c858e10e29b769ca86445ba1bebdf708e88245da4e96c4afc967818e8293e099

Resubmissions

02-01-2025 21:33

250102-1ejbvswpcv 10

08-12-2024 01:12

241208-bkq68azkep 10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCK360.exe
Size

250KB
MD5

7ab51c2e2fdac53f3360bb5c8b73734e
SHA1

076d233ef06971a64f9b009c03627a491444a422
SHA256

8a7ad72fd6d3936ea3ad0ecadc063b382c6f0f8ff65b4839df1f3169f0135216
SHA512

35a6247f16a0295140782d0ea73754a37aafa09ba62d1f2be0a822d7f1b548921bad94b563ff16f1c817060544560f3c66856f0a85862cdbdfd85e29462abfee
SSDEEP

6144:XaLSyXt5iZ6hyebe81XrTE4/Cw5E2XppJZxA:qLtyGe81XU4rttQ

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\umqeiy.exe = "C:\\Windows\\umqeiy.exe:*:enabled:@shell32.dll,-1"	umqeiy.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral19/files/0x000a000000023c87-2.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	FUCK360.exe

Executes dropped EXE 64 IoCs

pid	Process
4472	umqeiy.exe
2664	umqeiy.exe
1268	umqeiy.exe
624	umqeiy.exe
3964	umqeiy.exe
3860	umqeiy.exe
4628	umqeiy.exe
3456	umqeiy.exe
5080	umqeiy.exe
984	umqeiy.exe
184	umqeiy.exe
1424	umqeiy.exe
3588	umqeiy.exe
4592	umqeiy.exe
4028	umqeiy.exe
2624	umqeiy.exe
1192	umqeiy.exe
2848	umqeiy.exe
908	umqeiy.exe
1788	umqeiy.exe
2992	umqeiy.exe
4984	umqeiy.exe
3848	umqeiy.exe
4092	umqeiy.exe
2136	umqeiy.exe
4992	umqeiy.exe
4484	umqeiy.exe
4580	umqeiy.exe
232	umqeiy.exe
3956	umqeiy.exe
5048	umqeiy.exe
3528	umqeiy.exe
1916	umqeiy.exe
3104	umqeiy.exe
2284	umqeiy.exe
2128	umqeiy.exe
4536	umqeiy.exe
1032	umqeiy.exe
2664	umqeiy.exe
4872	umqeiy.exe
4408	umqeiy.exe
616	umqeiy.exe
400	umqeiy.exe
912	umqeiy.exe
536	umqeiy.exe
2916	umqeiy.exe
2144	umqeiy.exe
1964	umqeiy.exe
3820	umqeiy.exe
3400	umqeiy.exe
4984	umqeiy.exe
3940	umqeiy.exe
3108	umqeiy.exe
4840	umqeiy.exe
4760	umqeiy.exe
3076	umqeiy.exe
1064	umqeiy.exe
384	umqeiy.exe
2920	umqeiy.exe
460	umqeiy.exe
2224	umqeiy.exe
2616	umqeiy.exe
956	umqeiy.exe
4440	umqeiy.exe

