390d7472201e8ea9bdc6c7fa2b4ab1f6faca02071f1f997037cc5f52759a9cb6

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

max time kernel
195s
max time network
194s
platform
windows10_x64
resource
win10-en-20211104
submitted
12-11-2021 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Score

10^/10

discovery persistence ransomware upx

Malware Config

Extracted

Path

C:\_readme.txt

Ransom Note

ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: blower@india.com Reserve e-mail address to contact us: blower@firemail.cc Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

Emails

blower@india.com

blower@firemail.cc

URLs

https://we.tl/t-T9WE5uiVT6

Signatures

Executes dropped EXE 4 IoCs

Processes:

pid	process
3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1532	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4772	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4952	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SwitchStep.raw => C:\Users\Admin\Pictures\SwitchStep.raw.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\CompleteHide.tif => C:\Users\Admin\Pictures\CompleteHide.tif.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\ConvertToCompress.png => C:\Users\Admin\Pictures\ConvertToCompress.png.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\DismountComplete.crw => C:\Users\Admin\Pictures\DismountComplete.crw.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\ExpandPush.raw => C:\Users\Admin\Pictures\ExpandPush.raw.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\FormatPing.crw => C:\Users\Admin\Pictures\FormatPing.crw.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\SaveCheckpoint.tif => C:\Users\Admin\Pictures\SaveCheckpoint.tif.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File renamed	C:\Users\Admin\Pictures\SkipSplit.crw => C:\Users\Admin\Pictures\SkipSplit.crw.kropun	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4640 icacls.exe

pid	process
4640	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Drops desktop.ini file(s) 34 IoCs

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu Places\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 api.2ip.ua
36 api.2ip.ua
37 api.2ip.ua
47 api.2ip.ua
54 api.2ip.ua
56 api.2ip.ua
12 api.2ip.ua
13 api.2ip.ua
39 api.2ip.ua
55 api.2ip.ua
Drops file in Windows directory 1 IoCs

Processes:

explorer.exe

description ioc process

File created C:\Windows\rescache\_merged\2717123927\1713683155.pri explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4724 2236 WerFault.exe
5092 5024 WerFault.exe explorer.exe

flow	ioc
18	api.2ip.ua
36	api.2ip.ua
37	api.2ip.ua
47	api.2ip.ua
54	api.2ip.ua
56	api.2ip.ua
12	api.2ip.ua
13	api.2ip.ua
39	api.2ip.ua
55	api.2ip.ua

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1713683155.pri	explorer.exe

pid	pid_target	process	target process
4724	2236	WerFault.exe
5092	5024	WerFault.exe	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exeWerFault.exeWerFault.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

pid	process
4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1092	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1092	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1500	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1500	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
4724	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
5092	WerFault.exe
1532	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1532	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4772	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4772	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4952	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4952	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

WerFault.exeexplorer.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4724	WerFault.exe
Token: SeShutdownPrivilege	5024	explorer.exe
Token: SeCreatePagefilePrivilege	5024	explorer.exe
Token: SeShutdownPrivilege	5024	explorer.exe
Token: SeCreatePagefilePrivilege	5024	explorer.exe
Token: SeShutdownPrivilege	5024	explorer.exe
Token: SeCreatePagefilePrivilege	5024	explorer.exe
Token: SeShutdownPrivilege	5024	explorer.exe
Token: SeCreatePagefilePrivilege	5024	explorer.exe
Token: SeShutdownPrivilege	5024	explorer.exe
Token: SeCreatePagefilePrivilege	5024	explorer.exe
Token: SeDebugPrivilege	5092	WerFault.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

explorer.exe

pid process

5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
5024 explorer.exe
5024 explorer.exe

pid	process
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe

pid	process
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe
5024	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:4640

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 868 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4520 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3868

C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1532

C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1532 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3868 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2236 -s 7176
1⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Windows\explorer.exe
explorer.exe
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5024

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5024 -s 2056
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.kropun
MD5
08973c6103fe896a7802c9a2f8d01b9e

SHA1
f785bcd5ca3a0ea4d44ed47637e2f47c1e5ffd5d

SHA256
edae9a70e766f7c4a3d004045d580c5e8172264700119511723c83dc72aaed8d

SHA512
86b4180c7597264b150a71178bd7cc46cda52929815ca573205c066535687294961d93b90dfc5b5e2ecd59b979bbfaff9ce3d61c81d022e4bd7da22c1d457ad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
d823eeda7e2e77ce8f48bbbdbf872f72

