143c9045b9d3a13cac2c00b63f00b320128dcc066
SHA512 e0aa8da41373fc64d0e3dc86c9e92a9dd5232f6bcae42dfe6f79012d7e780de85511a9ec6941cb39476632972573a18063d3ecd8b059b1d008d34f585d9edbe8

C:\Windows\System32\perfh007.dat

MD5 b69ab3aeddb720d6ef8c05ff88c23b38
SHA1 d830c2155159656ed1806c7c66cae2a54a2441fa
SHA256 24c81302014118e07ed97eaac0819ecf191e0cc3d69c02b16ecda60ac4718625
SHA512 4c7a99d45fb6e90c206439dcdd7cd198870ea5397a6584bb666eed53a8dc36faaac0b9cfc786a3ab4ecbbecc3a4ddd91560246d83b3319f2e37c1ed4bdbec32d

C:\Windows\System32\perfh011.dat

MD5 24da30cbb5f0fe4939862880e72cc32c
SHA1 9132497736f52dae62b79be1677c05e32a7ba2ab
SHA256 a11a4228f8485db2f90466651f6cab07245a8ff5b3448636ab0abc4d618a4a1f
SHA512 332a57e8f0e8d7f82044f90388afd7509768ecb3f657c6be12d1f51ec1c66b8886c30d4b4a42d3a64c3e0d8b76d7cc86a1ac3b92713a68a62c12fdae6a77d6c2

C:\Windows\System32\perfh010.dat

MD5 4623482c106cf6cc1bac198f31787b65
SHA1 5abb0decf7b42ef5daf7db012a742311932f6dad
SHA256 eceda45aedbf6454b79f010c891bead3844d43189972f6beeb5ccddb13cc0349
SHA512 afecefcec652856dd8b4275f11d75a68a582337b682309c4b61fd26ed7038b92e6b9aa72c1bfc350ce2caf5e357098b54eb1e448a4392960f9f82e01c447669f

C:\Windows\System32\perfc010.dat

MD5 d73172c6cb697755f87cd047c474cf91
SHA1 abc5c7194abe32885a170ca666b7cce8251ac1d6
SHA256 9de801eebbe32699630f74082c9adea15069acd5afb138c9ecd5d4904e3cdc57
SHA512 7c9e4126bed6bc94a211281eed45cee30452519f125b82b143f78da32a3aac72d94d31757e1da22fb2f8a25099ffddec992e2c60987efb9da9b7a17831eafdf6

C:\Windows\System32\perfh00C.dat

MD5 5f684ce126de17a7d4433ed2494c5ca9
SHA1 ce1a30a477daa1bac2ec358ce58731429eafe911
SHA256 2e2ba0c47e71991d646ec380cde47f44318d695e6f3f56ec095955a129af1c2c
SHA512 4d0c2669b5002da14d44c21dc2f521fb37b6b41b61bca7b2a9af7c03f616dda9ca825f79a81d3401af626a90017654f9221a6ccc83010ff73de71967fc2f3f5b

C:\Windows\System32\perfc00C.dat

MD5 831dbe568992299e589143ee8898e131
SHA1 737726173aab8b76fe1f98104d72bb91abd273bf
SHA256 4f22ef1625fb2a2370779d0992f80b8e5e5da8dc727aa99ade152044d28e9405
SHA512 39015d29d593c9df59cdafbff95a6ddc000a5dbf767665b65f8ec65751e70315918c93d3583b922d32e9b6261b8c07023da660098ca79c5420b782c150b5c139

C:\Windows\System32\perfh00A.dat

MD5 7d0bac4e796872daa3f6dc82c57f4ca8
SHA1 b4f6bbe08fa8cd0784a94ac442ff937a3d3eea0a
SHA256 ce2ef9fc248965f1408d4b7a1e6db67494ba07a7bbdfa810418b30be66ad5879
SHA512 145a0e8543e0d79fe1a5ce268d710c807834a05da1e948f84d6a1818171cd4ef077ea44ba1fe439b07b095721e0109cbf7e4cfd7b57519ee44d9fd9fe1169a3e

C:\Windows\System32\perfc007.dat

MD5 6f56831d92bd26950a97eeaeedcf2158
SHA1 09cc4fd972db97ef101de1035a7f895d6b23a10a
SHA256 c414bcd75b0bcd809f41443ac61b3a8858b91c18480e5a01ff99d6e21d43101c
SHA512 c5a366df849e94207b168238a595551a70c99e9d280f0209d1d38af3f66d05029e40517bdcf8075fa4153f75c881c08f2ae7847c69c5ebc3a650fa000885d751

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 23:06

Reported

2024-05-16 23:09

Platform

win10v2004-20240226-en

Max time kernel

106s

Max time network

158s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\release.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\release_lava.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Server.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\release.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4972 set thread context of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\release.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 1432 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\release.exe
PID 1432 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1432 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 1432 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\release_lava.exe C:\Users\Admin\AppData\Local\Temp\Server.exe
PID 2292 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2292 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 4972 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\release.exe C:\Windows\system32\dialer.exe
PID 3368 wrote to memory of 612 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 3368 wrote to memory of 668 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 3368 wrote to memory of 948 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1020 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 3368 wrote to memory of 1028 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1048 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1056 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1192 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1204 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1256 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1312 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1388 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1412 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1464 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1500 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1512 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1644 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1696 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1724 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1796 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1824 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1872 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1888 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1976 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 1984 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1372 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 3368 wrote to memory of 2056 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 2132 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 2340 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\sihost.exe
PID 3368 wrote to memory of 2360 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2488 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2496 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2508 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2536 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\taskhostw.exe
PID 3368 wrote to memory of 2564 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2640 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2660 N/A C:\Windows\system32\dialer.exe C:\Windows\sysmon.exe
PID 3368 wrote to memory of 2688 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 2696 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2712 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 2648 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 3080 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\wbem\unsecapp.exe
PID 3368 wrote to memory of 3348 N/A C:\Windows\system32\dialer.exe C:\Windows\Explorer.EXE
PID 3368 wrote to memory of 3496 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 3368 wrote to memory of 3732 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\DllHost.exe
PID 3368 wrote to memory of 3924 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3368 wrote to memory of 4124 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3368 wrote to memory of 2040 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\RuntimeBroker.exe
PID 3368 wrote to memory of 4872 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 3368 wrote to memory of 1228 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x2f0,0x7ff980c42e98,0x7ff980c42ea4,0x7ff980c42eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Users\Admin\AppData\Local\Temp\release_lava.exe

"C:\Users\Admin\AppData\Local\Temp\release_lava.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4944 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\release.exe

"C:\Users\Admin\AppData\Local\Temp\release.exe"

C:\Users\Admin\AppData\Local\Temp\Server.exe

"C:\Users\Admin\AppData\Local\Temp\Server.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 xmr-us-east1.nanopool.org udp
CA 51.222.200.133:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 133.200.222.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
CA 51.222.12.201:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 archangeladmindashboard.000webhostapp.com udp
US 145.14.144.92:443 archangeladmindashboard.000webhostapp.com tcp
CA 51.222.106.253:10343 xmr-us-east1.nanopool.org tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 201.12.222.51.in-addr.arpa udp
US 8.8.8.8:53 92.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 253.106.222.51.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files


memory/1256-97-0x0000015927770000-0x000001592779B000-memory.dmp

memory/1256-98-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

memory/1204-95-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

memory/1204-94-0x0000024416150000-0x000002441617B000-memory.dmp

memory/1048-92-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

memory/1048-91-0x0000018BE0C90000-0x0000018BE0CBB000-memory.dmp

memory/668-66-0x000001C6F8920000-0x000001C6F894B000-memory.dmp

memory/1020-64-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

memory/612-54-0x000001F1130C0000-0x000001F1130E4000-memory.dmp

memory/668-68-0x00007FF9667B0000-0x00007FF9667C0000-memory.dmp

memory/612-55-0x000001F1130F0000-0x000001F11311B000-memory.dmp

memory/3368-45-0x0000000140000000-0x000000014002B000-memory.dmp

memory/5168-334-0x0000020635370000-0x000002063538C000-memory.dmp

memory/5168-335-0x0000020635390000-0x0000020635445000-memory.dmp

memory/5168-336-0x0000020635450000-0x000002063545A000-memory.dmp

memory/5168-345-0x00000206355C0000-0x00000206355DC000-memory.dmp

memory/5168-346-0x00000206355A0000-0x00000206355AA000-memory.dmp

memory/5168-347-0x0000020635600000-0x000002063561A000-memory.dmp

memory/5168-348-0x00000206355B0000-0x00000206355B8000-memory.dmp

memory/5168-349-0x00000206355E0000-0x00000206355E6000-memory.dmp

memory/5168-350-0x00000206355F0000-0x00000206355FA000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

memory/2248-613-0x00000000055E0000-0x0000000005646000-memory.dmp

C:\Users\Admin\AppData\Local\f9f38ed25bb74d569ff07fd0fb2a1e6d\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2248-700-0x0000000074F4E000-0x0000000074F4F000-memory.dmp

C:\Users\Admin\AppData\Local\f9f38ed25bb74d569ff07fd0fb2a1e6d\Admin@OAILVCNY_en-US\System\Process.txt

MD5 0571cef225f4b24c216ba356d5f21de5
SHA1 97ece6e2a62494692dcea085633335e1aee18450
SHA256 d1182ac8e18dda8d78dfac030cd6e852608ba2a56e2da4ea35855340ff7a67b0
SHA512 2e9714e0b37e7300114ce51aec1e3e8ad6b7ed9d87133837f821df7ea8d4703adf84e784344203f44b53a6b56b9809ccf1831aba185189eddb92eb2766d3af5a

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

MD5 1037913c0ac0cdd12d88da683f572ab4
SHA1 2fcce1293ad221e9bbbe9fdcf7af7b33e30f875a
SHA256 09ad2308b6b73066b1266b28ae6c8160d48f6d389897a009ab195c1d8efae725
SHA512 c361caf82da6f692c6f91319f58a30393af7256c3a8e7907cd01b35c93a788d78953235a21f8e055667328aaf17949e91366da46f3e9657a69e1c343b1ed178b

memory/2248-770-0x0000000006400000-0x0000000006492000-memory.dmp

memory/2248-771-0x0000000006A50000-0x0000000006FF4000-memory.dmp
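The Files list gives a responder three things to check on a suspect host: the stealer's staging tree under AppData\Local\<32 hex>\Admin@OAILVCNY_en-US\..., the rewritten hosts file, and the SHA256 values of the dropped executables. The block below is an added example, not code from the sandbox or the sample. It matches the staging tree root only (the other StormKitty subfolders are not on this page, so only Browsers and System are known from it), parses a hosts file so that names pointed at loopback or 0.0.0.0 stand out, and looks content up against the hashes listed above. The write events and file contents in the block are constructed for the example; the hash values are copied from the list above.

```python
"""Triage of file writes against the Files list above.

Added example; not code from the sandbox or the sample. Hash values are copied
from the report; the write events and file contents are constructed.
"""
import hashlib
import re

# SHA256 -> label, copied from the Files list above.
KNOWN_BAD = {
    "be9a43dffd8fa5ca2e10ef5493cbb1c647d8fefa829866f00c99162c45ccf456": "release.exe (dropped)",
    "4408d454808a4e3ca0361423f310c3e6b4754c2d0c2be4973d39dea722409430": "Server.exe (dropped)",
    "eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01": "modified hosts file",
}
# %LOCALAPPDATA%\<32 hex>\<user>@<host>_<locale>\ ; only the tree root is matched.
STAGING_RE = re.compile(r"\\AppData\\Local\\[0-9a-f]{32}\\[^\\]+@[^\\]+_[a-z]{2}-[a-z]{2}\\", re.I)
HOSTS_RE = re.compile(r"\\Windows\\System32\\drivers\\etc\\hosts$", re.I)
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_verdict(data: bytes):
    """Label from KNOWN_BAD if the content hashes to a listed artifact, else None."""
    return KNOWN_BAD.get(sha256_hex(data))


def is_stealer_staging(path: str) -> bool:
    return STAGING_RE.search(path) is not None


def is_hosts_file(path: str) -> bool:
    return HOSTS_RE.search(path) is not None


def active_hosts_entries(text: str) -> list:
    """(ip, [names]) for every non-comment, non-blank hosts line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def sinkholed_names(text: str) -> set:
    """Names redirected to loopback/0.0.0.0, ignoring localhost itself."""
    out = set()
    for ip, names in active_hosts_entries(text):
        if ip in SINKHOLE_IPS:
            out.update(n for n in names if n.lower() not in LOCAL_NAMES)
    return out


def triage_writes(events) -> list:
    """events: (image, path, content bytes). Returns (path, finding) pairs."""
    findings = []
    for _image, path, content in events:
        if is_stealer_staging(path):
            findings.append((path, "stealer staging tree"))
        if is_hosts_file(path):
            names = sorted(sinkholed_names(content.decode("utf-8", "replace")))
            findings.append((path, f"hosts file write; sinkholed names: {names}"))
        label = hash_verdict(content)
        if label:
            findings.append((path, f"content matches report artifact: {label}"))
    return findings


# Constructed write events; the first two paths mirror the report's layout,
# the hosts content and the sinkholed name are invented for the example.
SAMPLE_WRITES = [
    (r"C:\Users\Admin\AppData\Local\Temp\Server.exe",
     r"C:\Users\Admin\AppData\Local\f9f38ed25bb74d569ff07fd0fb2a1e6d\Admin@OAILVCNY_en-US\System\Process.txt",
     b"svchost.exe 612\n"),
    (r"C:\Users\Admin\AppData\Local\Temp\release.exe",
     r"C:\Windows\system32\drivers\etc\hosts",
     b"# Copyright (c) 1993-2009 Microsoft Corp.\n127.0.0.1 localhost\n0.0.0.0 update.example-av.test\n"),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\abc.default\cache2\entries\0001",
     b"cache"),
]

if __name__ == "__main__":
    for path, finding in triage_writes(SAMPLE_WRITES):
        print(f"{finding}: {path}")
```

A hash match against the report's hosts file SHA256 would mean the exact same tampered file landed on the host; a non-match with unexpected sinkholed names still warrants restoring the file from a known-good copy, since the report only records that the file was written, not what was put in it.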