Loads dropped DLL 64 IoCs

pid	Process
736	FUCK360.exe
736	FUCK360.exe
4472	umqeiy.exe
4472	umqeiy.exe
4276	WerFault.exe
4472	umqeiy.exe
3548	WerFault.exe
2664	umqeiy.exe
2664	umqeiy.exe
2664	umqeiy.exe
1268	umqeiy.exe
1268	umqeiy.exe
1268	umqeiy.exe
624	umqeiy.exe
624	umqeiy.exe
624	umqeiy.exe
3964	umqeiy.exe
3964	umqeiy.exe
3964	umqeiy.exe
3860	umqeiy.exe
3860	umqeiy.exe
3860	umqeiy.exe
4628	umqeiy.exe
4628	umqeiy.exe
4628	umqeiy.exe
3456	umqeiy.exe
3456	umqeiy.exe
3456	umqeiy.exe
5080	umqeiy.exe
5080	umqeiy.exe
5080	umqeiy.exe
984	umqeiy.exe
984	umqeiy.exe
984	umqeiy.exe
184	umqeiy.exe
184	umqeiy.exe
184	umqeiy.exe
1424	umqeiy.exe
1424	umqeiy.exe
1424	umqeiy.exe
3588	umqeiy.exe
3588	umqeiy.exe
3588	umqeiy.exe
4592	umqeiy.exe
4592	umqeiy.exe
4592	umqeiy.exe
4028	umqeiy.exe
4028	umqeiy.exe
4028	umqeiy.exe
2624	umqeiy.exe
2624	umqeiy.exe
2624	umqeiy.exe
1192	umqeiy.exe
1192	umqeiy.exe
1192	umqeiy.exe
2848	umqeiy.exe
2848	umqeiy.exe
2848	umqeiy.exe
908	umqeiy.exe
908	umqeiy.exe
908	umqeiy.exe
1788	umqeiy.exe
1788	umqeiy.exe
1788	umqeiy.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe
File opened for modification	C:\Windows\SysWOW64\hra33.dll	umqeiy.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\umqeiy.exe	FUCK360.exe
File opened for modification	C:\Windows\umqeiy.exe	FUCK360.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3548	736	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FUCK360.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	umqeiy.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
736	FUCK360.exe
736	FUCK360.exe
4472	umqeiy.exe
4472	umqeiy.exe
2664	umqeiy.exe
2664	umqeiy.exe
1268	umqeiy.exe
1268	umqeiy.exe
624	umqeiy.exe
624	umqeiy.exe
3964	umqeiy.exe
3964	umqeiy.exe
3860	umqeiy.exe
3860	umqeiy.exe
4628	umqeiy.exe
4628	umqeiy.exe
3456	umqeiy.exe
3456	umqeiy.exe
5080	umqeiy.exe
5080	umqeiy.exe
984	umqeiy.exe
984	umqeiy.exe
184	umqeiy.exe
184	umqeiy.exe
1424	umqeiy.exe
1424	umqeiy.exe
3588	umqeiy.exe
3588	umqeiy.exe
4592	umqeiy.exe
4592	umqeiy.exe
4028	umqeiy.exe
4028	umqeiy.exe
2624	umqeiy.exe
2624	umqeiy.exe
1192	umqeiy.exe
1192	umqeiy.exe
2848	umqeiy.exe
2848	umqeiy.exe
908	umqeiy.exe
908	umqeiy.exe
1788	umqeiy.exe
1788	umqeiy.exe
2992	umqeiy.exe
2992	umqeiy.exe
4984	umqeiy.exe
4984	umqeiy.exe
3848	umqeiy.exe
3848	umqeiy.exe
4092	umqeiy.exe
4092	umqeiy.exe
2136	umqeiy.exe
2136	umqeiy.exe
4992	umqeiy.exe
4992	umqeiy.exe
4484	umqeiy.exe
4484	umqeiy.exe
4580	umqeiy.exe
4580	umqeiy.exe
232	umqeiy.exe
232	umqeiy.exe
3956	umqeiy.exe
3956	umqeiy.exe
5048	umqeiy.exe
5048	umqeiy.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe
736	FUCK360.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	736	FUCK360.exe
Token: SeDebugPrivilege	4472	umqeiy.exe
Token: SeTakeOwnershipPrivilege	736	FUCK360.exe
Token: SeRestorePrivilege	736	FUCK360.exe
Token: SeBackupPrivilege	736	FUCK360.exe
Token: SeChangeNotifyPrivilege	736	FUCK360.exe
Token: SeDebugPrivilege	2664	umqeiy.exe
Token: SeDebugPrivilege	1268	umqeiy.exe
Token: SeDebugPrivilege	624	umqeiy.exe
Token: SeDebugPrivilege	3964	umqeiy.exe
Token: SeDebugPrivilege	3860	umqeiy.exe
Token: SeDebugPrivilege	4628	umqeiy.exe
