asyncrat | ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

services.png.exe
Size

264KB
MD5

d397a1de162f332782fe3205a07792dd
SHA1

44793b3a374c3cb453bbd87a2fd28d8a4c408002
SHA256

ea251bf7fcc0a42cb9e954a45d925ef379ef1ffca39e482f44af701b4ace8560
SHA512

6be10fc6ebabffadd89a72862c5d292e2939d165298019fe684de4efb3284603756c8764810835c12651ad49f608dd3345c8d778b7fd795683f0fcceeaa3f659
SSDEEP

6144:VtjNiEZdoTD3wad4eq5OxUatA04d0drsFp2A4AG5uU:VTdS3Uek0WchA2D

Score

10^/10

asyncrat gurcu stormkitty default defense_evasion discovery execution persistence privilege_escalation rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendMessage?chat_id=1075483951

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendMessage?chat_id=1075483951

https://api.telegram.org/bot6987227198:AAGW8xEs5eNdfO7EF-8152h-RqJkKbn52BE/sendDocument?chat_id=107548395

https://api.telegram.org/bot1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8/sendDocument?chat_id=109642586

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c5d-114.dat	family_stormkitty
behavioral2/memory/3488-124-0x0000000000D20000-0x0000000000D50000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c5d-114.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3188	powershell.exe
1036	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Downloads MZ/PE file 3 IoCs

flow	pid	Process
47	2832	faepzoveify.exe
50	2832	faepzoveify.exe
45	2832	faepzoveify.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	smbhost.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5116	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
2832	faepzoveify.exe
3488	UIServices.exe
2336	smbhost.exe
2576	SearchUI.exe
2344	updater.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
432	services.png.exe
432	services.png.exe
2832	faepzoveify.exe
2832	faepzoveify.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gavycia = "C:\\Users\\Admin\\AppData\\Roaming\\Yvysteotatut\\faepzoveify.exe"	faepzoveify.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	UIServices.exe
File opened for modification	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	UIServices.exe
File created	C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	UIServices.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4508	powercfg.exe
4868	powercfg.exe
4724	powercfg.exe
4708	powercfg.exe
3984	powercfg.exe
3712	powercfg.exe
4476	powercfg.exe
4740	powercfg.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\MRT.exe	smbhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
3412	tasklist.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 432 set thread context of 4420	432	services.png.exe	87
PID 3488 set thread context of 2940	3488	UIServices.exe	103
PID 2940 set thread context of 5040	2940	cmd.exe	105
PID 2940 set thread context of 3832	2940	cmd.exe	106
PID 2940 set thread context of 3416	2940	cmd.exe	107
PID 3488 set thread context of 4916	3488	UIServices.exe	108
PID 4916 set thread context of 2596	4916	cmd.exe	110
PID 4916 set thread context of 4020	4916	cmd.exe	111
PID 2336 set thread context of 1904	2336	smbhost.exe	131
PID 2344 set thread context of 980	2344	updater.exe	167
PID 2344 set thread context of 4420	2344	updater.exe	170
PID 2344 set thread context of 3472	2344	updater.exe	173

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3488-125-0x0000000003710000-0x000000000377C000-memory.dmp	upx
behavioral2/memory/3488-126-0x0000000003710000-0x000000000377C000-memory.dmp	upx
behavioral2/memory/3488-127-0x0000000003710000-0x000000000377C000-memory.dmp	upx
behavioral2/files/0x0007000000023c64-147.dat	upx
behavioral2/memory/2576-150-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2576-154-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2940-307-0x0000000003790000-0x00000000037FC000-memory.dmp	upx
behavioral2/memory/2940-306-0x0000000003790000-0x00000000037FC000-memory.dmp	upx
behavioral2/memory/2940-311-0x0000000003790000-0x00000000037FC000-memory.dmp	upx
behavioral2/memory/5040-318-0x0000000002690000-0x00000000026FC000-memory.dmp	upx
behavioral2/memory/5040-317-0x0000000002690000-0x00000000026FC000-memory.dmp	upx