SHA1
2036f108b49ccd101e86dbb64594877f484bc827

SHA256
f47188fa36cca192459fba05a15b61eb97f7899d1d084a77e8b49ef619f6e226

SHA512
32295de98d64ae5d8bc44b14e25d2604f145dad3e39ebee12d10de47c51caa9814c20c078fb851a7018e0b7746700dfae853e6fcc9f0b95c096aeaa5ab6eb718

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
c026f0cefed02193d3bf7078c32c1f4b

SHA1
74357c790437e708d6152492f14f9a308a41c1ee

SHA256
a2293aa5e0cba820827fe6cbecf5d053a12c5cd625971c6470a5fc5079b95d8e

SHA512
f0e718e04dbd20c150659251786bd363f5aceb0a789f6e03b84e43405aebd3487e682a9fdfaf68c9f55e260a632fde553d0c85f317dd80960aec547632f6874a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
59af3461c8fe2079e3ff862c64d4fbad

SHA1
3435d61e63064227e71bdf0378ce31a0a3e0efde

SHA256
b3684badb8c56346d6de415fffc6447422656563d0f0376b687dabdd6a23f24b

SHA512
d62b8b34ec95d06ed17fddbe1e217d2db87ddc9a1f0fac1ef532803c7813cec284f5b9a2ae6a745b608bce07dc074ce6957925566b8e4f9c4bcb2bee30b23338

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
a305307c7612564f8347a8e87dfbb7b5

SHA1
41e0d973f098ac2926f3b358de86861348c1ffb1

SHA256
7ca6ff86fe65b19b31c0aeb53501ff6b79df7f1c5466e26651ea3525ede0de89

SHA512
97d87f95e8155fc084dd6eaed8151bd7fbdcdbf504945c990b946696e1f3a6f6f5c52b850751b2fca59afa28db834fbff0c681e1f2add5f312faf4c0b06b4b03

Download Submit
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\Admin\AppData\Local\b9df14eb-f11b-41f1-aad6-8b4f24fb0725\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\Report.wer
MD5
51bdc6297e331ef82d97f0406ddcc608

SHA1
a63d4bd842692cce4b62cd52cfa8acce361f422d

SHA256
50ce6b8be662e2ed78df4adeb7e836d1cbc16f390601fadb253aa7c57fddf791

SHA512
381489231f1fb8cf9e9f495ffcba5c1bf479030800517e41366924449d9ba9ba1ffd1d2a4f9057e09079446964fadd2d5ecf3febdedb0437951b61e9e6cdaf11

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\WER3962.tmp.WERInternalMetadata.xml
MD5
88fe892e575a15fcbc783765f2ba9391

SHA1
3cdcc0e2a1c138630e7ed3fc61db14d0b66fc2b7

SHA256
8d323d94b17a3f2331277d3423a18592a68b37c39f1b8e3f16109b567d7afc9a

SHA512
ba822bfd5bd976bdd2fac16fa84137386a00eb3c468d8c104f32160d925a3cddab9c2b609b3158266ca1b1f8557e6cec29d6751cb2b164e4e27695d6f185dd42

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\WER3971.tmp.csv
MD5
99e5f73b73887917515c44918574294c

SHA1
dba8cf82e4eaa3d2943b7a98ba95ad6733b2ec13

SHA256
9b75d3f24d11ff481d58a42260aa2af15213ef7c590a9c66e8a36025118f426e

SHA512
471736af6849390cb1e1a12fbfd4ff786a79f303eea4f607519e51740708579e571208d605810c5cff237f4da9561757dfc41697e3bbbbbb34c00c20c99d576f

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\WER3982.tmp.txt
MD5
925d889192ce4a9ae56e5dba4073e1e8

SHA1
8bfeedd69847bebb0687f8120ddf209447cf5c8e

SHA256
b40a206642e9098c89f78755c96311fc26c7f1582d74eb028446fcb5a3447b24

SHA512
25488c2d0ea0ddee1f89dbec66047dfdcd8dc69abb1b295796b304e871686359263b4d0933f26650b364519c0e8194dc373cce7cf94fa4c301a2d254ef52583c

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\WER3ACB.tmp.appcompat.txt
MD5
eface37a5f6d83741bdd222c3ac88789