Token: SeDebugPrivilege	3456	umqeiy.exe
Token: SeDebugPrivilege	5080	umqeiy.exe
Token: SeDebugPrivilege	984	umqeiy.exe
Token: SeDebugPrivilege	184	umqeiy.exe
Token: SeDebugPrivilege	1424	umqeiy.exe
Token: SeDebugPrivilege	3588	umqeiy.exe
Token: SeDebugPrivilege	4592	umqeiy.exe
Token: SeDebugPrivilege	4028	umqeiy.exe
Token: SeDebugPrivilege	2624	umqeiy.exe
Token: SeDebugPrivilege	1192	umqeiy.exe
Token: SeDebugPrivilege	2848	umqeiy.exe
Token: SeDebugPrivilege	908	umqeiy.exe
Token: SeDebugPrivilege	1788	umqeiy.exe
Token: SeDebugPrivilege	2992	umqeiy.exe
Token: SeDebugPrivilege	4984	umqeiy.exe
Token: SeDebugPrivilege	3848	umqeiy.exe
Token: SeDebugPrivilege	4092	umqeiy.exe
Token: SeDebugPrivilege	2136	umqeiy.exe
Token: SeDebugPrivilege	4992	umqeiy.exe
Token: SeDebugPrivilege	4484	umqeiy.exe
Token: SeDebugPrivilege	4580	umqeiy.exe
Token: SeDebugPrivilege	232	umqeiy.exe
Token: SeDebugPrivilege	3956	umqeiy.exe
Token: SeDebugPrivilege	5048	umqeiy.exe
Token: SeDebugPrivilege	3528	umqeiy.exe
Token: SeDebugPrivilege	1916	umqeiy.exe
Token: SeDebugPrivilege	3104	umqeiy.exe
Token: SeDebugPrivilege	2284	umqeiy.exe
Token: SeDebugPrivilege	2128	umqeiy.exe
Token: SeDebugPrivilege	4536	umqeiy.exe
Token: SeDebugPrivilege	1032	umqeiy.exe
Token: SeDebugPrivilege	2664	umqeiy.exe
Token: SeDebugPrivilege	4872	umqeiy.exe
Token: SeDebugPrivilege	4408	umqeiy.exe
Token: SeDebugPrivilege	616	umqeiy.exe
Token: SeDebugPrivilege	400	umqeiy.exe
Token: SeDebugPrivilege	912	umqeiy.exe
Token: SeDebugPrivilege	536	umqeiy.exe
Token: SeDebugPrivilege	2916	umqeiy.exe
Token: SeDebugPrivilege	2144	umqeiy.exe
Token: SeDebugPrivilege	1964	umqeiy.exe
Token: SeDebugPrivilege	3820	umqeiy.exe
Token: SeDebugPrivilege	3400	umqeiy.exe
Token: SeDebugPrivilege	4984	umqeiy.exe
Token: SeDebugPrivilege	3940	umqeiy.exe
Token: SeDebugPrivilege	3108	umqeiy.exe
Token: SeDebugPrivilege	4840	umqeiy.exe
Token: SeDebugPrivilege	4760	umqeiy.exe
Token: SeDebugPrivilege	3076	umqeiy.exe
Token: SeDebugPrivilege	1064	umqeiy.exe
Token: SeDebugPrivilege	384	umqeiy.exe
Token: SeDebugPrivilege	2920	umqeiy.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
736	FUCK360.exe
4472	umqeiy.exe
2664	umqeiy.exe
1268	umqeiy.exe
624	umqeiy.exe
3964	umqeiy.exe
3860	umqeiy.exe
4628	umqeiy.exe
3456	umqeiy.exe
5080	umqeiy.exe
984	umqeiy.exe
184	umqeiy.exe
1424	umqeiy.exe
3588	umqeiy.exe
4592	umqeiy.exe
4028	umqeiy.exe
2624	umqeiy.exe
1192	umqeiy.exe
2848	umqeiy.exe
908	umqeiy.exe
1788	umqeiy.exe
2992	umqeiy.exe
4984	umqeiy.exe
3848	umqeiy.exe
4092	umqeiy.exe
2136	umqeiy.exe
4992	umqeiy.exe
4484	umqeiy.exe
4580	umqeiy.exe
232	umqeiy.exe
3956	umqeiy.exe
5048	umqeiy.exe
3528	umqeiy.exe
1916	umqeiy.exe
3104	umqeiy.exe
2284	umqeiy.exe
2128	umqeiy.exe
4536	umqeiy.exe
1032	umqeiy.exe
2664	umqeiy.exe
4872	umqeiy.exe
4408	umqeiy.exe
616	umqeiy.exe
400	umqeiy.exe
912	umqeiy.exe
536	umqeiy.exe
2916	umqeiy.exe
2144	umqeiy.exe
1964	umqeiy.exe
3820	umqeiy.exe
3400	umqeiy.exe
4984	umqeiy.exe
3940	umqeiy.exe
3108	umqeiy.exe
4840	umqeiy.exe
4760	umqeiy.exe
3076	umqeiy.exe
1064	umqeiy.exe
384	umqeiy.exe
2920	umqeiy.exe
460	umqeiy.exe
2224	umqeiy.exe
2616	umqeiy.exe
956	umqeiy.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 604	736	FUCK360.exe	5