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
556	sc.exe
1388	sc.exe
4952	sc.exe
2392	sc.exe
1332	sc.exe
2028	sc.exe
2880	sc.exe
2676	sc.exe
4016	sc.exe
4192	sc.exe
2132	sc.exe
2428	sc.exe
4012	sc.exe
3212	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchUI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	services.png.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	faepzoveify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HOSTNAME.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UIServices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2940	cmd.exe
3832	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	UIServices.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UIServices.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchUI.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	UIServices.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Intel(R) Core(TM) i7-8750H CPU @ 5.00 GHz"	SearchUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1388	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Software\Microsoft\Internet Explorer\Privacy	services.png.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	services.png.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1738317894"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Fri, 31 Jan 2025 10:04:54 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={57617E98-A763-40BC-BBA0-8F33852EE9EE}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
432	services.png.exe
432	services.png.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
3488	UIServices.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2832	faepzoveify.exe
2336	smbhost.exe
3188	powershell.exe
3188	powershell.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe
2336	smbhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	432	services.png.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	4420	cmd.exe
Token: SeSecurityPrivilege	4420	cmd.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeDebugPrivilege	3412	tasklist.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe
Token: SeSecurityPrivilege	2832	faepzoveify.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
3444	Explorer.EXE
3924	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 2832	432	services.png.exe	86
PID 432 wrote to memory of 2832	432	services.png.exe	86
PID 432 wrote to memory of 2832	432	services.png.exe	86
PID 2832 wrote to memory of 2624	2832	faepzoveify.exe	44
PID 2832 wrote to memory of 2624	2832	faepzoveify.exe	44
PID 2832 wrote to memory of 2624	2832	faepzoveify.exe	44
PID 2832 wrote to memory of 2624	2832	faepzoveify.exe	44
PID 2832 wrote to memory of 2624	2832	faepzoveify.exe	44
PID 2832 wrote to memory of 2648	2832	faepzoveify.exe	45
PID 2832 wrote to memory of 2648	2832	faepzoveify.exe	45
PID 2832 wrote to memory of 2648	2832	faepzoveify.exe	45
PID 2832 wrote to memory of 2648	2832	faepzoveify.exe	45
PID 2832 wrote to memory of 2648	2832	faepzoveify.exe	45
PID 2832 wrote to memory of 2972	2832	faepzoveify.exe	51
PID 2832 wrote to memory of 2972	2832	faepzoveify.exe	51
PID 2832 wrote to memory of 2972	2832	faepzoveify.exe	51
PID 2832 wrote to memory of 2972	2832	faepzoveify.exe	51
PID 2832 wrote to memory of 2972	2832	faepzoveify.exe	51
PID 2832 wrote to memory of 3444	2832	faepzoveify.exe	56
PID 2832 wrote to memory of 3444	2832	faepzoveify.exe	56
PID 2832 wrote to memory of 3444	2832	faepzoveify.exe	56
PID 2832 wrote to memory of 3444	2832	faepzoveify.exe	56
PID 2832 wrote to memory of 3444	2832	faepzoveify.exe	56
PID 2832 wrote to memory of 3588	2832	faepzoveify.exe	57
PID 2832 wrote to memory of 3588	2832	faepzoveify.exe	57
PID 2832 wrote to memory of 3588	2832	faepzoveify.exe	57
PID 2832 wrote to memory of 3588	2832	faepzoveify.exe	57
PID 2832 wrote to memory of 3588	2832	faepzoveify.exe	57
PID 2832 wrote to memory of 3768	2832	faepzoveify.exe	58
PID 2832 wrote to memory of 3768	2832	faepzoveify.exe	58
PID 2832 wrote to memory of 3768	2832	faepzoveify.exe	58
PID 2832 wrote to memory of 3768	2832	faepzoveify.exe	58
PID 2832 wrote to memory of 3768	2832	faepzoveify.exe	58
PID 2832 wrote to memory of 3864	2832	faepzoveify.exe	59
PID 2832 wrote to memory of 3864	2832	faepzoveify.exe	59
PID 2832 wrote to memory of 3864	2832	faepzoveify.exe	59
PID 2832 wrote to memory of 3864	2832	faepzoveify.exe	59
PID 2832 wrote to memory of 3864	2832	faepzoveify.exe	59
PID 2832 wrote to memory of 3924	2832	faepzoveify.exe	60
PID 2832 wrote to memory of 3924	2832	faepzoveify.exe	60
PID 2832 wrote to memory of 3924	2832	faepzoveify.exe	60
PID 2832 wrote to memory of 3924	2832	faepzoveify.exe	60
PID 2832 wrote to memory of 3924	2832	faepzoveify.exe	60
PID 2832 wrote to memory of 4056	2832	faepzoveify.exe	61
PID 2832 wrote to memory of 4056	2832	faepzoveify.exe	61
PID 2832 wrote to memory of 4056	2832	faepzoveify.exe	61
PID 2832 wrote to memory of 4056	2832	faepzoveify.exe	61
PID 2832 wrote to memory of 4056	2832	faepzoveify.exe	61
PID 2832 wrote to memory of 3988	2832	faepzoveify.exe	62
PID 2832 wrote to memory of 3988	2832	faepzoveify.exe	62
PID 2832 wrote to memory of 3988	2832	faepzoveify.exe	62
PID 2832 wrote to memory of 3988	2832	faepzoveify.exe	62
PID 2832 wrote to memory of 3988	2832	faepzoveify.exe	62
PID 2832 wrote to memory of 3560	2832	faepzoveify.exe	74
PID 2832 wrote to memory of 3560	2832	faepzoveify.exe	74
PID 2832 wrote to memory of 3560	2832	faepzoveify.exe	74
PID 2832 wrote to memory of 3560	2832	faepzoveify.exe	74
PID 2832 wrote to memory of 3560	2832	faepzoveify.exe	74
PID 2832 wrote to memory of 1628	2832	faepzoveify.exe	76
PID 2832 wrote to memory of 1628	2832	faepzoveify.exe	76
PID 2832 wrote to memory of 1628	2832	faepzoveify.exe	76
PID 2832 wrote to memory of 1628	2832	faepzoveify.exe	76
PID 2832 wrote to memory of 1628	2832	faepzoveify.exe	76
PID 2832 wrote to memory of 3296	2832	faepzoveify.exe	80

