glupteba | 15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b

Analysis

max time kernel
162s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
22-02-2022 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe
Size

8.0MB
MD5

061e587b37a9fd4d102a8114a953b9bf
SHA1

3b0b27abfdbffba42c9c40a84827e4fae336328e
SHA256

15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b
SHA512

68eacce09e458875d2c52729ba9b3a5dabe5933cc2f2236f8dd62ea18bd107c2cd2b6efaa26f2c38e74ff426ea9b08df5e4ddb03528853876b8ff7657631c767

Score

10^/10

glupteba metasploit onlylogger redline smokeloader socelars tofsee backdoor dropper evasion infostealer loader persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4036-171-0x0000000005190000-0x0000000005AB6000-memory.dmp	family_glupteba
behavioral2/memory/4036-172-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/3824-179-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/1124-253-0x0000000005700000-0x0000000006026000-memory.dmp	family_glupteba
behavioral2/memory/1124-254-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3628 3820 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3820	rUNdlL32.eXe

RedLine Payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2092-193-0x0000000000CC0000-0x0000000000EF1000-memory.dmp	family_redline
behavioral2/memory/2092-228-0x0000000000CC0000-0x0000000000EF1000-memory.dmp	family_redline
behavioral2/memory/2092-229-0x0000000000CC0000-0x0000000000EF1000-memory.dmp	family_redline
behavioral2/memory/2120-233-0x00000000006A0000-0x0000000000857000-memory.dmp	family_redline
behavioral2/memory/3572-242-0x00000000001F2000-0x0000000000225000-memory.dmp	family_redline
behavioral2/memory/3572-247-0x00000000001F0000-0x00000000002E4000-memory.dmp	family_redline
behavioral2/memory/3572-245-0x00000000001F0000-0x00000000002E4000-memory.dmp	family_redline
behavioral2/memory/2120-241-0x00000000006A0000-0x0000000000857000-memory.dmp	family_redline
behavioral2/memory/3572-234-0x00000000001F0000-0x00000000002E4000-memory.dmp	family_redline
behavioral2/memory/2092-263-0x0000000000CC2000-0x0000000000CF8000-memory.dmp	family_redline
behavioral2/memory/2120-270-0x00000000006A2000-0x00000000006D7000-memory.dmp	family_redline
behavioral2/memory/2120-231-0x00000000006A0000-0x0000000000857000-memory.dmp	family_redline
behavioral2/memory/3572-232-0x00000000001F0000-0x00000000002E4000-memory.dmp	family_redline
behavioral2/memory/3844-342-0x0000000003B00000-0x0000000003B2F000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.execmd.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2028 created 400	2028	WerFault.exe	rundll32.exe
PID 4280 created 3912	4280	WerFault.exe	IOHJ5kPN2vegyB6O0_sGJgtb.exe
PID 4288 created 3844	4288	WerFault.exe	e8QM3IM6YbvuqXU3g1CpAiDE.exe
PID 4368 created 3180	4368	cmd.exe	VQki5onfxaB4Pas5qA4uUTeT.exe
PID 4348 created 2692	4348	WerFault.exe	t9Uml7aB5vBCc4ksxjlw_X9f.exe
PID 4664 created 780	4664	WerFault.exe	VajOlnIG9M2SZJBC__7vNsd8.exe
PID 4988 created 780	4988	WerFault.exe	VajOlnIG9M2SZJBC__7vNsd8.exe
PID 460 created 780	460	WerFault.exe	VajOlnIG9M2SZJBC__7vNsd8.exe
PID 3352 created 780	3352	WerFault.exe	VajOlnIG9M2SZJBC__7vNsd8.exe

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/780-252-0x0000000000400000-0x0000000000447000-memory.dmp	family_onlylogger
behavioral2/memory/780-256-0x0000000001AE0000-0x0000000001B24000-memory.dmp	family_onlylogger

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 43 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeInstall.exeFolder.exeFiles.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeInfo.exeKUBHoCoKzLQ8FxQHEAnf_DFC.execsrss.exeVajOlnIG9M2SZJBC__7vNsd8.exenogLpji0lAhn1sZJTNs3GnQL.exeyqeN9ef1716h737PHSbAKH_w.exerT5DiRsu2Qx1Ql_GnXaKaL_2.exeukFBaazk6UuXdhEc0khcJKAr.exeJAlg1tJu7fS473GdaDUzFrew.exeonlWmWW_bbmOfrGOC_gIe3pW.exeqjJZiH1TOix237oHq0qrYl6h.exeAyQCaOs0j1N8eAXuTD6x77uC.exeiClpPs59Gr5MJlD3NnYcwlaL.exee8QM3IM6YbvuqXU3g1CpAiDE.exeMMOVYqpV2YNmB_s43DIu2TkG.exems8hFgiPP5jHXegy535Ghzst.exeaPRDwFlyHH_YADW_P0sL6fgD.exe98tqHz26u601w1XQ3e_ycTZG.exeOTec8MDuJee6gIdKBsgfL7i6.exet9Uml7aB5vBCc4ksxjlw_X9f.exeIOHJ5kPN2vegyB6O0_sGJgtb.exeVQki5onfxaB4Pas5qA4uUTeT.exeBLnKBKdbblara1PO5yrSoBiM.exeQsIbisvnF9gAh7kCncnPvSxt.exeXVMtJGRdM_pjGbsQaSJLFP3e.exeInstall.exepr9dGc3734rqDZKzchIC_fHm.exeaPRDwFlyHH_YADW_P0sL6fgD.exeMMOVYqpV2YNmB_s43DIu2TkG.exeInstall.exeVRigXNGJ2WoUp_WDZj1yiIja.exe