PID 736 wrote to memory of 604	736	FUCK360.exe	5
PID 736 wrote to memory of 604	736	FUCK360.exe	5
PID 736 wrote to memory of 604	736	FUCK360.exe	5
PID 736 wrote to memory of 604	736	FUCK360.exe	5
PID 736 wrote to memory of 604	736	FUCK360.exe	5
PID 736 wrote to memory of 668	736	FUCK360.exe	7
PID 736 wrote to memory of 668	736	FUCK360.exe	7
PID 736 wrote to memory of 668	736	FUCK360.exe	7
PID 736 wrote to memory of 668	736	FUCK360.exe	7
PID 736 wrote to memory of 668	736	FUCK360.exe	7
PID 736 wrote to memory of 668	736	FUCK360.exe	7
PID 736 wrote to memory of 772	736	FUCK360.exe	8
PID 736 wrote to memory of 772	736	FUCK360.exe	8
PID 736 wrote to memory of 772	736	FUCK360.exe	8
PID 736 wrote to memory of 772	736	FUCK360.exe	8
PID 736 wrote to memory of 772	736	FUCK360.exe	8
PID 736 wrote to memory of 772	736	FUCK360.exe	8
PID 736 wrote to memory of 780	736	FUCK360.exe	9
PID 736 wrote to memory of 780	736	FUCK360.exe	9
PID 736 wrote to memory of 780	736	FUCK360.exe	9
PID 736 wrote to memory of 780	736	FUCK360.exe	9
PID 736 wrote to memory of 780	736	FUCK360.exe	9
PID 736 wrote to memory of 780	736	FUCK360.exe	9
PID 736 wrote to memory of 792	736	FUCK360.exe	10
PID 736 wrote to memory of 792	736	FUCK360.exe	10
PID 736 wrote to memory of 792	736	FUCK360.exe	10
PID 736 wrote to memory of 792	736	FUCK360.exe	10
PID 736 wrote to memory of 792	736	FUCK360.exe	10
PID 736 wrote to memory of 792	736	FUCK360.exe	10
PID 736 wrote to memory of 884	736	FUCK360.exe	11
PID 736 wrote to memory of 884	736	FUCK360.exe	11
PID 736 wrote to memory of 884	736	FUCK360.exe	11
PID 736 wrote to memory of 884	736	FUCK360.exe	11
PID 736 wrote to memory of 884	736	FUCK360.exe	11
PID 736 wrote to memory of 884	736	FUCK360.exe	11
PID 736 wrote to memory of 944	736	FUCK360.exe	12
PID 736 wrote to memory of 944	736	FUCK360.exe	12
PID 736 wrote to memory of 944	736	FUCK360.exe	12
PID 736 wrote to memory of 944	736	FUCK360.exe	12
PID 736 wrote to memory of 944	736	FUCK360.exe	12
PID 736 wrote to memory of 944	736	FUCK360.exe	12
PID 736 wrote to memory of 64	736	FUCK360.exe	13
PID 736 wrote to memory of 64	736	FUCK360.exe	13
PID 736 wrote to memory of 64	736	FUCK360.exe	13
PID 736 wrote to memory of 64	736	FUCK360.exe	13
PID 736 wrote to memory of 64	736	FUCK360.exe	13
PID 736 wrote to memory of 64	736	FUCK360.exe	13
PID 736 wrote to memory of 508	736	FUCK360.exe	14
PID 736 wrote to memory of 508	736	FUCK360.exe	14
PID 736 wrote to memory of 508	736	FUCK360.exe	14
PID 736 wrote to memory of 508	736	FUCK360.exe	14
PID 736 wrote to memory of 508	736	FUCK360.exe	14
PID 736 wrote to memory of 508	736	FUCK360.exe	14
PID 736 wrote to memory of 860	736	FUCK360.exe	15
PID 736 wrote to memory of 860	736	FUCK360.exe	15
PID 736 wrote to memory of 860	736	FUCK360.exe	15
PID 736 wrote to memory of 860	736	FUCK360.exe	15
PID 736 wrote to memory of 860	736	FUCK360.exe	15
PID 736 wrote to memory of 860	736	FUCK360.exe	15
PID 736 wrote to memory of 940	736	FUCK360.exe	16
PID 736 wrote to memory of 940	736	FUCK360.exe	16
PID 736 wrote to memory of 940	736	FUCK360.exe	16
PID 736 wrote to memory of 940	736	FUCK360.exe	16