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1216
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1480
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1884

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2752

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2812

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3444
- C:\Users\Admin\AppData\Local\Temp\services.png.exe
  "C:\Users\Admin\AppData\Local\Temp\services.png.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Roaming\Yvysteotatut\faepzoveify.exe
    "C:\Users\Admin\AppData\Roaming\Yvysteotatut\faepzoveify.exe"
    3⤵
    - Downloads MZ/PE file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4028
    - - C:\Windows\SysWOW64\HOSTNAME.EXE
        
        hostname
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1388
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall set opmode disable
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5116
    - - C:\Windows\SysWOW64\net.exe
        
        net share
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 share
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
  - - C:\Users\Admin\AppData\Local\Temp\tmp255119ae\UIServices.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp255119ae\UIServices.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2940
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3832
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3416
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4916
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3492
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4020
  - - C:\Users\Admin\AppData\Local\Temp\tmp18a74618\smbhost.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp18a74618\smbhost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2336
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1872
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:3048
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:4016
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2392
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2880
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1332
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:2028
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:4740
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:4508
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:4868
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:4724
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:1904
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:556
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:4192
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:2428
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        5⤵
        Launches sc.exe
        
        PID:2132
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp18a74618\smbhost.exe"
        5⤵
        
        PID:1128
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5084
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:2164
  - - C:\Users\Admin\AppData\Local\Temp\tmp65dcd429\SearchUI.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp65dcd429\SearchUI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp3eb69053.bat"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3864

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3924

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3988

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2792

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4268

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1528

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1628

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3296

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1356

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
PID:1440

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:2344
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1036
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1360
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:736
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2676
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1388
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4596
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4012
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1948
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3212
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4316
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4708
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4416
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3092
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:3712
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2904
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4476
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1084
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:980
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:4420
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
e2d45eb7f29f0324b7d6073176609a13

SHA1
71b6d1ec9bae8a4fbfe972cb348ab632fe2e6020

SHA256
3283574da7bec31ce2276f969cdd5ba445f60b37c756f0bcc14d18c0a1b4794f

SHA512
3b04cb5af67efbe3ae23734901b537ea82a40a2fd810c7b53f9994c7ecbae47f8f1d77a677948b89c9849e3afec93739828caa348c4de3c80d488607211da681

Download Submit
C:\Users\Admin\AppData\Local\61b9bfd5b475b2dfd4b61e2eaba6b406\Admin@ZOHHKDLF_en-US\System\Process.txt

Filesize
4KB

MD5
6f641ffa3ce36d4a08fcf99887f825e9

SHA1
4e8b0687af2b737e9b0d20750c6f307c483a2953

SHA256
e58781ac8892261d492647dd677ae654fc9a639544d65138d262dac527403e05

SHA512
0ae3ad62be9e3f194bdcaa5db99725665d88f43a0913838597b2004b373d6cb751f4faf30ba85d3aae7f36d98943309257dab06bff0c5d2f2a25c9b861a0d003

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxlxjpmd.esl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp18a74618\smbhost.exe

Filesize
5.3MB

MD5
b7c617a44000e6e30462ffdd5a27ba4f

SHA1
dffbd2089913059c730f751c9349d98dbc5e4f3f

SHA256
f2b0f9d4f4109891d7a92f3c9e22c0fb748d36bf564eebf74a0055056e307b45

SHA512
74fbc1b3ebd412c501b787974a0a7b597934accfb2eb2f47ae697bbb93db2de6824ae4cae3cb2b0783b592b4337d3eebce1a4748201653a143d326a238612181

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp255119ae\UIServices.exe

Filesize
170KB

MD5
4376ea4b5ba0f8a061dc18342267e85c

SHA1
8d99fa9673835644c641ae4533f005dca4522f6c

SHA256
6508dd74c69d399050b07256b4b25cd66cfd774848d55fe330a9d77ad09ce03f

SHA512
24811d6dd05df0000b5d0948a833c49ef32a7e5fc3a5cab6c61e9331b6966026f03254eb1a8a9945e8a4e43d1e38bdebed2ec0e8337873de3386c4c4b5bde0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3eb69053.bat

Filesize
203B

MD5
a500185c2511ab11a3d959b76c5af912

SHA1
6e991a9e630055ea44570648441135744d5e5c4e

SHA256
f8c24c34d2507a27c9fbaaf6d4893c99224cad5774d1f3113512bd68de18eb48

SHA512
af748dada8a673feed487cd81ffef8703099bdb9e941abc066eb5b3b8346103012bb94cdf73c346921472253bd086e940d57339988115b8a81b208601ce89b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp65dcd429\SearchUI.exe

Filesize
17KB

MD5
d72791d9eb757581772716a7573c4a4c

SHA1
8fa5d920023a9ff0b5329fd605d4b176783cc32d

SHA256
b87870c36a1c770960979d8958aeb12c0537b5287bd420555931e6f4a28bbebf

SHA512
b9a6c55c9fdc85e63e7228dfe260993f45cb492bbca6c90beb2c9e9f31e54406d7774292a4c19b7b12514d688bec41cf19c60a75ce16703158bf0edac3013563

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB72.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAB83.tmp

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
C:\Users\Admin\AppData\Local\f4c3fcadf38deab6fbd04a802faed858\msgid.dat

Filesize
4B

MD5
f2f446980d8e971ef3da97af089481c3

SHA1
5d7b162d270753003f4f17dd2e0a8018eac9f0fc

SHA256
54e54c775717bcde0f4bb957efcb1b702d1438aad989231c60fddb85fb6c5119

SHA512
6305cabbe6d833c81453790e87f42c0322b9a1c2de1af72de01dffae56d117fc729712aeb0cde0c60518b25e7b463c5a0624d0a7d4af878f5d8c37bd823795e4

Download Submit
C:\Users\Admin\AppData\Roaming\Ugnyimzaynim\geudydized.usr

Filesize
2KB

MD5
2f89f7eeee231545e16183720b2f0c0c

SHA1
444d1b2f08bd705adb1d03c9b715ca8991efe57c

SHA256
229e8f2e6fac9c66c74c74cb67b2c6a5e68f80ecd4b0af1a7db07659eff80995

SHA512
03801e22719ac5c49a1c3615f663512e58b212c46dc221c2064983b68f47b84d4fba97cafc25b309e05de6a5439c5dfa4a5b4b10316b0f090ab4010db2c3d5c5

Download Submit
C:\Users\Admin\AppData\Roaming\Xihoypxubeva\goakboemeqy.ime

Filesize
606KB

MD5
cff720aa0590fa32d11bf6695b271f2a

SHA1
dfc1f72b71e419c40688162c99a3830757d08b81

SHA256
2ed95c1b819b4b24abcf9e2b9a113b0ac45d0a08771307f687ad148e1fd3196b

SHA512
f99bafa88124cb9c34544fe477c233cc7597dd877b4a2ffb370edf4eb78677f119df576e891a71a69f636344ba030a4eb2da53fea85839d856f1d66a11ab3d55

Download Submit
C:\Users\Admin\AppData\Roaming\Xihoypxubeva\goakboemeqy.ime

Filesize
386KB

MD5
dd060fc2795e699c184996b137850100

SHA1
c5f239678391df7847451f2128f05fcccb7782fb

SHA256
f31f5941766365c54b2e9275554862756a0e0a6fa90e0eeece5bfda4c745a643

SHA512
8c3ff4752b30d227e5aa549fc05c45c7f149bb9778d14521616f0dc642862d747850e8e74cdf0e7161bca8b9ac5c91fba3027c2eca137f32cc55e6e8b3554c6a

Download Submit
C:\Users\Admin\AppData\Roaming\Yvysteotatut\faepzoveify.exe

Filesize
264KB

MD5
a426709a98f20c27aeb6b6eab4d0935b

SHA1
f4b8bf5954a02e06f4df8462a05cb09ef96016a6

SHA256
6bd78e030287e79f12707b395469f7edd74cdafa76beb7b638069fe74ce521be

SHA512
4b26e6e31b2a83204243055a29e9bb4192a1cfc500773692726c3c17d2fa1344f3063f5695e176714fd68c974ae1b418eb1636f65cfe6be61ef3b2b9c02f7254

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2082b195c152af46507ecfa80955b64b

SHA1
ac4164f48a10fdc59e8249f98be3771a0186eee6

SHA256
2534e6e3246d38c1aaeefbb72beed327e4cd430432293b508dcc23404e15eeae

SHA512
3636baebbd311b2e3f144dfe1c42ea6e4509cfe27251bf4efa96fc12f16e8ac6ee32f0239955a7f36b1bd7f53df35ec7758390fb20e4912ae747db3a2e11bf32

Download Submit
memory/432-25-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-28-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-48-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-29-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-30-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-31-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-46-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-32-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/432-33-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/432-36-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-26-0x0000000002300000-0x0000000002347000-memory.dmp

Filesize
284KB

Download
memory/432-27-0x0000000077E23000-0x0000000077E24000-memory.dmp

Filesize
4KB

Download
memory/432-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1036-746-0x000001F09EF50000-0x000001F09EF6A000-memory.dmp

Filesize
104KB

Download
memory/1036-747-0x000001F09EF00000-0x000001F09EF08000-memory.dmp

Filesize
32KB

Download
memory/1036-736-0x000001F09EDA0000-0x000001F09EDAA000-memory.dmp

Filesize
40KB

Download
memory/1036-734-0x000001F09ECC0000-0x000001F09ECDC000-memory.dmp

Filesize
112KB

Download
memory/1036-737-0x000001F09EF10000-0x000001F09EF2C000-memory.dmp

Filesize
112KB

Download
memory/1036-749-0x000001F09EF40000-0x000001F09EF4A000-memory.dmp

Filesize
40KB

Download
memory/1036-740-0x000001F09EEF0000-0x000001F09EEFA000-memory.dmp

Filesize
40KB

Download
memory/1036-748-0x000001F09EF30000-0x000001F09EF36000-memory.dmp

Filesize
24KB

Download
memory/1036-735-0x000001F09ECE0000-0x000001F09ED95000-memory.dmp

Filesize
724KB

Download
memory/2576-148-0x0000000000410000-0x0000000000457000-memory.dmp

Filesize
284KB

Download
memory/2576-154-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2576-152-0x0000000000410000-0x0000000000457000-memory.dmp

Filesize
284KB

Download
memory/2576-150-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2940-311-0x0000000003790000-0x00000000037FC000-memory.dmp

Filesize
432KB

Download
memory/2940-303-0x0000000000F70000-0x0000000000FB7000-memory.dmp

Filesize
284KB

Download
memory/2940-304-0x0000000000F70000-0x0000000000FB7000-memory.dmp

Filesize
284KB

Download
memory/2940-306-0x0000000003790000-0x00000000037FC000-memory.dmp

Filesize
432KB

Download
memory/2940-308-0x0000000000F70000-0x0000000000FB7000-memory.dmp

Filesize
284KB

Download
memory/2940-307-0x0000000003790000-0x00000000037FC000-memory.dmp

Filesize
432KB

Download
memory/2940-305-0x0000000000F70000-0x0000000000FB7000-memory.dmp

Filesize
284KB

Download
memory/2940-302-0x0000000000F70000-0x0000000000FB7000-memory.dmp

Filesize
284KB

Download
memory/3188-396-0x0000020B6D830000-0x0000020B6D852000-memory.dmp

Filesize
136KB

Download
memory/3488-127-0x0000000003710000-0x000000000377C000-memory.dmp

Filesize
432KB

Download
memory/3488-115-0x0000000001110000-0x0000000001157000-memory.dmp

Filesize
284KB

Download
memory/3488-299-0x0000000006500000-0x0000000006592000-memory.dmp

Filesize
584KB

Download
memory/3488-157-0x0000000001330000-0x0000000001396000-memory.dmp

Filesize
408KB

Download
memory/3488-128-0x0000000001110000-0x0000000001157000-memory.dmp

Filesize
284KB

Download
memory/3488-126-0x0000000003710000-0x000000000377C000-memory.dmp

Filesize
432KB

Download
memory/3488-125-0x0000000003710000-0x000000000377C000-memory.dmp

Filesize
432KB

Download
memory/3488-300-0x0000000006B50000-0x00000000070F4000-memory.dmp

Filesize
5.6MB

Download
memory/3488-117-0x0000000001110000-0x0000000001157000-memory.dmp

Filesize
284KB

Download
memory/3488-119-0x0000000001110000-0x0000000001157000-memory.dmp

Filesize
284KB

Download
memory/3488-702-0x00000000073E0000-0x00000000073F2000-memory.dmp

Filesize
72KB

Download
memory/3488-118-0x0000000001110000-0x0000000001157000-memory.dmp

Filesize
284KB

Download
memory/3488-388-0x0000000006730000-0x000000000673A000-memory.dmp

Filesize
40KB

Download
memory/3488-124-0x0000000000D20000-0x0000000000D50000-memory.dmp

Filesize
192KB

Download
memory/3488-121-0x0000000001110000-0x0000000001157000-memory.dmp

Filesize
284KB

Download
memory/4420-65-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/4420-63-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/4420-59-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/4420-60-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/4420-61-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/4420-64-0x0000000077E23000-0x0000000077E24000-memory.dmp

Filesize
4KB

Download
memory/4420-62-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/4420-51-0x0000000000B40000-0x0000000000B87000-memory.dmp

Filesize
284KB

Download
memory/5040-317-0x0000000002690000-0x00000000026FC000-memory.dmp

Filesize
432KB

Download
memory/5040-318-0x0000000002690000-0x00000000026FC000-memory.dmp

Filesize
432KB

Download
memory/5040-314-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/5040-313-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download
memory/5040-316-0x0000000000360000-0x00000000003A7000-memory.dmp

Filesize
284KB

Download