pid	process
2976	SoCleanInst.exe
1488	md9_1sjm.exe
568	Folder.exe
4036	Info.exe
3548	Updbdate.exe
4032	Install.exe
2132	Folder.exe
2520	Files.exe
828	pub2.exe
928	File.exe
3492	jfiag3g_gg.exe
3008	jfiag3g_gg.exe
3824	Info.exe
3288	KUBHoCoKzLQ8FxQHEAnf_DFC.exe
1124	csrss.exe
780	VajOlnIG9M2SZJBC__7vNsd8.exe
3580	nogLpji0lAhn1sZJTNs3GnQL.exe
2092	yqeN9ef1716h737PHSbAKH_w.exe
664	rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
1396	ukFBaazk6UuXdhEc0khcJKAr.exe
4056	JAlg1tJu7fS473GdaDUzFrew.exe
3920	onlWmWW_bbmOfrGOC_gIe3pW.exe
1960	qjJZiH1TOix237oHq0qrYl6h.exe
3604	AyQCaOs0j1N8eAXuTD6x77uC.exe
2992	iClpPs59Gr5MJlD3NnYcwlaL.exe
3844	e8QM3IM6YbvuqXU3g1CpAiDE.exe
740	MMOVYqpV2YNmB_s43DIu2TkG.exe
3768	ms8hFgiPP5jHXegy535Ghzst.exe
3308	aPRDwFlyHH_YADW_P0sL6fgD.exe
2916	98tqHz26u601w1XQ3e_ycTZG.exe
3572	OTec8MDuJee6gIdKBsgfL7i6.exe
2692	t9Uml7aB5vBCc4ksxjlw_X9f.exe
3912	IOHJ5kPN2vegyB6O0_sGJgtb.exe
3180	VQki5onfxaB4Pas5qA4uUTeT.exe
2120	BLnKBKdbblara1PO5yrSoBiM.exe
376	QsIbisvnF9gAh7kCncnPvSxt.exe
4456	XVMtJGRdM_pjGbsQaSJLFP3e.exe
4500	Install.exe
4792	pr9dGc3734rqDZKzchIC_fHm.exe
4896	aPRDwFlyHH_YADW_P0sL6fgD.exe
4352	MMOVYqpV2YNmB_s43DIu2TkG.exe
4788	Install.exe
4976	VRigXNGJ2WoUp_WDZj1yiIja.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\ms8hFgiPP5jHXegy535Ghzst.exe	upx
C:\Users\Admin\Pictures\Adobe Films\ms8hFgiPP5jHXegy535Ghzst.exe	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XVMtJGRdM_pjGbsQaSJLFP3e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XVMtJGRdM_pjGbsQaSJLFP3e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XVMtJGRdM_pjGbsQaSJLFP3e.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exeFolder.exeFile.exerT5DiRsu2Qx1Ql_GnXaKaL_2.exe98tqHz26u601w1XQ3e_ycTZG.exepr9dGc3734rqDZKzchIC_fHm.exeiClpPs59Gr5MJlD3NnYcwlaL.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	98tqHz26u601w1XQ3e_ycTZG.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	pr9dGc3734rqDZKzchIC_fHm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	iClpPs59Gr5MJlD3NnYcwlaL.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exeonlWmWW_bbmOfrGOC_gIe3pW.exe

pid process

400 rundll32.exe
3920 onlWmWW_bbmOfrGOC_gIe3pW.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
400	rundll32.exe
3920	onlWmWW_bbmOfrGOC_gIe3pW.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4456-292-0x0000000000E20000-0x00000000011E3000-memory.dmp	themida
behavioral2/memory/4456-296-0x0000000000E20000-0x00000000011E3000-memory.dmp	themida

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LingeringViolet = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md9_1sjm.exeXVMtJGRdM_pjGbsQaSJLFP3e.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XVMtJGRdM_pjGbsQaSJLFP3e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

260 ipinfo.io
50 ip-api.com
120 ipinfo.io
121 ipinfo.io
240 ipinfo.io
259 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

yqeN9ef1716h737PHSbAKH_w.exeBLnKBKdbblara1PO5yrSoBiM.exeOTec8MDuJee6gIdKBsgfL7i6.exeXVMtJGRdM_pjGbsQaSJLFP3e.exe

pid process

2092 yqeN9ef1716h737PHSbAKH_w.exe
2120 BLnKBKdbblara1PO5yrSoBiM.exe
3572 OTec8MDuJee6gIdKBsgfL7i6.exe
4456 XVMtJGRdM_pjGbsQaSJLFP3e.exe

flow	ioc
260	ipinfo.io
50	ip-api.com
120	ipinfo.io
121	ipinfo.io
240	ipinfo.io
259	ipinfo.io

pid	process
2092	yqeN9ef1716h737PHSbAKH_w.exe
2120	BLnKBKdbblara1PO5yrSoBiM.exe
3572	OTec8MDuJee6gIdKBsgfL7i6.exe
4456	XVMtJGRdM_pjGbsQaSJLFP3e.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

aPRDwFlyHH_YADW_P0sL6fgD.exeMMOVYqpV2YNmB_s43DIu2TkG.exe

description	pid	process	target process
PID 3308 set thread context of 4896	3308	aPRDwFlyHH_YADW_P0sL6fgD.exe	aPRDwFlyHH_YADW_P0sL6fgD.exe
PID 740 set thread context of 4352	740	MMOVYqpV2YNmB_s43DIu2TkG.exe	MMOVYqpV2YNmB_s43DIu2TkG.exe

Drops file in Program Files directory 2 IoCs

Processes:

rT5DiRsu2Qx1Ql_GnXaKaL_2.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	rT5DiRsu2Qx1Ql_GnXaKaL_2.exe

Drops file in Windows directory 3 IoCs

Processes:

WerFault.exeInfo.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 43 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3004	400	WerFault.exe	rundll32.exe
4068	400	WerFault.exe	rundll32.exe
2072	4036	WerFault.exe	Info.exe
1800	4036	WerFault.exe	Info.exe
3744	4036	WerFault.exe	Info.exe
3488	4036	WerFault.exe	Info.exe
3888	4036	WerFault.exe	Info.exe
3228	4036	WerFault.exe	Info.exe
1940	4036	WerFault.exe	Info.exe
2072	4036	WerFault.exe	Info.exe
1800	4036	WerFault.exe	Info.exe
776	4036	WerFault.exe	Info.exe
2440	4036	WerFault.exe	Info.exe
2132	4036	WerFault.exe	Info.exe
3492	4036	WerFault.exe	Info.exe
2612	4036	WerFault.exe	Info.exe
3888	4036	WerFault.exe	Info.exe
3944	4036	WerFault.exe	Info.exe
3572	4036	WerFault.exe	Info.exe
2072	4036	WerFault.exe	Info.exe
3288	4036	WerFault.exe	Info.exe
664	4036	WerFault.exe	Info.exe
3864	3824	WerFault.exe	Info.exe
1784	3824	WerFault.exe	Info.exe
432	3824	WerFault.exe	Info.exe
1664	3824	WerFault.exe	Info.exe
556	3824	WerFault.exe	Info.exe
3428	3824	WerFault.exe	Info.exe
3060	3824	WerFault.exe	Info.exe
2780	3824	WerFault.exe	Info.exe
3308	3824	WerFault.exe	Info.exe
332	3824	WerFault.exe	Info.exe
2968	3824	WerFault.exe	Info.exe
3484	3824	WerFault.exe	Info.exe
1800	3824	WerFault.exe	Info.exe
664	3824	WerFault.exe	Info.exe
740	3824	WerFault.exe	Info.exe
1940	3824	WerFault.exe	Info.exe
4520	3844	WerFault.exe	e8QM3IM6YbvuqXU3g1CpAiDE.exe
4508	3912	WerFault.exe	IOHJ5kPN2vegyB6O0_sGJgtb.exe
4748	2692	WerFault.exe	t9Uml7aB5vBCc4ksxjlw_X9f.exe
4740	3180	WerFault.exe	VQki5onfxaB4Pas5qA4uUTeT.exe
4328	780	WerFault.exe	VajOlnIG9M2SZJBC__7vNsd8.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aPRDwFlyHH_YADW_P0sL6fgD.exepub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aPRDwFlyHH_YADW_P0sL6fgD.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aPRDwFlyHH_YADW_P0sL6fgD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aPRDwFlyHH_YADW_P0sL6fgD.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

5092 schtasks.exe
4948 schtasks.exe

pid	process
5092	schtasks.exe
4948	schtasks.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3572 taskkill.exe

pid	process
3572	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Info.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

File.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	File.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	File.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
828	pub2.exe
828	pub2.exe
3008	jfiag3g_gg.exe
3008	jfiag3g_gg.exe
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416
2416

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2416
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exeaPRDwFlyHH_YADW_P0sL6fgD.exe

pid process

828 pub2.exe
4896 aPRDwFlyHH_YADW_P0sL6fgD.exe

pid	process
2416

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeSoCleanInst.exetaskkill.exeWerFault.exemd9_1sjm.exe

description	pid	process
Token: SeCreateTokenPrivilege	4032	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4032	Install.exe
Token: SeLockMemoryPrivilege	4032	Install.exe
Token: SeIncreaseQuotaPrivilege	4032	Install.exe
Token: SeMachineAccountPrivilege	4032	Install.exe
Token: SeTcbPrivilege	4032	Install.exe
Token: SeSecurityPrivilege	4032	Install.exe
Token: SeTakeOwnershipPrivilege	4032	Install.exe
Token: SeLoadDriverPrivilege	4032	Install.exe
Token: SeSystemProfilePrivilege	4032	Install.exe
Token: SeSystemtimePrivilege	4032	Install.exe
Token: SeProfSingleProcessPrivilege	4032	Install.exe
Token: SeIncBasePriorityPrivilege	4032	Install.exe
Token: SeCreatePagefilePrivilege	4032	Install.exe
Token: SeCreatePermanentPrivilege	4032	Install.exe
Token: SeBackupPrivilege	4032	Install.exe
Token: SeRestorePrivilege	4032	Install.exe
Token: SeShutdownPrivilege	4032	Install.exe
Token: SeDebugPrivilege	4032	Install.exe
Token: SeAuditPrivilege	4032	Install.exe
Token: SeSystemEnvironmentPrivilege	4032	Install.exe
Token: SeChangeNotifyPrivilege	4032	Install.exe
Token: SeRemoteShutdownPrivilege	4032	Install.exe
Token: SeUndockPrivilege	4032	Install.exe
Token: SeSyncAgentPrivilege	4032	Install.exe
Token: SeEnableDelegationPrivilege	4032	Install.exe
Token: SeManageVolumePrivilege	4032	Install.exe
Token: SeImpersonatePrivilege	4032	Install.exe
Token: SeCreateGlobalPrivilege	4032	Install.exe
Token: 31	4032	Install.exe
Token: 32	4032	Install.exe
Token: 33	4032	Install.exe
Token: 34	4032	Install.exe
Token: 35	4032	Install.exe
Token: SeDebugPrivilege	2976	SoCleanInst.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeRestorePrivilege	3004	WerFault.exe
Token: SeBackupPrivilege	3004	WerFault.exe
Token: SeBackupPrivilege	3004	WerFault.exe
Token: SeManageVolumePrivilege	1488	md9_1sjm.exe
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416
Token: SeShutdownPrivilege	2416
Token: SeCreatePagefilePrivilege	2416

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

rT5DiRsu2Qx1Ql_GnXaKaL_2.exeyqeN9ef1716h737PHSbAKH_w.exenogLpji0lAhn1sZJTNs3GnQL.exeVajOlnIG9M2SZJBC__7vNsd8.exe98tqHz26u601w1XQ3e_ycTZG.exeiClpPs59Gr5MJlD3NnYcwlaL.exeaPRDwFlyHH_YADW_P0sL6fgD.exeJAlg1tJu7fS473GdaDUzFrew.exeukFBaazk6UuXdhEc0khcJKAr.exeMMOVYqpV2YNmB_s43DIu2TkG.exeIOHJ5kPN2vegyB6O0_sGJgtb.exeonlWmWW_bbmOfrGOC_gIe3pW.exeBLnKBKdbblara1PO5yrSoBiM.exeOTec8MDuJee6gIdKBsgfL7i6.exet9Uml7aB5vBCc4ksxjlw_X9f.exeVQki5onfxaB4Pas5qA4uUTeT.exeInstall.exepr9dGc3734rqDZKzchIC_fHm.exeXVMtJGRdM_pjGbsQaSJLFP3e.exeMMOVYqpV2YNmB_s43DIu2TkG.exeInstall.exee8QM3IM6YbvuqXU3g1CpAiDE.exe

pid	process
664	rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
2092	yqeN9ef1716h737PHSbAKH_w.exe
3580	nogLpji0lAhn1sZJTNs3GnQL.exe
780	VajOlnIG9M2SZJBC__7vNsd8.exe
2916	98tqHz26u601w1XQ3e_ycTZG.exe
2992	iClpPs59Gr5MJlD3NnYcwlaL.exe
3308	aPRDwFlyHH_YADW_P0sL6fgD.exe
4056	JAlg1tJu7fS473GdaDUzFrew.exe
1396	ukFBaazk6UuXdhEc0khcJKAr.exe
740	MMOVYqpV2YNmB_s43DIu2TkG.exe
3912	IOHJ5kPN2vegyB6O0_sGJgtb.exe
3920	onlWmWW_bbmOfrGOC_gIe3pW.exe
2120	BLnKBKdbblara1PO5yrSoBiM.exe
3572	OTec8MDuJee6gIdKBsgfL7i6.exe
2692	t9Uml7aB5vBCc4ksxjlw_X9f.exe
3180	VQki5onfxaB4Pas5qA4uUTeT.exe
4500	Install.exe
4792	pr9dGc3734rqDZKzchIC_fHm.exe
4456	XVMtJGRdM_pjGbsQaSJLFP3e.exe
4352	MMOVYqpV2YNmB_s43DIu2TkG.exe
4788	Install.exe
3844	e8QM3IM6YbvuqXU3g1CpAiDE.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exeFolder.exeFiles.exerUNdlL32.eXeInstall.execmd.exeWerFault.exerundll32.exeInfo.execmd.exeFile.exe

description	pid	process	target process
PID 3240 wrote to memory of 2976	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	SoCleanInst.exe
PID 3240 wrote to memory of 2976	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	SoCleanInst.exe
PID 3240 wrote to memory of 1488	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	md9_1sjm.exe
PID 3240 wrote to memory of 1488	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	md9_1sjm.exe
PID 3240 wrote to memory of 1488	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	md9_1sjm.exe
PID 3240 wrote to memory of 568	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Folder.exe
PID 3240 wrote to memory of 568	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Folder.exe
PID 3240 wrote to memory of 568	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Folder.exe
PID 3240 wrote to memory of 4036	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Info.exe
PID 3240 wrote to memory of 4036	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Info.exe
PID 3240 wrote to memory of 4036	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Info.exe
PID 3240 wrote to memory of 3548	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Updbdate.exe
PID 3240 wrote to memory of 3548	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Updbdate.exe
PID 3240 wrote to memory of 3548	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Updbdate.exe
PID 3240 wrote to memory of 4032	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Install.exe
PID 3240 wrote to memory of 4032	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Install.exe
PID 3240 wrote to memory of 4032	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Install.exe
PID 568 wrote to memory of 2132	568	Folder.exe	Folder.exe
PID 568 wrote to memory of 2132	568	Folder.exe	Folder.exe
PID 568 wrote to memory of 2132	568	Folder.exe	Folder.exe
PID 3240 wrote to memory of 2520	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Files.exe
PID 3240 wrote to memory of 2520	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Files.exe
PID 3240 wrote to memory of 2520	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	Files.exe
PID 3240 wrote to memory of 828	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	pub2.exe
PID 3240 wrote to memory of 828	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	pub2.exe
PID 3240 wrote to memory of 828	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	pub2.exe
PID 3240 wrote to memory of 928	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	File.exe
PID 3240 wrote to memory of 928	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	File.exe
PID 3240 wrote to memory of 928	3240	15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe	File.exe
PID 2520 wrote to memory of 3492	2520	Files.exe	jfiag3g_gg.exe
PID 2520 wrote to memory of 3492	2520	Files.exe	jfiag3g_gg.exe
PID 2520 wrote to memory of 3492	2520	Files.exe	jfiag3g_gg.exe
PID 3628 wrote to memory of 400	3628	rUNdlL32.eXe	rundll32.exe
PID 3628 wrote to memory of 400	3628	rUNdlL32.eXe	rundll32.exe
PID 3628 wrote to memory of 400	3628	rUNdlL32.eXe	rundll32.exe
PID 4032 wrote to memory of 636	4032	Install.exe	cmd.exe
PID 4032 wrote to memory of 636	4032	Install.exe	cmd.exe
PID 4032 wrote to memory of 636	4032	Install.exe	cmd.exe
PID 636 wrote to memory of 3572	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 3572	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 3572	636	cmd.exe	taskkill.exe
PID 2028 wrote to memory of 400	2028	WerFault.exe	rundll32.exe
PID 2028 wrote to memory of 400	2028	WerFault.exe	rundll32.exe
PID 2520 wrote to memory of 3008	2520	Files.exe	jfiag3g_gg.exe
PID 2520 wrote to memory of 3008	2520	Files.exe	jfiag3g_gg.exe
PID 2520 wrote to memory of 3008	2520	Files.exe	jfiag3g_gg.exe
PID 400 wrote to memory of 3004	400	rundll32.exe	WerFault.exe
PID 400 wrote to memory of 3004	400	rundll32.exe	WerFault.exe
PID 400 wrote to memory of 3004	400	rundll32.exe	WerFault.exe
PID 3824 wrote to memory of 380	3824	Info.exe	cmd.exe
PID 3824 wrote to memory of 380	3824	Info.exe	cmd.exe
PID 380 wrote to memory of 1844	380	cmd.exe	netsh.exe
PID 380 wrote to memory of 1844	380	cmd.exe	netsh.exe
PID 928 wrote to memory of 3288	928	File.exe	KUBHoCoKzLQ8FxQHEAnf_DFC.exe
PID 928 wrote to memory of 3288	928	File.exe	KUBHoCoKzLQ8FxQHEAnf_DFC.exe
PID 3824 wrote to memory of 1124	3824	Info.exe	csrss.exe
PID 3824 wrote to memory of 1124	3824	Info.exe	csrss.exe
PID 3824 wrote to memory of 1124	3824	Info.exe	csrss.exe
PID 928 wrote to memory of 780	928	File.exe	VajOlnIG9M2SZJBC__7vNsd8.exe
PID 928 wrote to memory of 780	928	File.exe	VajOlnIG9M2SZJBC__7vNsd8.exe
PID 928 wrote to memory of 780	928	File.exe	VajOlnIG9M2SZJBC__7vNsd8.exe
PID 928 wrote to memory of 3580	928	File.exe	nogLpji0lAhn1sZJTNs3GnQL.exe
PID 928 wrote to memory of 3580	928	File.exe	nogLpji0lAhn1sZJTNs3GnQL.exe
PID 928 wrote to memory of 3580	928	File.exe	nogLpji0lAhn1sZJTNs3GnQL.exe

C:\Users\Admin\AppData\Local\Temp\15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe
"C:\Users\Admin\AppData\Local\Temp\15adc87b07168a4d4f58816cddf9a6e5b2c9af22e2bf6acb029686cee658e60b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:568

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 372
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 396
3⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 612
3⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 696
3⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 696
3⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 696
3⤵
- Program crash
PID:3228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 752
3⤵
- Program crash
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 744
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 760
3⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 716
3⤵
- Program crash
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 716
3⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 696
3⤵
- Program crash
PID:2132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 748
3⤵
- Program crash
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 632
3⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 632
3⤵
- Program crash
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 604
3⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 876
3⤵
- Program crash
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 908
3⤵
- Program crash
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 616
3⤵
- Program crash
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 840
3⤵
- Program crash
PID:664

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 332
4⤵
- Program crash
PID:3864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 336
4⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 336
4⤵
- Program crash
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 636
4⤵
- Program crash
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 672
4⤵
- Program crash
PID:556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 672
4⤵
- Program crash
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 700
4⤵
- Program crash
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 708
4⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 600
4⤵
- Program crash
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 572
4⤵
- Program crash
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 576
4⤵
- Program crash
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 872
4⤵
- Program crash
PID:3484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 752
4⤵
- Program crash
PID:1800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 872
4⤵
- Program crash
PID:664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 888
4⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 572
4⤵
- Program crash
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:380

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:1844

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:3548

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3008

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:828

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:928

C:\Users\Admin\Pictures\Adobe Films\KUBHoCoKzLQ8FxQHEAnf_DFC.exe
"C:\Users\Admin\Pictures\Adobe Films\KUBHoCoKzLQ8FxQHEAnf_DFC.exe"
3⤵
- Executes dropped EXE
PID:3288

C:\Users\Admin\Pictures\Adobe Films\nogLpji0lAhn1sZJTNs3GnQL.exe
"C:\Users\Admin\Pictures\Adobe Films\nogLpji0lAhn1sZJTNs3GnQL.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Users\Admin\Pictures\Adobe Films\VajOlnIG9M2SZJBC__7vNsd8.exe
"C:\Users\Admin\Pictures\Adobe Films\VajOlnIG9M2SZJBC__7vNsd8.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 876
4⤵
- Program crash
PID:4328

C:\Users\Admin\Pictures\Adobe Films\rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
"C:\Users\Admin\Pictures\Adobe Films\rT5DiRsu2Qx1Ql_GnXaKaL_2.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:664

C:\Users\Admin\Documents\pr9dGc3734rqDZKzchIC_fHm.exe
"C:\Users\Admin\Documents\pr9dGc3734rqDZKzchIC_fHm.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Users\Admin\Pictures\Adobe Films\VRigXNGJ2WoUp_WDZj1yiIja.exe
"C:\Users\Admin\Pictures\Adobe Films\VRigXNGJ2WoUp_WDZj1yiIja.exe"
5⤵
- Executes dropped EXE
PID:4976

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4948

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5092

C:\Users\Admin\Pictures\Adobe Films\ukFBaazk6UuXdhEc0khcJKAr.exe
"C:\Users\Admin\Pictures\Adobe Films\ukFBaazk6UuXdhEc0khcJKAr.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Users\Admin\AppData\Local\Temp\7zSDBA.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Users\Admin\AppData\Local\Temp\7zS2932.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Users\Admin\Pictures\Adobe Films\yqeN9ef1716h737PHSbAKH_w.exe
"C:\Users\Admin\Pictures\Adobe Films\yqeN9ef1716h737PHSbAKH_w.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Users\Admin\Pictures\Adobe Films\MMOVYqpV2YNmB_s43DIu2TkG.exe
"C:\Users\Admin\Pictures\Adobe Films\MMOVYqpV2YNmB_s43DIu2TkG.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:740

C:\Users\Admin\Pictures\Adobe Films\MMOVYqpV2YNmB_s43DIu2TkG.exe
"C:\Users\Admin\Pictures\Adobe Films\MMOVYqpV2YNmB_s43DIu2TkG.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4352

C:\Users\Admin\Pictures\Adobe Films\e8QM3IM6YbvuqXU3g1CpAiDE.exe
"C:\Users\Admin\Pictures\Adobe Films\e8QM3IM6YbvuqXU3g1CpAiDE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 424
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4520

C:\Users\Admin\Pictures\Adobe Films\iClpPs59Gr5MJlD3NnYcwlaL.exe
"C:\Users\Admin\Pictures\Adobe Films\iClpPs59Gr5MJlD3NnYcwlaL.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
4⤵
PID:4936

C:\Users\Admin\Pictures\Adobe Films\qjJZiH1TOix237oHq0qrYl6h.exe
"C:\Users\Admin\Pictures\Adobe Films\qjJZiH1TOix237oHq0qrYl6h.exe"
3⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\Pictures\Adobe Films\AyQCaOs0j1N8eAXuTD6x77uC.exe
"C:\Users\Admin\Pictures\Adobe Films\AyQCaOs0j1N8eAXuTD6x77uC.exe"
3⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\Pictures\Adobe Films\onlWmWW_bbmOfrGOC_gIe3pW.exe
"C:\Users\Admin\Pictures\Adobe Films\onlWmWW_bbmOfrGOC_gIe3pW.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Users\Admin\Pictures\Adobe Films\JAlg1tJu7fS473GdaDUzFrew.exe
"C:\Users\Admin\Pictures\Adobe Films\JAlg1tJu7fS473GdaDUzFrew.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4056

C:\Users\Admin\Pictures\Adobe Films\ms8hFgiPP5jHXegy535Ghzst.exe
"C:\Users\Admin\Pictures\Adobe Films\ms8hFgiPP5jHXegy535Ghzst.exe"
3⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\Pictures\Adobe Films\98tqHz26u601w1XQ3e_ycTZG.exe
"C:\Users\Admin\Pictures\Adobe Films\98tqHz26u601w1XQ3e_ycTZG.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eawdrsny\
4⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hkazsube.exe" C:\Windows\SysWOW64\eawdrsny\
4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4368

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create eawdrsny binPath= "C:\Windows\SysWOW64\eawdrsny\hkazsube.exe /d\"C:\Users\Admin\Pictures\Adobe Films\98tqHz26u601w1XQ3e_ycTZG.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:4336

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description eawdrsny "wifi internet conection"
4⤵
PID:4724

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start eawdrsny
4⤵
PID:664

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:1932

C:\Users\Admin\Pictures\Adobe Films\t9Uml7aB5vBCc4ksxjlw_X9f.exe
"C:\Users\Admin\Pictures\Adobe Films\t9Uml7aB5vBCc4ksxjlw_X9f.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 464
4⤵
- Program crash
PID:4748

C:\Users\Admin\Pictures\Adobe Films\IOHJ5kPN2vegyB6O0_sGJgtb.exe
"C:\Users\Admin\Pictures\Adobe Films\IOHJ5kPN2vegyB6O0_sGJgtb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 464
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4508

C:\Users\Admin\Pictures\Adobe Films\OTec8MDuJee6gIdKBsgfL7i6.exe
"C:\Users\Admin\Pictures\Adobe Films\OTec8MDuJee6gIdKBsgfL7i6.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3572

C:\Users\Admin\Pictures\Adobe Films\VQki5onfxaB4Pas5qA4uUTeT.exe
"C:\Users\Admin\Pictures\Adobe Films\VQki5onfxaB4Pas5qA4uUTeT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 464
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4740

C:\Users\Admin\Pictures\Adobe Films\aPRDwFlyHH_YADW_P0sL6fgD.exe
"C:\Users\Admin\Pictures\Adobe Films\aPRDwFlyHH_YADW_P0sL6fgD.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Users\Admin\Pictures\Adobe Films\aPRDwFlyHH_YADW_P0sL6fgD.exe
"C:\Users\Admin\Pictures\Adobe Films\aPRDwFlyHH_YADW_P0sL6fgD.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4896

C:\Users\Admin\Pictures\Adobe Films\BLnKBKdbblara1PO5yrSoBiM.exe
"C:\Users\Admin\Pictures\Adobe Films\BLnKBKdbblara1PO5yrSoBiM.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Users\Admin\Pictures\Adobe Films\QsIbisvnF9gAh7kCncnPvSxt.exe
"C:\Users\Admin\Pictures\Adobe Films\QsIbisvnF9gAh7kCncnPvSxt.exe"
3⤵
- Executes dropped EXE
PID:376

C:\Users\Admin\Pictures\Adobe Films\XVMtJGRdM_pjGbsQaSJLFP3e.exe
"C:\Users\Admin\Pictures\Adobe Films\XVMtJGRdM_pjGbsQaSJLFP3e.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4036 -ip 4036
1⤵
PID:3964

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 612
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 612
3⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 400 -ip 400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4036 -ip 4036
1⤵
PID:2976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4036 -ip 4036
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4036 -ip 4036
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4036 -ip 4036
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4036 -ip 4036
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4036 -ip 4036
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4036 -ip 4036
1⤵
PID:828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4036 -ip 4036
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4036 -ip 4036
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4036 -ip 4036
1⤵
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4036 -ip 4036
1⤵
PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4036 -ip 4036
1⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4036 -ip 4036
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4036 -ip 4036
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4036 -ip 4036
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4036 -ip 4036
1⤵
PID:320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4036 -ip 4036
1⤵
PID:3104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4036 -ip 4036
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4036 -ip 4036
1⤵
PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4036 -ip 4036
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3824 -ip 3824
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3824 -ip 3824
1⤵
PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3824 -ip 3824
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3824 -ip 3824
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3824 -ip 3824
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3824 -ip 3824
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3824 -ip 3824
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3824 -ip 3824
1⤵
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3824 -ip 3824
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3824 -ip 3824
1⤵
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3824 -ip 3824
1⤵
PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3824 -ip 3824
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3824 -ip 3824
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3824 -ip 3824
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3824 -ip 3824
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3824 -ip 3824
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3912 -ip 3912
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3844 -ip 3844
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 780 -ip 780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3180 -ip 3180
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1124 -ip 1124
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2692 -ip 2692
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 780 -ip 780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1124 -ip 1124
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 780 -ip 780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1124 -ip 1124
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 780 -ip 780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1124 -ip 1124
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 740 -ip 740
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1124 -ip 1124
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
dfede6e50c61011cfe29802e683f33a4

SHA1
017d32942cec968210254e714e88fd285d1860e0

SHA256
3947b99aaef76941375a3a79ee4011415f98170b8c71a19f2e46d76ef75916d7

SHA512
d60932c06da195d1c78b397aa4a3ebf7c7fecc17a74ad1598fef8a6efc7d649b6e015c8d38419927cd707af4bffd3e5ce250f751aa1bf499586d94d0d74b08fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e82c2a867c605e20cb431ac113319fdb

SHA1
0bcbb754b4ad68eff09930a6f52867c08a7b9b91

SHA256
6713bae239132d875e9471544546089870086b851d8235f2b5f8350cfaa4b121

SHA512
6a6e4a8a3933ddd983fde6307616a95592b0d77921de1b2b12a0c90d03a9b8d02a733f362d1c4ef79e3e37e0a25c8b015c639be0bfff2e7719bfd9ab4579f657

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e82c2a867c605e20cb431ac113319fdb

SHA1
0bcbb754b4ad68eff09930a6f52867c08a7b9b91

SHA256
6713bae239132d875e9471544546089870086b851d8235f2b5f8350cfaa4b121

SHA512
6a6e4a8a3933ddd983fde6307616a95592b0d77921de1b2b12a0c90d03a9b8d02a733f362d1c4ef79e3e37e0a25c8b015c639be0bfff2e7719bfd9ab4579f657

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
00cf91126f35585f9e7cbf85749d8464

SHA1
3b89f67359b9a70bb5cada28d7e7c64905fb7fdc

SHA256
dbe8485ef525324d4f329e50a8391401b2c5fd31c75e0ed5e4a06ca0d026651b

SHA512
7a81fdb1832feb8041199258cfd673e90fe6c58e90dd284a38157b6d166fa702051476942844bf8782264d674cfabb7ab2884c058c1aaec9911bd97a349e5643

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
00cf91126f35585f9e7cbf85749d8464

SHA1
3b89f67359b9a70bb5cada28d7e7c64905fb7fdc

SHA256
dbe8485ef525324d4f329e50a8391401b2c5fd31c75e0ed5e4a06ca0d026651b

SHA512
7a81fdb1832feb8041199258cfd673e90fe6c58e90dd284a38157b6d166fa702051476942844bf8782264d674cfabb7ab2884c058c1aaec9911bd97a349e5643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
eff2c125aae62012daf45c675a99f1f4

SHA1
ae4e5f4800a0c381f0e5302bed57fc0c82a3f64f

SHA256
9ffb007f09ffd11d3bf8bcfe4d84ac624141b4003028b4aa8803555ccbd8715e

SHA512
6863c86c626a079271b47ab075bcdba9efb1a9b2fc08df6d34261b78ea291d045f4996ea8e497b8c1ac141af8362aaa6dcd8b06843c2872ca98e7809a66129e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
eff2c125aae62012daf45c675a99f1f4

SHA1
ae4e5f4800a0c381f0e5302bed57fc0c82a3f64f

SHA256
9ffb007f09ffd11d3bf8bcfe4d84ac624141b4003028b4aa8803555ccbd8715e

SHA512
6863c86c626a079271b47ab075bcdba9efb1a9b2fc08df6d34261b78ea291d045f4996ea8e497b8c1ac141af8362aaa6dcd8b06843c2872ca98e7809a66129e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
9178e18ea08b783eb2b750c98c3b5a60

SHA1
110057c868ad2ea447322271a5f25967b8b86849

SHA256
460cf0c410480cdc387879b8ee39f59c7f32f9ca791e47797d229410bbe06592

SHA512
5cb50505ea9b3a7a90b1ab7eb34a1fa001de9414a2787af72aa5dc9f498ca1fad1b5d3f186b92940b378fda67aaabacaf01ac31317db63a58599e6d195ea96d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
bf7db21ce191f120b6ce855059e03c1f

SHA1
4c99d4e3faebf87ad92c9ecb423ad890e572494b

SHA256
fc0dd53fcd48dd3855eeb1a0d6bb8396d3d9ba857d2aa80b5d047167000546c7

SHA512
f0c177cbc33b8e86ebf08160860d8c89e9784eede3679fe44aef28d5362b93c526f442f520d7c1735e9496052ea3a41276734148e8731a6bc64bd6c631d2b71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
bf7db21ce191f120b6ce855059e03c1f

SHA1
4c99d4e3faebf87ad92c9ecb423ad890e572494b

SHA256
fc0dd53fcd48dd3855eeb1a0d6bb8396d3d9ba857d2aa80b5d047167000546c7

SHA512
f0c177cbc33b8e86ebf08160860d8c89e9784eede3679fe44aef28d5362b93c526f442f520d7c1735e9496052ea3a41276734148e8731a6bc64bd6c631d2b71c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\98tqHz26u601w1XQ3e_ycTZG.exe
MD5
caf7eb755bd0348b0ca5a03fe50df495

SHA1
d4e6e8a7a2c9524a287339e445ebd7061a292b28

SHA256
0342010025423b0f608bd3466e05c1e7967a7357ee4847fab8b23d8e329a8abb

SHA512
1d722df99ca31d2ba491ee086b8cbfc966f005ee0c2dceb42978fc8fe7d5ab143993bd3840c9178fce82aae5164285d08d07a60fa4e277307c2729bf482e2e5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\98tqHz26u601w1XQ3e_ycTZG.exe
MD5
caf7eb755bd0348b0ca5a03fe50df495

SHA1
d4e6e8a7a2c9524a287339e445ebd7061a292b28

SHA256
0342010025423b0f608bd3466e05c1e7967a7357ee4847fab8b23d8e329a8abb

SHA512
1d722df99ca31d2ba491ee086b8cbfc966f005ee0c2dceb42978fc8fe7d5ab143993bd3840c9178fce82aae5164285d08d07a60fa4e277307c2729bf482e2e5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AyQCaOs0j1N8eAXuTD6x77uC.exe
MD5
61bcd17894900f463353611e0241c985

SHA1
45aeb78ec362eafbd00f81bf5190f88f7ee23369

SHA256
dbdfb318fee4a57fc2ddb916c81ec0699a3f433748e38890559f5e405e94b7e9

SHA512
d91303503796dc6a8f2f09091978fdfb50ec7b1a5e0c1f9e83422b640ad8a6fcb0a0529fc7ac043cafd8ddcd936bc9fdf3a6c9334e4fe090dc0990e68af0002b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AyQCaOs0j1N8eAXuTD6x77uC.exe
MD5
61bcd17894900f463353611e0241c985

SHA1
45aeb78ec362eafbd00f81bf5190f88f7ee23369

SHA256
dbdfb318fee4a57fc2ddb916c81ec0699a3f433748e38890559f5e405e94b7e9

SHA512
d91303503796dc6a8f2f09091978fdfb50ec7b1a5e0c1f9e83422b640ad8a6fcb0a0529fc7ac043cafd8ddcd936bc9fdf3a6c9334e4fe090dc0990e68af0002b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\BLnKBKdbblara1PO5yrSoBiM.exe
MD5
37c142dd78241947cf5a728e9e0f34b7

SHA1
9917dd2b353b8879ec3cb810732452bc46882deb

SHA256
34d841525ed9c4ce8e5dc73018cf52a7181b0baf40871a8a064a0930b248bbc9

SHA512
1fd30d3b9ac394915aca52added6065ad323c908b6be63d14b69f770d2117571a915d275b899c9f941664e1cff892247b83e4354f72c47bdfac5fca937094669

Download Submit
C:\Users\Admin\Pictures\Adobe Films\IOHJ5kPN2vegyB6O0_sGJgtb.exe
MD5
64c9a04abd56851aefb69e65b19fe968

SHA1
a19a1067aca88b612e952db57fa18ada99162a6e

SHA256
b13c6a6b836657c1fb1f4c06ff680663ade7e85d1389bc3f7b5169cb1aebc0dd

SHA512
e39beaeaaae027b7be5d4a2a4505c22bbdd690161dbe0ad114c7d46801018c4bb8d6ba4514ca9817f30968cecce5926a264ad85baca0da6ac956c3fff15690ff

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JAlg1tJu7fS473GdaDUzFrew.exe
MD5
a1c4d1ce68ceaffa84728ed0f5196fd0

SHA1
f6941f577550a6ecf5309582968ea2c4c12fa7d7

SHA256
b940e318153e9cb75af0195676bbaeb136804963eba07ab277b0f7238e426b9a

SHA512
0854320417e360b23bb0f49ac3367e1853fbfdf6f0c87ae9614de46dd466090fea8849b177f6bfba5e1865cc0b4450b6fb13b58377cef1018da364f9aec93766

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KUBHoCoKzLQ8FxQHEAnf_DFC.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KUBHoCoKzLQ8FxQHEAnf_DFC.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MMOVYqpV2YNmB_s43DIu2TkG.exe
MD5
4cb40a5915b998c9c70b71e6b54de912

SHA1
15bfedc171add539bcbb2ecf4a1fd9eef1fd97f9

SHA256
bcba37ea39dbe60b1dd38557aaccf5aca3d6e2d754fa6e6d81e07e18ff3d7e58

SHA512
945b1de67d1cc6adb9bbbf1b08d8163c1cbb19f6878242def90aa08354503d98c96e7b53218ef4c1024c1315c3361be59830cbc88308b4ea088d1efe3755ebad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\OTec8MDuJee6gIdKBsgfL7i6.exe
MD5
62651c999f00f822fa0f10242747d8eb

SHA1
0269e1d1b1bdf595becc7a70c650255377eb863f

SHA256
1b5752f9fbf131671b60974926e03db7822d413244afdd8c9172701902b17c32

SHA512
fbb3e727ec7d3dbd25350feba350440ae08e84f68b5405bf9ca2101c70bedaa120b00e9d586808878d25f6791fab2668e8a884e18a1472938475fb4874b83af2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VQki5onfxaB4Pas5qA4uUTeT.exe
MD5
849814b0b00bfa4277f3c33b08e6caa8

SHA1
bdb293d7d6713830f48bf0daff2c4900f5afd9cc

SHA256
39933bacd89fb4ed010097f9cb35bc3356ddc6fe6e82201beb27efc008445cab

SHA512
351d52aa6b05054dc78ef67df1b19c8a8444270cec5d1374d302dc942f11b8d6558d2275fc7b2bf771858bccfab18d04499853788a91910304d2f0b737b4a28e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VajOlnIG9M2SZJBC__7vNsd8.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VajOlnIG9M2SZJBC__7vNsd8.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\aPRDwFlyHH_YADW_P0sL6fgD.exe
MD5
ebd92ae870a96ec9eafc5e12b22d0caa

SHA1
a000562844a49fe6c226d74ef23b7ffef7f7ed10

SHA256
bf3cb3479ba2238dda49a220bfa875b399a3e37149e29a2d5762bf81f43276c7

SHA512
5c5ed2b131818dabb7c5a47a2f4a3631ae0c11b577d34dc208bb5a0c3a2c6d8dbc1d74920b899082b31f27c51e73b969fe7c0fc68ec83b5b294565082440d301

Download Submit
C:\Users\Admin\Pictures\Adobe Films\e8QM3IM6YbvuqXU3g1CpAiDE.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\iClpPs59Gr5MJlD3NnYcwlaL.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ms8hFgiPP5jHXegy535Ghzst.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ms8hFgiPP5jHXegy535Ghzst.exe
MD5
266a1335f73ff12584a5d1d2e65b8be7

SHA1
35a6d1593a0ff74f209de0f294cd7b7cd067c14c

SHA256
316a7cea264e8cc29efe6dc3def98eeff7c42138ceba126127dc8228a119cfee

SHA512
35bdc71211656abaf05cde978594b5d0ad11d154851d90adc80fb96e1c737682561e82615024453bf6f483cb7bf451bd604993343e3bfb2d369deef25d1e4361

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nogLpji0lAhn1sZJTNs3GnQL.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\nogLpji0lAhn1sZJTNs3GnQL.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\onlWmWW_bbmOfrGOC_gIe3pW.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\onlWmWW_bbmOfrGOC_gIe3pW.exe
MD5
b9b15774905815d1ab124662adbaca9f

SHA1
21becde5109bac48f3efd8b4fea7043c47daf563

SHA256
655c8da705475f8326a43a382036964a2ecb3d39923154a2db8a0ac18e191934

SHA512
b9b9bbe177aac7b261c9632bc30338e747acf38bc4b7b74d8db0d3f0ccfe7f4bc44182bf660f94fdc88ee542a7d595b10f44d9ad1eb22c12d255369281a77e31

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qjJZiH1TOix237oHq0qrYl6h.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\qjJZiH1TOix237oHq0qrYl6h.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rT5DiRsu2Qx1Ql_GnXaKaL_2.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t9Uml7aB5vBCc4ksxjlw_X9f.exe
MD5
d0e66302d8fd5c0987670667702e844d

SHA1
e232dcbb280b2fcc09060d5f0c1c95d8751bd308

SHA256
3053835dc6474fabe8979800bd984c6f234b1e94571614f9475e2c7ee5e843f8

SHA512
9891b4a5378a4c7a501f4de3e84af7d46075ee21e2835a75691b9ab61350695fdd7c9a5317efb67e8c025b5f48bc6d02545f205f7ba32a46245969cafeb3fdab

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ukFBaazk6UuXdhEc0khcJKAr.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yqeN9ef1716h737PHSbAKH_w.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yqeN9ef1716h737PHSbAKH_w.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/376-246-0x000000007173E000-0x000000007173F000-memory.dmp

Filesize
4KB

Download
memory/376-227-0x0000000000910000-0x000000000091C000-memory.dmp

Filesize
48KB

Download
memory/740-280-0x0000000002430000-0x00000000024D3000-memory.dmp

Filesize
652KB

Download
memory/740-279-0x00000000023A0000-0x0000000002425000-memory.dmp

Filesize
532KB

Download
memory/780-256-0x0000000001AE0000-0x0000000001B24000-memory.dmp

Filesize
272KB

Download
memory/780-251-0x0000000001AB0000-0x0000000001AD7000-memory.dmp

Filesize
156KB

Download
memory/780-252-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/828-165-0x0000000001F00000-0x0000000001F09000-memory.dmp

Filesize
36KB

Download
memory/828-164-0x0000000001DDA000-0x0000000001DE2000-memory.dmp

Filesize
32KB

Download
memory/828-166-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/828-151-0x0000000001DDA000-0x0000000001DE2000-memory.dmp

Filesize
32KB

Download
memory/928-267-0x0000000004420000-0x00000000045DD000-memory.dmp

Filesize
1.7MB

Download
memory/1124-253-0x0000000005700000-0x0000000006026000-memory.dmp

Filesize
9.1MB

Download
memory/1124-254-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1124-257-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/1488-168-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/1488-215-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1488-167-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/1488-238-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1960-277-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/1960-250-0x000000007173E000-0x000000007173F000-memory.dmp

Filesize
4KB

Download
memory/1960-226-0x0000000000C70000-0x0000000000D3E000-memory.dmp

Filesize
824KB

Download
memory/2092-202-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/2092-208-0x00000000027A0000-0x00000000027E6000-memory.dmp

Filesize
280KB

Download
memory/2092-193-0x0000000000CC0000-0x0000000000EF1000-memory.dmp

Filesize
2.2MB

Download
memory/2092-263-0x0000000000CC2000-0x0000000000CF8000-memory.dmp

Filesize
216KB

Download
memory/2092-258-0x000000007173E000-0x000000007173F000-memory.dmp

Filesize
4KB

Download
memory/2092-268-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2092-205-0x0000000075140000-0x0000000075355000-memory.dmp

Filesize
2.1MB

Download
memory/2092-230-0x00000000742F0000-0x0000000074379000-memory.dmp

Filesize
548KB

Download
memory/2092-228-0x0000000000CC0000-0x0000000000EF1000-memory.dmp

Filesize
2.2MB

Download
memory/2092-229-0x0000000000CC0000-0x0000000000EF1000-memory.dmp

Filesize
2.2MB

Download
memory/2120-241-0x00000000006A0000-0x0000000000857000-memory.dmp

Filesize
1.7MB

Download
memory/2120-231-0x00000000006A0000-0x0000000000857000-memory.dmp

Filesize
1.7MB

Download
memory/2120-235-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/2120-243-0x00000000742F0000-0x0000000074379000-memory.dmp

Filesize
548KB

Download
memory/2120-237-0x0000000075140000-0x0000000075355000-memory.dmp

Filesize
2.1MB

Download
memory/2120-239-0x000000007173E000-0x000000007173F000-memory.dmp

Filesize
4KB

Download
memory/2120-261-0x0000000000D60000-0x0000000000DA6000-memory.dmp

Filesize
280KB

Download
memory/2120-233-0x00000000006A0000-0x0000000000857000-memory.dmp

Filesize
1.7MB

Download
memory/2120-270-0x00000000006A2000-0x00000000006D7000-memory.dmp

Filesize
212KB

Download
memory/2120-271-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2416-266-0x0000000001140000-0x0000000001155000-memory.dmp

Filesize
84KB

Download
memory/2692-262-0x0000000000E10000-0x0000000000E70000-memory.dmp

Filesize
384KB

Download
memory/2916-275-0x0000000002150000-0x000000000215D000-memory.dmp

Filesize
52KB

Download
memory/2916-278-0x0000000002160000-0x0000000002173000-memory.dmp

Filesize
76KB

Download
memory/2976-141-0x00007FFE06DE3000-0x00007FFE06DE5000-memory.dmp

Filesize
8KB

Download
memory/2976-144-0x0000000000450000-0x000000000047C000-memory.dmp

Filesize
176KB

Download
memory/3180-269-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3308-274-0x0000000000760000-0x0000000000769000-memory.dmp

Filesize
36KB

Download
memory/3308-276-0x0000000000770000-0x0000000000779000-memory.dmp

Filesize
36KB

Download
memory/3548-143-0x000000000204B000-0x000000000206E000-memory.dmp

Filesize
140KB

Download
memory/3548-181-0x0000000003FE0000-0x0000000003FF2000-memory.dmp

Filesize
72KB

Download
memory/3548-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-180-0x00000000073B0000-0x00000000079C8000-memory.dmp

Filesize
6.1MB

Download
memory/3548-225-0x00000000066D2000-0x00000000066D3000-memory.dmp

Filesize
4KB

Download
memory/3548-217-0x0000000001EE0000-0x0000000001F10000-memory.dmp

Filesize
192KB

Download
memory/3548-209-0x000000000204B000-0x000000000206E000-memory.dmp

Filesize
140KB

Download
memory/3548-204-0x0000000006D90000-0x0000000006E9A000-memory.dmp

Filesize
1.0MB

Download
memory/3548-173-0x00000000067E0000-0x0000000006D84000-memory.dmp

Filesize
5.6MB

Download
memory/3548-264-0x000000007173E000-0x000000007173F000-memory.dmp

Filesize
4KB

Download
memory/3548-265-0x00000000066D3000-0x00000000066D4000-memory.dmp

Filesize
4KB

Download
memory/3548-224-0x00000000066D0000-0x00000000066D1000-memory.dmp

Filesize
4KB

Download
memory/3572-245-0x00000000001F0000-0x00000000002E4000-memory.dmp

Filesize
976KB

Download
memory/3572-236-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3572-240-0x0000000075140000-0x0000000075355000-memory.dmp

Filesize
2.1MB

Download
memory/3572-260-0x0000000002940000-0x0000000002986000-memory.dmp

Filesize
280KB

Download
memory/3572-242-0x00000000001F2000-0x0000000000225000-memory.dmp

Filesize
204KB

Download
memory/3572-272-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/3572-249-0x00000000742F0000-0x0000000074379000-memory.dmp

Filesize
548KB

Download
memory/3572-247-0x00000000001F0000-0x00000000002E4000-memory.dmp

Filesize
976KB

Download
memory/3572-244-0x000000007173E000-0x000000007173F000-memory.dmp

Filesize
4KB

Download
memory/3572-232-0x00000000001F0000-0x00000000002E4000-memory.dmp

Filesize
976KB

Download
memory/3572-234-0x00000000001F0000-0x00000000002E4000-memory.dmp

Filesize
976KB

Download
memory/3604-255-0x0000000000490000-0x00000000004D8000-memory.dmp

Filesize
288KB

Download
memory/3604-248-0x00007FFE06A83000-0x00007FFE06A85000-memory.dmp

Filesize
8KB

Download
memory/3824-177-0x0000000004CB8000-0x00000000050F4000-memory.dmp

Filesize
4.2MB

Download
memory/3824-179-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3844-342-0x0000000003B00000-0x0000000003B2F000-memory.dmp

Filesize
188KB

Download
memory/3912-259-0x0000000002730000-0x0000000002790000-memory.dmp

Filesize
384KB

Download
memory/4036-172-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/4036-171-0x0000000005190000-0x0000000005AB6000-memory.dmp

Filesize
9.1MB

Download
memory/4036-170-0x0000000004C4F000-0x000000000508B000-memory.dmp

Filesize
4.2MB

Download
memory/4352-291-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4352-294-0x0000000000A31000-0x0000000000A81000-memory.dmp

Filesize
320KB

Download
memory/4352-295-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/4456-292-0x0000000000E20000-0x00000000011E3000-memory.dmp

Filesize
3.8MB

Download
memory/4456-296-0x0000000000E20000-0x00000000011E3000-memory.dmp

Filesize
3.8MB

Download
memory/4788-297-0x0000000010000000-0x00000000105C0000-memory.dmp

Filesize
5.8MB

Download
memory/4896-273-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download