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:772
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:668

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:792
- C:\Windows\system32\wbem\unsecapp.exe
  C:\Windows\system32\wbem\unsecapp.exe -Embedding
  2⤵
  PID:2880
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3736
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3836
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3904
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3992
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3872
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:5108
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:1684
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:2416
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  2⤵
  PID:1904
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  2⤵
  PID:1036
- C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  2⤵
  PID:2732
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  2⤵
  PID:2272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1152
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1500
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1968

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2480

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\FUCK360.exe
  "C:\Users\Admin\AppData\Local\Temp\FUCK360.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 1712
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:3548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1400

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2148

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4472

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 736 -ip 736
  2⤵
  - Loads dropped DLL
  PID:4276

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:624

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3964

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f5ed7c128717a45e72259e1aada5bd11 R8Yiulew0U2f7OQHzJ7SWA.0.1.0.0.0
1⤵
PID:4328
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:1064

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2032

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:984

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:184

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1600

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1424

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:1228

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2624

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2848

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1788

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3848

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4092

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2136

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4580

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:232

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3956

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5048

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3528

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2284

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2128

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4536

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2664

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4872

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:616

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:912

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:536

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2144

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3400

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4840

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3076

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1064

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2920

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:460

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:956

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3448

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:3512

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3648

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:3884

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1628

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2024

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4204

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:2224

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3528

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:3640

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:4440

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3448

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:1920

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1064

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:3884

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1268

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1652

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:2804

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:432

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:312

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1708

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1520

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1096

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2908

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:112

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1344

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1304

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:2108

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4812

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3012

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1820

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:1208

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:3448

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:1048

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4504

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:3148

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:2936

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1936

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4476

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:3968

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1792

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:912

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1224

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4920

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4820

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:2128

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3576

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3000

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3844

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2660

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4696

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:400

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1552

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3528

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:2156

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4992

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3364

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3448

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1416

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4576

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1508

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4708

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:5036

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1956

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:4764

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3832

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:4020

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:3012

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3928

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:632

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4264

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:2548

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:3240

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:2300

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4036

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:2936

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:2412

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3204

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:3556

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3040

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:1532

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:3960

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1520

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4228

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:3648

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1964

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:3628

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2988

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1896

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2224

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4984

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:2596

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1120

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4956

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1300

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3500

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:1032

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1744

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:2664

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1408

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:1936

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4988

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1444

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4516

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:2188

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4880

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:1604

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4840

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:2028

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:2132

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:708

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1508

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4128

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4912

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:4724

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:624

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:1216

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3040

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1760

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4880

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1604

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:4840

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:3512

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1032

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
PID:3648

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
PID:4636

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Modifies firewall policy service
PID:1268

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
PID:1896

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4548

C:\Windows\umqeiy.exe
C:\Windows\umqeiy.exe
1⤵
- System Location Discovery: System Language Discovery
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCXB41F.tmp

Filesize
86KB

MD5
056588be5f0740dce439dee300cd6280

SHA1
64b5833cd9ec2eb41c91acff2af878b11d7beb50

SHA256
66e27ae4cbd3ea341542c40fc80507afd7a20371a8231787f96e090c7cab9453

SHA512
84a14876d42a8514cfd2458d2b1f589898ecc7f92c13d577cc367784aba6493df86a21b24b54b8761c19db9c250b425c1e63b41f3fc36e94c123720a1b70eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoi8CCF.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
C:\Windows\SysWOW64\hra33.dll

Filesize
8KB

MD5
aabeb05e642b2f9acb86a5dc1a600813

SHA1
abba695b782c0e644b971b65d4dc7b8349714488

SHA256
8b1d4870fdc940da538f225251996794f2f10ab7fff718d1aa884be8468dcfce

SHA512
730fd04e4624f4db8c7c92e786148139d457c5bdc28badb3b1cbb70b61fd7b20655c2feab90c5c91b0d30f42a2d7bccb2ce0120752e223e6df2139c371b4be8a

Download Submit
C:\Windows\Temp\csiB41E.tmp

Filesize
128KB

MD5
088d5d421f7024ae0e53e8f1bf7d00d6

SHA1
992dedc0b60f70d48c790202c795935e5f8d16b2

SHA256
9546105854a396028596b3caf7e2ba3eb51a0795f16b6ad84e46afd00efd65df

SHA512
5389a025e51ed9031ebec5fcdd01b7012e0ffb6283ba772b1fb2963734ff4bda33791c388ad8df529b6a944ca9cbe0d825fd784e22bfcf3c6486a7692946936a

Download Submit
C:\Windows\Temp\goi923E.tmp

Filesize
77KB

MD5
06be485186b658a88dfb242611651506

SHA1
bcdfb1d45086ba1bfac457b3007ccd4b870091a0

SHA256
33b73b618d55a90d2a20e4a3abfdc4abdc24a39105b849b3074c4601b4fd65bf

SHA512
63c896d37800f1f0dd50f92c23665f7030c9a5954b25a2e7286059acfc6aed12446566c83feb4b3c822680a6d3d91bf6746006f3fdd109e2ae993e2d2c3e8bfe

Download Submit
C:\Windows\umqeiy.exe

Filesize
250KB

MD5
7ab51c2e2fdac53f3360bb5c8b73734e

SHA1
076d233ef06971a64f9b009c03627a491444a422

SHA256
8a7ad72fd6d3936ea3ad0ecadc063b382c6f0f8ff65b4839df1f3169f0135216

SHA512
35a6247f16a0295140782d0ea73754a37aafa09ba62d1f2be0a822d7f1b548921bad94b563ff16f1c817060544560f3c66856f0a85862cdbdfd85e29462abfee

Download Submit
memory/184-341-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/184-342-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/184-365-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/184-366-0x00000000004A0000-0x0000000000513000-memory.dmp

Filesize
460KB

Download
memory/624-124-0x0000000000D40000-0x0000000000DB3000-memory.dmp

Filesize
460KB

Download
memory/624-147-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/624-146-0x0000000000D40000-0x0000000000DB3000-memory.dmp

Filesize
460KB

Download
memory/624-143-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/624-125-0x0000000000D40000-0x0000000000DB3000-memory.dmp

Filesize
460KB

Download
memory/624-128-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/624-126-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/624-127-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/736-55-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/736-11-0x00000000775E3000-0x00000000775E4000-memory.dmp

Filesize
4KB

Download
memory/736-51-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/736-54-0x0000000002190000-0x0000000002203000-memory.dmp

Filesize
460KB

Download
memory/736-7-0x0000000002190000-0x0000000002203000-memory.dmp

Filesize
460KB

Download
memory/736-5-0x0000000002190000-0x0000000002203000-memory.dmp

Filesize
460KB

Download
memory/736-10-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/736-26-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/736-9-0x00000000775E2000-0x00000000775E3000-memory.dmp

Filesize
4KB

Download
memory/736-12-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/736-13-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/736-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/736-48-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/736-27-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/736-25-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/908-584-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/908-561-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/908-562-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/908-583-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/984-334-0x0000000000CF0000-0x0000000000D63000-memory.dmp

Filesize
460KB

Download
memory/984-333-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/984-309-0x0000000000CF0000-0x0000000000D63000-memory.dmp

Filesize
460KB

Download
memory/984-310-0x0000000000CF0000-0x0000000000D63000-memory.dmp

Filesize
460KB

Download
memory/1192-529-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1192-507-0x0000000000D10000-0x0000000000D83000-memory.dmp

Filesize
460KB

Download
memory/1192-530-0x0000000000D10000-0x0000000000D83000-memory.dmp

Filesize
460KB

Download
memory/1192-508-0x0000000000D10000-0x0000000000D83000-memory.dmp

Filesize
460KB

Download
memory/1268-96-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1268-95-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1268-116-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/1268-113-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1268-97-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/1268-94-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/1268-117-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1268-93-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/1424-397-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1424-374-0x00000000004B0000-0x0000000000523000-memory.dmp

Filesize
460KB

Download
memory/1424-373-0x00000000004B0000-0x0000000000523000-memory.dmp

Filesize
460KB

Download
memory/1424-398-0x00000000004B0000-0x0000000000523000-memory.dmp

Filesize
460KB

Download
memory/1788-611-0x0000000000560000-0x00000000005D3000-memory.dmp

Filesize
460KB

Download
memory/1788-610-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1788-588-0x0000000000560000-0x00000000005D3000-memory.dmp

Filesize
460KB

Download
memory/1788-589-0x0000000000560000-0x00000000005D3000-memory.dmp

Filesize
460KB

Download
memory/2136-742-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2136-721-0x0000000000D20000-0x0000000000D93000-memory.dmp

Filesize
460KB

Download
memory/2136-743-0x0000000000D20000-0x0000000000D93000-memory.dmp

Filesize
460KB

Download
memory/2624-503-0x0000000000D20000-0x0000000000D93000-memory.dmp

Filesize
460KB

Download
memory/2624-502-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2624-481-0x0000000000D20000-0x0000000000D93000-memory.dmp

Filesize
460KB

Download
memory/2624-482-0x0000000000D20000-0x0000000000D93000-memory.dmp

Filesize
460KB

Download
memory/2664-82-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2664-62-0x0000000000670000-0x00000000006E3000-memory.dmp

Filesize
460KB

Download
memory/2664-86-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2664-85-0x0000000000670000-0x00000000006E3000-memory.dmp

Filesize
460KB

Download
memory/2664-63-0x0000000000670000-0x00000000006E3000-memory.dmp

Filesize
460KB

Download
memory/2664-64-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2664-65-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2664-66-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/2848-535-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/2848-534-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/2848-557-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/2848-556-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2992-637-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/2992-615-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/2992-636-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3456-269-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3456-247-0x0000000000D60000-0x0000000000DD3000-memory.dmp

Filesize
460KB

Download
memory/3456-266-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3456-249-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3456-248-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3456-270-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3456-250-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3588-403-0x0000000000570000-0x00000000005E3000-memory.dmp

Filesize
460KB

Download
memory/3588-424-0x0000000000570000-0x00000000005E3000-memory.dmp

Filesize
460KB

Download
memory/3588-423-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3588-402-0x0000000000570000-0x00000000005E3000-memory.dmp

Filesize
460KB

Download
memory/3848-667-0x0000000000D40000-0x0000000000DB3000-memory.dmp

Filesize
460KB

Download
memory/3848-689-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3848-690-0x0000000000D40000-0x0000000000DB3000-memory.dmp

Filesize
460KB

Download
memory/3848-668-0x0000000000D40000-0x0000000000DB3000-memory.dmp

Filesize
460KB

Download
memory/3860-189-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3860-205-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3860-209-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3860-208-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/3860-188-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3860-186-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/3860-185-0x00000000005A0000-0x0000000000613000-memory.dmp

Filesize
460KB

Download
memory/3860-187-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3964-178-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3964-156-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3964-174-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3964-155-0x0000000000580000-0x00000000005F3000-memory.dmp

Filesize
460KB

Download
memory/3964-177-0x0000000000580000-0x00000000005F3000-memory.dmp

Filesize
460KB

Download
memory/3964-158-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3964-157-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/3964-154-0x0000000000580000-0x00000000005F3000-memory.dmp

Filesize
460KB

Download
memory/4028-476-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4028-455-0x0000000000D10000-0x0000000000D83000-memory.dmp

Filesize
460KB

Download
memory/4028-454-0x0000000000D10000-0x0000000000D83000-memory.dmp

Filesize
460KB

Download
memory/4028-477-0x0000000000D10000-0x0000000000D83000-memory.dmp

Filesize
460KB

Download
memory/4092-716-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4092-695-0x0000000000E40000-0x0000000000EB3000-memory.dmp

Filesize
460KB

Download
memory/4092-694-0x0000000000E40000-0x0000000000EB3000-memory.dmp

Filesize
460KB

Download
memory/4092-717-0x0000000000E40000-0x0000000000EB3000-memory.dmp

Filesize
460KB

Download
memory/4472-45-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4472-24-0x0000000000D70000-0x0000000000DE3000-memory.dmp

Filesize
460KB

Download
memory/4472-23-0x0000000000D70000-0x0000000000DE3000-memory.dmp

Filesize
460KB

Download
memory/4472-46-0x0000000000D70000-0x0000000000DE3000-memory.dmp

Filesize
460KB

Download
memory/4592-450-0x0000000000570000-0x00000000005E3000-memory.dmp

Filesize
460KB

Download
memory/4592-429-0x0000000000570000-0x00000000005E3000-memory.dmp

Filesize
460KB

Download
memory/4592-428-0x0000000000570000-0x00000000005E3000-memory.dmp

Filesize
460KB

Download
memory/4592-449-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4628-219-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4628-240-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4628-239-0x0000000000770000-0x00000000007E3000-memory.dmp

Filesize
460KB

Download
memory/4628-220-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4628-236-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4628-218-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/4628-216-0x0000000000770000-0x00000000007E3000-memory.dmp

Filesize
460KB

Download
memory/4628-217-0x0000000000770000-0x00000000007E3000-memory.dmp

Filesize
460KB

Download
memory/4984-663-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/4984-662-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4984-641-0x0000000000CD0000-0x0000000000D43000-memory.dmp

Filesize
460KB

Download
memory/4992-747-0x0000000000D20000-0x0000000000D93000-memory.dmp

Filesize
460KB

Download
memory/5080-278-0x00000000004C0000-0x0000000000533000-memory.dmp

Filesize
460KB

Download
memory/5080-277-0x00000000004C0000-0x0000000000533000-memory.dmp

Filesize
460KB

Download
memory/5080-279-0x000000007FE40000-0x000000007FE4C000-memory.dmp

Filesize
48KB

Download
memory/5080-301-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/5080-302-0x00000000004C0000-0x0000000000533000-memory.dmp

Filesize
460KB

Download