asyncrat | ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

services.png.exe
Size

264KB
MD5

d397a1de162f332782fe3205a07792dd
SHA1

44793b3a374c3cb453bbd87a2fd28d8a4c408002
SHA256

ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560
SHA512

6be10fc6ebabffadd89a72862c5d292e2939d165298019fe684de4efb3284603756c8764810835c12651ad49f608dd3345c8d778b7fd795683f0fcceeaa3f659
SSDEEP

6144:VtjNiEZdoTD3wad4eq5OxUatA04d0drsFp2A4AG5uU:VTdS3Uek0WchA2D

Score

10^/10

asyncrat gurcu stormkitty default defense_evasion discovery execution persistence privilege_escalation rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendMessage?chat_id=1075483951

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendMessage?chat_id=1075483951

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendDocument?chat_id=107548395

https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=109642586

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c5f-114.dat	family_stormkitty
behavioral2/memory/4452-127-0x0000000000CE0000-0x0000000000D10000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023c5f-114.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4848	powershell.exe
1524	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 3 IoCs

flow	pid	Process
54	1976	cuasaraxuf.exe
56	1976	cuasaraxuf.exe
48	1976	cuasaraxuf.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	smbhost.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4396	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
1976	cuasaraxuf.exe
4452	UIServices.exe
5036	smbhost.exe
5052	SearchUI.exe
3200	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
4424	services.png.exe
4424	services.png.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ziunercio = "C:\\Users\\Admin\\AppData\\Roaming\\Ywdyivro\\cuasaraxuf.exe"	cuasaraxuf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	UIServices.exe
File opened for modification	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	UIServices.exe
File opened for modification	C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	UIServices.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4396	powercfg.exe
264	powercfg.exe
3180	powercfg.exe
404	powercfg.exe
1648	powercfg.exe
880	powercfg.exe
2532	powercfg.exe
3880	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	smbhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1220	tasklist.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 832	4424	services.png.exe	87
PID 4452 set thread context of 3200	4452	UIServices.exe	103
PID 3200 set thread context of 3788	3200	cmd.exe	105
PID 3200 set thread context of 2332	3200	cmd.exe	106
PID 3200 set thread context of 2388	3200	cmd.exe	107
PID 4452 set thread context of 4768	4452	UIServices.exe	108
PID 4768 set thread context of 4700	4768	cmd.exe	110
PID 4768 set thread context of 4952	4768	cmd.exe	111
PID 5036 set thread context of 984	5036	smbhost.exe	132
PID 3200 set thread context of 1644	3200	updater.exe	167
PID 3200 set thread context of 4396	3200	updater.exe	171
PID 3200 set thread context of 4356	3200	updater.exe	173

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4452-123-0x0000000003010000-0x000000000307C000-memory.dmp	upx
behavioral2/memory/4452-122-0x0000000003010000-0x000000000307C000-memory.dmp	upx
behavioral2/memory/4452-126-0x0000000003010000-0x000000000307C000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-255.dat	upx
behavioral2/memory/5052-257-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/5052-259-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/3200-309-0x0000000002FE0000-0x000000000304C000-memory.dmp	upx
behavioral2/memory/3200-308-0x0000000002FE0000-0x000000000304C000-memory.dmp	upx
behavioral2/memory/3200-310-0x0000000002FE0000-0x000000000304C000-memory.dmp	upx
behavioral2/memory/3788-316-0x0000000002F70000-0x0000000002FDC000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4808	sc.exe
2140	sc.exe
3700	sc.exe
748	sc.exe
2996	sc.exe
5092	sc.exe
4776	sc.exe
1340	sc.exe
2248	sc.exe
4492	sc.exe
2940	sc.exe
4988	sc.exe
1272	sc.exe
4152	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOSTNAME.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuasaraxuf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UIServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchUI.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3200	cmd.exe
2332	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	UIServices.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UIServices.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchUI.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Intel(R) Core(TM) i7-8750H CPU @ 5.00 GHz"	SearchUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	UIServices.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3180	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Internet Explorer\Privacy	services.png.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	services.png.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={9794D94A-29BB-475B-B468-9AE6B57CD9BD}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738317701"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 31 Jan 2025 10:01:42 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	services.png.exe
4424	services.png.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
4452	UIServices.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
5036	smbhost.exe
4848	powershell.exe
4848	powershell.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
1976	cuasaraxuf.exe
5036	smbhost.exe
5036	smbhost.exe
5036	smbhost.exe
5036	smbhost.exe
5036	smbhost.exe
5036	smbhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	4424	services.png.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	832	cmd.exe
Token: SeSecurityPrivilege	832	cmd.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe
Token: SeSecurityPrivilege	1976	cuasaraxuf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3996	RuntimeBroker.exe
3452	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1976	4424	services.png.exe	86
PID 4424 wrote to memory of 1976	4424	services.png.exe	86
PID 4424 wrote to memory of 1976	4424	services.png.exe	86
PID 1976 wrote to memory of 2672	1976	cuasaraxuf.exe	44
PID 1976 wrote to memory of 2672	1976	cuasaraxuf.exe	44
PID 1976 wrote to memory of 2672	1976	cuasaraxuf.exe	44
PID 1976 wrote to memory of 2672	1976	cuasaraxuf.exe	44
PID 1976 wrote to memory of 2672	1976	cuasaraxuf.exe	44
PID 1976 wrote to memory of 2692	1976	cuasaraxuf.exe	45
PID 1976 wrote to memory of 2692	1976	cuasaraxuf.exe	45
PID 1976 wrote to memory of 2692	1976	cuasaraxuf.exe	45
PID 1976 wrote to memory of 2692	1976	cuasaraxuf.exe	45
PID 1976 wrote to memory of 2692	1976	cuasaraxuf.exe	45
PID 1976 wrote to memory of 2952	1976	cuasaraxuf.exe	51
PID 1976 wrote to memory of 2952	1976	cuasaraxuf.exe	51
PID 1976 wrote to memory of 2952	1976	cuasaraxuf.exe	51
PID 1976 wrote to memory of 2952	1976	cuasaraxuf.exe	51
PID 1976 wrote to memory of 2952	1976	cuasaraxuf.exe	51
PID 1976 wrote to memory of 3452	1976	cuasaraxuf.exe	56
PID 1976 wrote to memory of 3452	1976	cuasaraxuf.exe	56
PID 1976 wrote to memory of 3452	1976	cuasaraxuf.exe	56
PID 1976 wrote to memory of 3452	1976	cuasaraxuf.exe	56
PID 1976 wrote to memory of 3452	1976	cuasaraxuf.exe	56
PID 1976 wrote to memory of 3612	1976	cuasaraxuf.exe	57
PID 1976 wrote to memory of 3612	1976	cuasaraxuf.exe	57
PID 1976 wrote to memory of 3612	1976	cuasaraxuf.exe	57
PID 1976 wrote to memory of 3612	1976	cuasaraxuf.exe	57
PID 1976 wrote to memory of 3612	1976	cuasaraxuf.exe	57
PID 1976 wrote to memory of 3800	1976	cuasaraxuf.exe	58
PID 1976 wrote to memory of 3800	1976	cuasaraxuf.exe	58
PID 1976 wrote to memory of 3800	1976	cuasaraxuf.exe	58
PID 1976 wrote to memory of 3800	1976	cuasaraxuf.exe	58
PID 1976 wrote to memory of 3800	1976	cuasaraxuf.exe	58
PID 1976 wrote to memory of 3896	1976	cuasaraxuf.exe	59
PID 1976 wrote to memory of 3896	1976	cuasaraxuf.exe	59
PID 1976 wrote to memory of 3896	1976	cuasaraxuf.exe	59
PID 1976 wrote to memory of 3896	1976	cuasaraxuf.exe	59
PID 1976 wrote to memory of 3896	1976	cuasaraxuf.exe	59
PID 1976 wrote to memory of 3996	1976	cuasaraxuf.exe	60
PID 1976 wrote to memory of 3996	1976	cuasaraxuf.exe	60
PID 1976 wrote to memory of 3996	1976	cuasaraxuf.exe	60
PID 1976 wrote to memory of 3996	1976	cuasaraxuf.exe	60
PID 1976 wrote to memory of 3996	1976	cuasaraxuf.exe	60
PID 1976 wrote to memory of 4084	1976	cuasaraxuf.exe	61
PID 1976 wrote to memory of 4084	1976	cuasaraxuf.exe	61
PID 1976 wrote to memory of 4084	1976	cuasaraxuf.exe	61
PID 1976 wrote to memory of 4084	1976	cuasaraxuf.exe	61
PID 1976 wrote to memory of 4084	1976	cuasaraxuf.exe	61
PID 1976 wrote to memory of 4108	1976	cuasaraxuf.exe	62
PID 1976 wrote to memory of 4108	1976	cuasaraxuf.exe	62
PID 1976 wrote to memory of 4108	1976	cuasaraxuf.exe	62
PID 1976 wrote to memory of 4108	1976	cuasaraxuf.exe	62
PID 1976 wrote to memory of 4108	1976	cuasaraxuf.exe	62
PID 1976 wrote to memory of 4756	1976	cuasaraxuf.exe	74
PID 1976 wrote to memory of 4756	1976	cuasaraxuf.exe	74
PID 1976 wrote to memory of 4756	1976	cuasaraxuf.exe	74
PID 1976 wrote to memory of 4756	1976	cuasaraxuf.exe	74
PID 1976 wrote to memory of 4756	1976	cuasaraxuf.exe	74
PID 1976 wrote to memory of 2568	1976	cuasaraxuf.exe	76
PID 1976 wrote to memory of 2568	1976	cuasaraxuf.exe	76
PID 1976 wrote to memory of 2568	1976	cuasaraxuf.exe	76
PID 1976 wrote to memory of 2568	1976	cuasaraxuf.exe	76
PID 1976 wrote to memory of 2568	1976	cuasaraxuf.exe	76
PID 1976 wrote to memory of 1544	1976	cuasaraxuf.exe	80

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1164
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1528
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1792

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2796

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:388

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3408

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3452
- C:\Users\Admin\AppData\Local\Temp\services.png.exe
  "C:\Users\Admin\AppData\Local\Temp\services.png.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Users\Admin\AppData\Roaming\Ywdyivro\cuasaraxuf.exe
    "C:\Users\Admin\AppData\Roaming\Ywdyivro\cuasaraxuf.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4884
    - - C:\Windows\SysWOW64\HOSTNAME.EXE
        
        hostname
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:212
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3180
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1220
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4396
    - - C:\Windows\SysWOW64\net.exe
        
        net share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\tmp31ab4d34\UIServices.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp31ab4d34\UIServices.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4452
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3200
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2332
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2388
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4768
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\tmpc17f4f0a\smbhost.exe
      "C:\Users\Admin\AppData\Local\Temp\tmpc17f4f0a\smbhost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:5036
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4848
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4280
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:3700
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:4868
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4492
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2940
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:748
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:4808
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1272
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:3880
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:3180
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:264
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:4396
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:984
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:2140
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4988
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:4776
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:4152
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:1376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmpc17f4f0a\smbhost.exe"
        5⤵
        
        PID:4588
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4796
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:4248
  - - C:\Users\Admin\AppData\Local\Temp\tmp4a7a7ea4\SearchUI.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp4a7a7ea4\SearchUI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:5052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp6e5bd2b1.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3612

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3800

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3896

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1144

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2524

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3560

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3884

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2420

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1276

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2568

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1544

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1624

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4760

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:380

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3200
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1524
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4196
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4492
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5092
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1340
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1120
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:3700
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2248
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3052
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:404
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1592
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:1648
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3568
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:880
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1936
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:2532
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2264
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1644
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4396
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zn51ju0p.upl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31ab4d34\UIServices.exe

Filesize
170KB

MD5
4376ea4b5ba0f8a061dc18342267e85c

SHA1
8d99fa9673835644c641ae4533f005dca4522f6c

SHA256
6508dd74c69d399050b07256b4b25cd66cfd774848d55fe330a9d77ad09ce03f

SHA512
24811d6dd05df0000b5d0948a833c49ef32a7e5fc3a5cab6c61e9331b6966026f03254eb1a8a9945e8a4e43d1e38bdebed2ec0e8337873de3386c4c4b5bde0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4a7a7ea4\SearchUI.exe

Filesize
17KB

MD5
d72791d9eb757581772716a7573c4a4c

SHA1
8fa5d920023a9ff0b5329fd605d4b176783cc32d

SHA256
b87870c36a1c770960979d8958aeb12c0537b5287bd420555931e6f4a28bbebf

SHA512
b9a6c55c9fdc85e63e7228dfe260993f45cb492bbca6c90beb2c9e9f31e54406d7774292a4c19b7b12514d688bec41cf19c60a75ce16703158bf0edac3013563

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6e5bd2b1.bat

Filesize
203B

MD5
2710fbc20bb7d992f610d3c7679d75a3

SHA1
7525e2d94e2e5ee4faac7f24b3ecd533fd6f8b2b

SHA256
814d0297eccc172950e134fb763991e2b38bca3ceb5a7bb579c0375ac5fdc766

SHA512
e0db3c0daedcfb9915b4c8a81e366e3612feee903c0ac59ea4fd8dcbfd743630917c025b662207a9026a0800890d98eeb5be22b1baa77e499f613a3568408411

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE1B.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDE2C.tmp

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpc17f4f0a\smbhost.exe

Filesize
5.3MB

MD5
b7c617a44000e6e30462ffdd5a27ba4f

SHA1
dffbd2089913059c730f751c9349d98dbc5e4f3f

SHA256
f2b0f9d4f4109891d7a92f3c9e22c0fb748d36bf564eebf74a0055056e307b45

SHA512
74fbc1b3ebd412c501b787974a0a7b597934accfb2eb2f47ae697bbb93db2de6824ae4cae3cb2b0783b592b4337d3eebce1a4748201653a143d326a238612181

Download Submit
C:\Users\Admin\AppData\Local\a7ab6012033be9ffc0c60b58a45c8fc0\Admin@BRWCNDMR_en-US\System\Process.txt

Filesize
4KB

MD5
148af5b8a997d21d331477703890be20

SHA1
d700f6331358703d1e03fb4dc42ca01de8dd9165

SHA256
3c28e7da18aa32d75dbd58f14e99a8ea6e1274adfe4fd197b9374e9492adde5a

SHA512
e4de9ed4bd098f5dada8dec42170e95d4d6c26cf83c99f2ca6a8a4b85b85ba4d21b77bfdc6abd0df97e7a23279e8a8ac3dc031d4ff9c4d29cb40fa71a4d173b7

Download Submit
C:\Users\Admin\AppData\Local\fef16254c81b3fc76ea5f6f084e851c9\msgid.dat

Filesize
4B

MD5
5bd844f11fa520d54fa5edec06ea2507

SHA1
2c53c377c20a3f2c14b79f7bf32b179f57e39085

SHA256
14b2f094410528924d7d11ecfcd8ac7b9b5ed956511c34972ed397891cae48c0

SHA512
1a503d4204dd9a76270eb001da90e02f71319d517051d9868b5e0d748c26e8c5d092d1c86bbaacd6e63fc1aed2f68d60e531b5033c17bba12241286fe096f103

Download Submit
C:\Users\Admin\AppData\Roaming\Egalbaetil\lyzofiuptih.cuo

Filesize
2KB

MD5
f1f13c2726af7665c01be1a420e462ce

SHA1
622d25501eacaf724e312f9f873aa53c39d670e4

SHA256
16c1fdcb727b8d616c8904d8adf807dd5d57f3dcbdb305818571b7f7c6691eda

SHA512
d6d0d2aa30050b32d62a2cd68eb9cc14a610d6f89b2bb1c07f9237783fca7df3f12410b65a3aa54b49c6cb9a1770a5fb2a5e6f2b955099a1ca9fd16c8ca19f6b

Download Submit
C:\Users\Admin\AppData\Roaming\Ihloqyatibe\aquvcuixovf.izl

Filesize
606KB

MD5
95c00ca3f56705565e46d8aa91137b9e

SHA1
1a7be62ed39ccca69de539e9c98e1ce38840b32e

SHA256
f71ccfbdd38c899168f368cb4252cf54f1315b6e1e45262a58c27e3652d58371

SHA512
fee9c42acda2b5cf0b8e97a00bc1a87001152342dac926cfcea70f7e11123e766a048a91c42bff21ac2f6352be4d527a8784874c21dfad43c6811e833f420033

Download Submit
C:\Users\Admin\AppData\Roaming\Ihloqyatibe\aquvcuixovf.izl

Filesize
170KB

MD5
b6c3931dcfff308ef9142990c3a5eed2

SHA1
bc40d7c8997595ff29d1d3a94a9ab89fa42c9403

SHA256
322751f85aac92d0eefa78ce9522322d2b9a2dafc10b21dfbe7b3b453f8cb25e

SHA512
b31e52d53c64b36809db865cf4a05a5a04cdd9adb3314e87399e39e4f00c15c74555ae6c9b5f9cffb09e4608aa5f7605bfcf84ddc556b8e74960e36005c3d60e

Download Submit
C:\Users\Admin\AppData\Roaming\Ywdyivro\cuasaraxuf.exe

Filesize
264KB

MD5
2a7cf6950a8cd47471b283c83ff86802

SHA1
177711223ab288ea4fa44cc85039a22250681112

SHA256
280a392fc0521f7a3cd284bc2d6bbc44f27a3fdabb639b5b54363a9cc4f85fe3

SHA512
9931a4a1143aa750eac57cdfd433dfde7404b17e9b31922a7306fed527b0cc483fbbdadb1b67c56170d5585474cdf7ac2726246480338a89904a422b41787b87

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2082b195c152af46507ecfa80955b64b

SHA1
ac4164f48a10fdc59e8249f98be3771a0186eee6

SHA256
2534e6e3246d38c1aaeefbb72beed327e4cd430432293b508dcc23404e15eeae

SHA512
3636baebbd311b2e3f144dfe1c42ea6e4509cfe27251bf4efa96fc12f16e8ac6ee32f0239955a7f36b1bd7f53df35ec7758390fb20e4912ae747db3a2e11bf32

Download Submit
memory/832-66-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/832-63-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/832-61-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/832-51-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/832-59-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/832-60-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/832-64-0x0000000076F33000-0x0000000076F34000-memory.dmp

Filesize
4KB

Download
memory/832-62-0x0000000000F40000-0x0000000000F87000-memory.dmp

Filesize
284KB

Download
memory/1524-740-0x000001C0A9A40000-0x000001C0A9A5C000-memory.dmp

Filesize
112KB

Download
memory/1524-737-0x000001C0A9800000-0x000001C0A981C000-memory.dmp

Filesize
112KB

Download
memory/1524-739-0x000001C0A97F0000-0x000001C0A97FA000-memory.dmp

Filesize
40KB

Download
memory/1524-738-0x000001C0A9820000-0x000001C0A98D5000-memory.dmp

Filesize
724KB

Download
memory/1524-741-0x000001C0A9A20000-0x000001C0A9A2A000-memory.dmp

Filesize
40KB

Download
memory/1524-742-0x000001C0A9A80000-0x000001C0A9A9A000-memory.dmp

Filesize
104KB

Download
memory/1524-743-0x000001C0A9A30000-0x000001C0A9A38000-memory.dmp

Filesize
32KB

Download
memory/1524-744-0x000001C0A9A60000-0x000001C0A9A66000-memory.dmp

Filesize
24KB

Download
memory/1524-745-0x000001C0A9A70000-0x000001C0A9A7A000-memory.dmp

Filesize
40KB

Download
memory/3200-311-0x0000000000F10000-0x0000000000F57000-memory.dmp

Filesize
284KB

Download
memory/3200-301-0x0000000000F10000-0x0000000000F57000-memory.dmp

Filesize
284KB

Download
memory/3200-310-0x0000000002FE0000-0x000000000304C000-memory.dmp

Filesize
432KB

Download
memory/3200-305-0x0000000000F10000-0x0000000000F57000-memory.dmp

Filesize
284KB

Download
memory/3200-308-0x0000000002FE0000-0x000000000304C000-memory.dmp

Filesize
432KB

Download
memory/3200-309-0x0000000002FE0000-0x000000000304C000-memory.dmp

Filesize
432KB

Download
memory/3200-302-0x0000000000F10000-0x0000000000F57000-memory.dmp

Filesize
284KB

Download
memory/3200-304-0x0000000000F10000-0x0000000000F57000-memory.dmp

Filesize
284KB

Download
memory/3200-303-0x0000000000F10000-0x0000000000F57000-memory.dmp

Filesize
284KB

Download
memory/3788-312-0x0000000001240000-0x0000000001287000-memory.dmp

Filesize
284KB

Download
memory/3788-314-0x0000000001240000-0x0000000001287000-memory.dmp

Filesize
284KB

Download
memory/3788-313-0x0000000001240000-0x0000000001287000-memory.dmp

Filesize
284KB

Download
memory/3788-315-0x0000000001240000-0x0000000001287000-memory.dmp

Filesize
284KB

Download
memory/3788-316-0x0000000002F70000-0x0000000002FDC000-memory.dmp

Filesize
432KB

Download
memory/4424-30-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-48-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-46-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-36-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-29-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-31-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-34-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4424-28-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-27-0x0000000076F33000-0x0000000076F34000-memory.dmp

Filesize
4KB

Download
memory/4424-26-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-25-0x00000000022E0000-0x0000000002327000-memory.dmp

Filesize
284KB

Download
memory/4424-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4424-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4452-394-0x0000000007390000-0x00000000073A2000-memory.dmp

Filesize
72KB

Download
memory/4452-134-0x00000000012D0000-0x0000000001336000-memory.dmp

Filesize
408KB

Download
memory/4452-298-0x00000000064F0000-0x0000000006582000-memory.dmp

Filesize
584KB

Download
memory/4452-115-0x0000000001100000-0x0000000001147000-memory.dmp

Filesize
284KB

Download
memory/4452-124-0x0000000001100000-0x0000000001147000-memory.dmp

Filesize
284KB

Download
memory/4452-388-0x00000000065A0000-0x00000000065AA000-memory.dmp

Filesize
40KB

Download
memory/4452-123-0x0000000003010000-0x000000000307C000-memory.dmp

Filesize
432KB

Download
memory/4452-118-0x0000000001100000-0x0000000001147000-memory.dmp

Filesize
284KB

Download
memory/4452-122-0x0000000003010000-0x000000000307C000-memory.dmp

Filesize
432KB

Download
memory/4452-127-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/4452-126-0x0000000003010000-0x000000000307C000-memory.dmp

Filesize
432KB

Download
memory/4452-117-0x0000000001100000-0x0000000001147000-memory.dmp

Filesize
284KB

Download
memory/4452-121-0x0000000001100000-0x0000000001147000-memory.dmp

Filesize
284KB

Download
memory/4452-299-0x0000000006B40000-0x00000000070E4000-memory.dmp

Filesize
5.6MB

Download
memory/4452-119-0x0000000001100000-0x0000000001147000-memory.dmp

Filesize
284KB

Download
memory/4848-428-0x000001217B600000-0x000001217B622000-memory.dmp

Filesize
136KB

Download
memory/5052-257-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5052-259-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/5052-256-0x0000000000410000-0x0000000000457000-memory.dmp

Filesize
284KB

Download
memory/5052-253-0x0000000000410000-0x0000000000457000-memory.dmp

Filesize
284KB

Download