SHA1
cd417255730af80b55605c757f24e860ee9c7f01

SHA256
9e67a1e1e9b532095d442a9c467e9fc2c38cce9bfa4863046874c29574b8e366

SHA512
7ab26446b1686a5245b452156a994ba5a57585988e475909c3ecfdaa66eccf4cca93e1d16b28b3300ba24b3d1858a7edb408e59ccd88887ea049111a5f6a5880

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\memory.hdmp
MD5
3048612556cd09f8d386670586789157

SHA1
2a49e83ce85fd6f27f595f56d6662df3bdc232bf

SHA256
7f95436f207f58ae2fcd4c9c8db5870d7cb8d5af20964e1ff1f20953beabcafa

SHA512
bce6612b6c80664ead4ee78108af4acf78eec1901be1247b04e43a819d14f4bb8c21e9b0af38a0ed97aeb7018a46863ea221c9bcdb3dcd7759a9fdffb32d04f3

Download Submit
C:\Users\All Users\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_6b16a61a50e0401aa8778e92c6b6b2e2d2b85535_41822faa_cab_1d0c3b27\minidump.mdmp
MD5
891c849b977f4b7e00762a97407b766a

SHA1
e3552aa7987915ce533e2e7837a447ed92c429e2

SHA256
3a2822bd13e3520b4a5d4732984465fa5b1186d03d35d0b81f613d36dc25145d

SHA512
09d27c368738a54c629b24d81b58e8f8c3e98281db10e99a487d3aa01e6191c96a0bc71ea91e59c1de736b280d7d4b2cbb70b0b1ac759ee8a8ba6f09c5ac73e7

Download Submit
memory/868-129-0x0000000000000000-mapping.dmp

Download
memory/868-134-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1092-131-0x00000000005ED000-0x000000000061E000-memory.dmp

Filesize
196KB

Download
memory/1092-133-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1092-130-0x0000000000000000-mapping.dmp

Download
memory/1500-135-0x0000000000000000-mapping.dmp

Download
memory/1500-136-0x000000000052E000-0x000000000055F000-memory.dmp

Filesize
196KB

Download
memory/1500-137-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1532-154-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1532-142-0x0000000000000000-mapping.dmp

Download
memory/1532-153-0x00000000007AE000-0x00000000007DE000-memory.dmp

Filesize
192KB

Download
memory/3868-140-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3868-139-0x0000000000859000-0x0000000000889000-memory.dmp

Filesize
192KB

Download
memory/4388-118-0x00000000007B8000-0x00000000007E9000-memory.dmp

Filesize
196KB

Download
memory/4388-119-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4520-122-0x0000000000000000-mapping.dmp

Download
memory/4520-124-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4520-123-0x00000000006FD000-0x000000000072E000-memory.dmp

Filesize
196KB

Download
memory/4640-120-0x0000000000000000-mapping.dmp

Download
memory/4772-143-0x0000000000000000-mapping.dmp

Download
memory/4772-156-0x000000000077E000-0x00000000007AE000-memory.dmp

Filesize
192KB

Download
memory/4772-158-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4952-155-0x0000000000000000-mapping.dmp

Download
memory/4952-159-0x00000000005EE000-0x000000000061E000-memory.dmp

Filesize
192KB

Download
memory/4952-160-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download

description	pid	process	target process
PID 4388 wrote to memory of 4640	4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 4388 wrote to memory of 4640	4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 4388 wrote to memory of 4640	4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 4388 wrote to memory of 4520	4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4388 wrote to memory of 4520	4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4388 wrote to memory of 4520	4388	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4520 wrote to memory of 868	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4520 wrote to memory of 868	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4520 wrote to memory of 868	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4520 wrote to memory of 1092	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4520 wrote to memory of 1092	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4520 wrote to memory of 1092	4520	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 868 wrote to memory of 1500	868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 868 wrote to memory of 1500	868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 868 wrote to memory of 1500	868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3868 wrote to memory of 1532	3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3868 wrote to memory of 1532	3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3868 wrote to memory of 1532	3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3868 wrote to memory of 4772	3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3868 wrote to memory of 4772	3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3868 wrote to memory of 4772	3868	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1532 wrote to memory of 4952	1532	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1532 wrote to memory of 4952	1532	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1532 wrote to memory of 4952	1532	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe