glupteba | 9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42

Analysis

max time kernel
165s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe
Size

8.0MB
MD5

c055360832f8cd46d110b096e5f94d21
SHA1

f9989581b587f3991f093629af242a50b20ff1f9
SHA256

9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42
SHA512

6659dfc3cce18e74331f50d8e05da3c0fd05567552d666b799c401cb25971d5856546bf678adc46ccb449a021433db1de7bbd686d8a35ab0a42c7a3a03f37a93

Score

10^/10

glupteba metasploit smokeloader socelars backdoor discovery dropper evasion loader persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2388-176-0x00000000051E0000-0x0000000005B06000-memory.dmp	family_glupteba
behavioral2/memory/2388-177-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/860-183-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/1516-197-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3752 1104 rUNdlL32.eXe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3752	1104	rUNdlL32.eXe

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 1968 created 2388 1968 svchost.exe Info.exe
PID 1968 created 1516 1968 svchost.exe csrss.exe
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file

description	pid	process	target process
PID 1968 created 2388	1968	svchost.exe	Info.exe
PID 1968 created 1516	1968	svchost.exe	csrss.exe

Executes dropped EXE 16 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeInstall.exeFiles.exeFolder.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exeezA8UZQ2z1qarmc3VAVKqVlr.exeinjector.exe

pid	process
5056	SoCleanInst.exe
1332	md9_1sjm.exe
3124	Folder.exe
2388	Info.exe
4304	Updbdate.exe
2796	Install.exe
1112	Files.exe
3276	Folder.exe
3272	pub2.exe
2944	File.exe
2836	jfiag3g_gg.exe
4620	jfiag3g_gg.exe
860	Info.exe
1516	csrss.exe
4584	ezA8UZQ2z1qarmc3VAVKqVlr.exe
1916	injector.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4444 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4444	rundll32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpringFeather = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

108 ipinfo.io
38 ip-api.com
107 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in Windows directory 2 IoCs

Processes:

Info.exe

description ioc process

File opened for modification C:\Windows\rss Info.exe
File created C:\Windows\rss\csrss.exe Info.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
108	ipinfo.io
38	ip-api.com
107	ipinfo.io

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1300	2388	WerFault.exe	Info.exe
4912	4444	WerFault.exe	rundll32.exe
2344	2388	WerFault.exe	Info.exe
4012	2388	WerFault.exe	Info.exe
2368	2388	WerFault.exe	Info.exe
2020	2388	WerFault.exe	Info.exe
1976	2388	WerFault.exe	Info.exe
4344	2388	WerFault.exe	Info.exe
2980	2388	WerFault.exe	Info.exe
400	2388	WerFault.exe	Info.exe
1780	2388	WerFault.exe	Info.exe
764	2388	WerFault.exe	Info.exe
1428	2388	WerFault.exe	Info.exe
1868	2388	WerFault.exe	Info.exe
3136	2388	WerFault.exe	Info.exe
2724	2388	WerFault.exe	Info.exe
4832	2388	WerFault.exe	Info.exe
3984	2388	WerFault.exe	Info.exe
2364	2388	WerFault.exe	Info.exe
2796	2388	WerFault.exe	Info.exe
4448	2388	WerFault.exe	Info.exe
3844	860	WerFault.exe	Info.exe
3488	860	WerFault.exe	Info.exe
3576	860	WerFault.exe	Info.exe
3604	860	WerFault.exe	Info.exe
3144	860	WerFault.exe	Info.exe
1192	860	WerFault.exe	Info.exe
4392	860	WerFault.exe	Info.exe
1824	860	WerFault.exe	Info.exe
5008	860	WerFault.exe	Info.exe
1916	860	WerFault.exe	Info.exe
2620	860	WerFault.exe	Info.exe
4456	860	WerFault.exe	Info.exe
4428	860	WerFault.exe	Info.exe
3744	860	WerFault.exe	Info.exe
4500	860	WerFault.exe	Info.exe
4560	860	WerFault.exe	Info.exe
4768	1516	WerFault.exe	csrss.exe
3748	1516	WerFault.exe	csrss.exe
4572	1516	WerFault.exe	csrss.exe
2996	1516	WerFault.exe	csrss.exe
1200	1516	WerFault.exe	csrss.exe
2148	1516	WerFault.exe	csrss.exe
1916	1516	WerFault.exe	csrss.exe
2576	1516	WerFault.exe	csrss.exe
4588	1516	WerFault.exe	csrss.exe
2820	1516	WerFault.exe	csrss.exe
4460	1516	WerFault.exe	csrss.exe
2680	1516	WerFault.exe	csrss.exe
4504	1516	WerFault.exe	csrss.exe
3272	1516	WerFault.exe	csrss.exe
4512	1516	WerFault.exe	csrss.exe
1512	1516	WerFault.exe	csrss.exe
4536	2944	WerFault.exe	File.exe
4776	2944	WerFault.exe	File.exe
3784	1516	WerFault.exe	csrss.exe
2964	1516	WerFault.exe	csrss.exe
4340	1516	WerFault.exe	csrss.exe
3604	1516	WerFault.exe	csrss.exe
3924	1516	WerFault.exe	csrss.exe
4392	1516	WerFault.exe	csrss.exe
372	1516	WerFault.exe	csrss.exe
3328	1516	WerFault.exe	csrss.exe
2812	2944	WerFault.exe	File.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4892 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4672 taskkill.exe

pid	process
4892	schtasks.exe

pid	process
4672	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Info.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
3272	pub2.exe
3272	pub2.exe
4620	jfiag3g_gg.exe
4620	jfiag3g_gg.exe
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380
2380

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3272 pub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	5056	SoCleanInst.exe
Token: SeCreateTokenPrivilege	2796	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2796	Install.exe
Token: SeLockMemoryPrivilege	2796	Install.exe
Token: SeIncreaseQuotaPrivilege	2796	Install.exe
Token: SeMachineAccountPrivilege	2796	Install.exe
Token: SeTcbPrivilege	2796	Install.exe
Token: SeSecurityPrivilege	2796	Install.exe
Token: SeTakeOwnershipPrivilege	2796	Install.exe
Token: SeLoadDriverPrivilege	2796	Install.exe
Token: SeSystemProfilePrivilege	2796	Install.exe
Token: SeSystemtimePrivilege	2796	Install.exe
Token: SeProfSingleProcessPrivilege	2796	Install.exe
Token: SeIncBasePriorityPrivilege	2796	Install.exe
Token: SeCreatePagefilePrivilege	2796	Install.exe
Token: SeCreatePermanentPrivilege	2796	Install.exe
Token: SeBackupPrivilege	2796	Install.exe
Token: SeRestorePrivilege	2796	Install.exe
Token: SeShutdownPrivilege	2796	Install.exe
Token: SeDebugPrivilege	2796	Install.exe
Token: SeAuditPrivilege	2796	Install.exe
Token: SeSystemEnvironmentPrivilege	2796	Install.exe
Token: SeChangeNotifyPrivilege	2796	Install.exe
Token: SeRemoteShutdownPrivilege	2796	Install.exe
Token: SeUndockPrivilege	2796	Install.exe
Token: SeSyncAgentPrivilege	2796	Install.exe
Token: SeEnableDelegationPrivilege	2796	Install.exe
Token: SeManageVolumePrivilege	2796	Install.exe
Token: SeImpersonatePrivilege	2796	Install.exe
Token: SeCreateGlobalPrivilege	2796	Install.exe
Token: 31	2796	Install.exe
Token: 32	2796	Install.exe
Token: 33	2796	Install.exe
Token: 34	2796	Install.exe
Token: 35	2796	Install.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeManageVolumePrivilege	1332	md9_1sjm.exe
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380
Token: SeCreatePagefilePrivilege	2380
Token: SeShutdownPrivilege	2380

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exeFolder.exeFiles.exeInstall.exerUNdlL32.eXecmd.exesvchost.exeInfo.execmd.exeFile.execsrss.exe

description	pid	process	target process
PID 4692 wrote to memory of 5056	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	SoCleanInst.exe
PID 4692 wrote to memory of 5056	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	SoCleanInst.exe
PID 4692 wrote to memory of 1332	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	md9_1sjm.exe
PID 4692 wrote to memory of 1332	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	md9_1sjm.exe
PID 4692 wrote to memory of 1332	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	md9_1sjm.exe
PID 4692 wrote to memory of 3124	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Folder.exe
PID 4692 wrote to memory of 3124	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Folder.exe
PID 4692 wrote to memory of 3124	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Folder.exe
PID 4692 wrote to memory of 2388	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Info.exe
PID 4692 wrote to memory of 2388	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Info.exe
PID 4692 wrote to memory of 2388	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Info.exe
PID 4692 wrote to memory of 4304	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Updbdate.exe
PID 4692 wrote to memory of 4304	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Updbdate.exe
PID 4692 wrote to memory of 4304	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Updbdate.exe
PID 4692 wrote to memory of 2796	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Install.exe
PID 4692 wrote to memory of 2796	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Install.exe
PID 4692 wrote to memory of 2796	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Install.exe
PID 4692 wrote to memory of 1112	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Files.exe
PID 4692 wrote to memory of 1112	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Files.exe
PID 4692 wrote to memory of 1112	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	Files.exe
PID 3124 wrote to memory of 3276	3124	Folder.exe	Folder.exe
PID 3124 wrote to memory of 3276	3124	Folder.exe	Folder.exe
PID 3124 wrote to memory of 3276	3124	Folder.exe	Folder.exe
PID 4692 wrote to memory of 3272	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	pub2.exe
PID 4692 wrote to memory of 3272	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	pub2.exe
PID 4692 wrote to memory of 3272	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	pub2.exe
PID 4692 wrote to memory of 2944	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	File.exe
PID 4692 wrote to memory of 2944	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	File.exe
PID 4692 wrote to memory of 2944	4692	9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe	File.exe
PID 1112 wrote to memory of 2836	1112	Files.exe	jfiag3g_gg.exe
PID 1112 wrote to memory of 2836	1112	Files.exe	jfiag3g_gg.exe
PID 1112 wrote to memory of 2836	1112	Files.exe	jfiag3g_gg.exe
PID 2796 wrote to memory of 3132	2796	Install.exe	cmd.exe
PID 2796 wrote to memory of 3132	2796	Install.exe	cmd.exe
PID 2796 wrote to memory of 3132	2796	Install.exe	cmd.exe
PID 3752 wrote to memory of 4444	3752	rUNdlL32.eXe	rundll32.exe
PID 3752 wrote to memory of 4444	3752	rUNdlL32.eXe	rundll32.exe
PID 3752 wrote to memory of 4444	3752	rUNdlL32.eXe	rundll32.exe
PID 3132 wrote to memory of 4672	3132	cmd.exe	taskkill.exe
PID 3132 wrote to memory of 4672	3132	cmd.exe	taskkill.exe
PID 3132 wrote to memory of 4672	3132	cmd.exe	taskkill.exe
PID 1112 wrote to memory of 4620	1112	Files.exe	jfiag3g_gg.exe
PID 1112 wrote to memory of 4620	1112	Files.exe	jfiag3g_gg.exe
PID 1112 wrote to memory of 4620	1112	Files.exe	jfiag3g_gg.exe
PID 1968 wrote to memory of 860	1968	svchost.exe	Info.exe
PID 1968 wrote to memory of 860	1968	svchost.exe	Info.exe
PID 1968 wrote to memory of 860	1968	svchost.exe	Info.exe
PID 860 wrote to memory of 1724	860	Info.exe	cmd.exe
PID 860 wrote to memory of 1724	860	Info.exe	cmd.exe
PID 1724 wrote to memory of 3816	1724	cmd.exe	netsh.exe
PID 1724 wrote to memory of 3816	1724	cmd.exe	netsh.exe
PID 860 wrote to memory of 1516	860	Info.exe	csrss.exe
PID 860 wrote to memory of 1516	860	Info.exe	csrss.exe
PID 860 wrote to memory of 1516	860	Info.exe	csrss.exe
PID 2944 wrote to memory of 4584	2944	File.exe	ezA8UZQ2z1qarmc3VAVKqVlr.exe
PID 2944 wrote to memory of 4584	2944	File.exe	ezA8UZQ2z1qarmc3VAVKqVlr.exe
PID 1968 wrote to memory of 4892	1968	svchost.exe	schtasks.exe
PID 1968 wrote to memory of 4892	1968	svchost.exe	schtasks.exe
PID 1516 wrote to memory of 1916	1516	csrss.exe	injector.exe
PID 1516 wrote to memory of 1916	1516	csrss.exe	injector.exe

C:\Users\Admin\AppData\Local\Temp\9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe
"C:\Users\Admin\AppData\Local\Temp\9ac03ecbdc94103bebc97f5b4ff50ce7e36faf2fd04cf0169617a6dc1be6ed42.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4692

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3276

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 372
3⤵
- Program crash
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 396
3⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 604
3⤵
- Program crash
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 696
3⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 696
3⤵
- Program crash
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 728
3⤵
- Program crash
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 740
3⤵
- Program crash
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 752
3⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 628
3⤵
- Program crash
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 864
3⤵
- Program crash
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 628
3⤵
- Program crash
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 848
3⤵
- Program crash
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 888
3⤵
- Program crash
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 640
3⤵
- Program crash
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 900
3⤵
- Program crash
PID:2724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 724
3⤵
- Program crash
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 976
3⤵
- Program crash
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 992
3⤵
- Program crash
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 912
3⤵
- Program crash
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 988
3⤵
- Program crash
PID:4448

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 332
4⤵
- Program crash
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 336
4⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 336
4⤵
- Program crash
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 624
4⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 684
4⤵
- Program crash
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 684
4⤵
- Program crash
PID:1192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 684
4⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 700
4⤵
- Program crash
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 724
4⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 640
4⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 668
4⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 744
4⤵
- Program crash
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 792
4⤵
- Program crash
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 908
4⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 804
4⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 856
4⤵
- Program crash
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3816

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 368
5⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 376
5⤵
- Program crash
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 376
5⤵
- Program crash
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 652
5⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 652
5⤵
- Program crash
PID:1200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 652
5⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 728
5⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 736
5⤵
- Program crash
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 756
5⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 616
5⤵
- Program crash
PID:2820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 668
5⤵
- Program crash
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 752
5⤵
- Program crash
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 904
5⤵
- Program crash
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 916
5⤵
- Program crash
PID:3272

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 972
5⤵
- Program crash
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 988
5⤵
- Program crash
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 904
5⤵
- Program crash
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1048
5⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 984
5⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 904
5⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1044
5⤵
- Program crash
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 940
5⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1120
5⤵
- Program crash
PID:372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1088
5⤵
- Program crash
PID:3328

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1916

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1112

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4620

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3272

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2944

C:\Users\Admin\Pictures\Adobe Films\ezA8UZQ2z1qarmc3VAVKqVlr.exe
"C:\Users\Admin\Pictures\Adobe Films\ezA8UZQ2z1qarmc3VAVKqVlr.exe"
3⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1916
3⤵
- Program crash
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1884
3⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1872
3⤵
- Program crash
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2388 -ip 2388
1⤵
PID:2976

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3752

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 608
3⤵
- Program crash
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4444 -ip 4444
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2388 -ip 2388
1⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2388 -ip 2388
1⤵
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2388 -ip 2388
1⤵
PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2388 -ip 2388
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2388 -ip 2388
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2388 -ip 2388
1⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2388 -ip 2388
1⤵
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2388 -ip 2388
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2388 -ip 2388
1⤵
PID:3180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2388 -ip 2388
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2388 -ip 2388
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2388 -ip 2388
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2388 -ip 2388
1⤵
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2388 -ip 2388
1⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2388 -ip 2388
1⤵
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2388 -ip 2388
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2388 -ip 2388
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2388 -ip 2388
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2388 -ip 2388
1⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2388 -ip 2388
1⤵
PID:3680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 860 -ip 860
1⤵
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 860 -ip 860
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 860 -ip 860
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 860 -ip 860
1⤵
PID:4552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 860 -ip 860
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 860 -ip 860
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 860 -ip 860
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 860 -ip 860
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 860 -ip 860
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 860 -ip 860
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 860 -ip 860
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 860 -ip 860
1⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 860 -ip 860
1⤵
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 860 -ip 860
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 860 -ip 860
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 860 -ip 860
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1516 -ip 1516
1⤵
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1516 -ip 1516
1⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1516 -ip 1516
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1516 -ip 1516
1⤵
PID:3592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1516 -ip 1516
1⤵
PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1516 -ip 1516
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1516 -ip 1516
1⤵
PID:1612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1516 -ip 1516
1⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1516 -ip 1516
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1516 -ip 1516
1⤵
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1516 -ip 1516
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1516 -ip 1516
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1516 -ip 1516
1⤵
PID:3024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1516 -ip 1516
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1516 -ip 1516
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1516 -ip 1516
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2944 -ip 2944
1⤵
PID:3652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2944 -ip 2944
1⤵
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1516 -ip 1516
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1516 -ip 1516
1⤵
PID:2028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1516 -ip 1516
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 1516 -ip 1516
1⤵
PID:712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1516 -ip 1516
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1516 -ip 1516
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1516 -ip 1516
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1516 -ip 1516
1⤵
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2944 -ip 2944
1⤵
PID:2724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
254199404fccfb91d18c929ce584eef7

SHA1
782d4fe5b1f4cd12af5fb6bc7cbd0392d205fe07

SHA256
6348d04d59e1303a3aa2574cb2f9d98d3d91347d4f03444a15962062dccb1fdd

SHA512
a20f98e59f2e5a16191befd7bf8bd52f5789653b9c1c2917c413d5ca5c2cbfbfa7bc2e8126ef433a979f72bbf6a3fa5b43de8a1eaa490692610101df10ea14a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e82c2a867c605e20cb431ac113319fdb

SHA1
0bcbb754b4ad68eff09930a6f52867c08a7b9b91

SHA256
6713bae239132d875e9471544546089870086b851d8235f2b5f8350cfaa4b121

SHA512
6a6e4a8a3933ddd983fde6307616a95592b0d77921de1b2b12a0c90d03a9b8d02a733f362d1c4ef79e3e37e0a25c8b015c639be0bfff2e7719bfd9ab4579f657

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
e82c2a867c605e20cb431ac113319fdb

SHA1
0bcbb754b4ad68eff09930a6f52867c08a7b9b91

SHA256
6713bae239132d875e9471544546089870086b851d8235f2b5f8350cfaa4b121

SHA512
6a6e4a8a3933ddd983fde6307616a95592b0d77921de1b2b12a0c90d03a9b8d02a733f362d1c4ef79e3e37e0a25c8b015c639be0bfff2e7719bfd9ab4579f657

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
5e9cfd6a1d2804a1e7f048b0c76a6d9e

SHA1
2d119fa11dc5e390cdb1fae208fbf0903548961e

SHA256
21faf55f3437b60c0b6518d8576bff0300e4d8460139b2f157f76d36a57b559b

SHA512
4e72728420c31c3ddcb2626ed426b8afba6a6674e8e96cda664b2977f53726af59d5b2ff63db80b373480db1f4a43c3d44e5ee9a4c3b9b0c92ce0cb5eebc05dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
5e9cfd6a1d2804a1e7f048b0c76a6d9e

SHA1
2d119fa11dc5e390cdb1fae208fbf0903548961e

SHA256
21faf55f3437b60c0b6518d8576bff0300e4d8460139b2f157f76d36a57b559b

SHA512
4e72728420c31c3ddcb2626ed426b8afba6a6674e8e96cda664b2977f53726af59d5b2ff63db80b373480db1f4a43c3d44e5ee9a4c3b9b0c92ce0cb5eebc05dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
165f4f21e84a0d8883a44d434f245056

SHA1
6c8ecc3862c17a7b67355440abd989ff585468dc

SHA256
052a4f1f459aca93942a2bd32604a1129869dfb141e459916d800361022fa735

SHA512
d1e49d89febd3c3993960e9674e1b12b788a0e8048d69ba016e93b577d13d36475733e6116b105bc0b00d0f8174ff199ea61495279d2885f1314955aaca6cbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
165f4f21e84a0d8883a44d434f245056

SHA1
6c8ecc3862c17a7b67355440abd989ff585468dc

SHA256
052a4f1f459aca93942a2bd32604a1129869dfb141e459916d800361022fa735

SHA512
d1e49d89febd3c3993960e9674e1b12b788a0e8048d69ba016e93b577d13d36475733e6116b105bc0b00d0f8174ff199ea61495279d2885f1314955aaca6cbeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
aa1518edcf5cc0a750161de2e06a9af5

SHA1
335bffd5831bfc29d00db5783aec7a6be7217402

SHA256
cec6da5363aa7f1908dbc0385d9f1f0b2d02fca59cb6d1ae66d6857dfac8920d

SHA512
4c2483ae50ad5b0102fc9af4124e5d4d6b3d927508de706eac1b2dd1611d14d6deb2d2bfe1d757eefe53b2722a11444539ba120f022f47864c06bb5f7058d38a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
53b01ccd65893036e6e73376605da1e2

SHA1
12c7162ea3ce90ec064ce61251897c8bec3fd115

SHA256
de95d03777407422fac23d6c1f0740e131a0d38c5ef19aca742c7bcf1a994fd7

SHA512
e5d1dd0ac1a53df261179d58817e71f4b263179ba1f1599da3b654ae9550dc608afc5a12057fb533aab0abb2eb406e3a7331e10a6f2b91254f062a777299e067

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
ab5cb44d05fa2cb3734049b613e585b1

SHA1
3b41e1a7ad0829333ec94a6df554df0f8610b9c3

SHA256
7536d544a19dc200a4e91bbc343d03d1d6072fb59be2d99712884f07c3a4bfb8

SHA512
8f2b3112dc563f918a8f967947d219c3c0b5e1462f0315037e9251c7ce598a231d1658f6e946871455bf5474bcc29aa727aa5de644d22523f77ad4f887a400b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
ab5cb44d05fa2cb3734049b613e585b1

SHA1
3b41e1a7ad0829333ec94a6df554df0f8610b9c3

SHA256
7536d544a19dc200a4e91bbc343d03d1d6072fb59be2d99712884f07c3a4bfb8

SHA512
8f2b3112dc563f918a8f967947d219c3c0b5e1462f0315037e9251c7ce598a231d1658f6e946871455bf5474bcc29aa727aa5de644d22523f77ad4f887a400b2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ezA8UZQ2z1qarmc3VAVKqVlr.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ezA8UZQ2z1qarmc3VAVKqVlr.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/860-183-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/860-182-0x0000000004D16000-0x0000000005152000-memory.dmp

Filesize
4.2MB

Download
memory/1332-171-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/1332-188-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/1332-170-0x00000000038A0000-0x00000000038B0000-memory.dmp

Filesize
64KB

Download
memory/1516-194-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/1516-197-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2380-189-0x0000000000A10000-0x0000000000A25000-memory.dmp

Filesize
84KB

Download
memory/2388-177-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2388-176-0x00000000051E0000-0x0000000005B06000-memory.dmp

Filesize
9.1MB

Download
memory/2388-175-0x0000000004CA3000-0x00000000050DF000-memory.dmp

Filesize
4.2MB

Download
memory/2944-201-0x0000000004170000-0x000000000432E000-memory.dmp

Filesize
1.7MB

Download
memory/3272-164-0x000000000082B000-0x000000000083B000-memory.dmp

Filesize
64KB

Download
memory/3272-165-0x0000000000620000-0x0000000000629000-memory.dmp

Filesize
36KB

Download
memory/3272-153-0x000000000082B000-0x000000000083B000-memory.dmp

Filesize
64KB

Download
memory/3272-166-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/4304-147-0x0000000001F9B000-0x0000000001FBE000-memory.dmp

Filesize
140KB

Download
memory/4304-178-0x0000000006610000-0x0000000006BB4000-memory.dmp

Filesize
5.6MB

Download
memory/4304-186-0x0000000006D30000-0x0000000006D42000-memory.dmp

Filesize
72KB

Download
memory/4304-190-0x0000000001EF0000-0x0000000001F20000-memory.dmp

Filesize
192KB

Download
memory/4304-202-0x0000000006604000-0x0000000006606000-memory.dmp

Filesize
8KB

Download
memory/4304-155-0x0000000001F9B000-0x0000000001FBE000-memory.dmp

Filesize
140KB

Download
memory/4304-193-0x00000000718F0000-0x00000000720A0000-memory.dmp

Filesize
7.7MB

Download
memory/4304-181-0x00000000072E0000-0x00000000078F8000-memory.dmp

Filesize
6.1MB

Download
memory/4304-195-0x0000000000400000-0x0000000001DA0000-memory.dmp

Filesize
25.6MB

Download
memory/4304-196-0x0000000001E80000-0x0000000001EBC000-memory.dmp

Filesize
240KB

Download
memory/4304-187-0x0000000006D50000-0x0000000006E5A000-memory.dmp

Filesize
1.0MB

Download
memory/4304-199-0x0000000006602000-0x0000000006603000-memory.dmp

Filesize
4KB

Download
memory/4304-200-0x0000000006603000-0x0000000006604000-memory.dmp

Filesize
4KB

Download
memory/4304-198-0x0000000006600000-0x0000000006601000-memory.dmp

Filesize
4KB

Download
memory/5056-138-0x00000000007D0000-0x00000000007FA000-memory.dmp

Filesize
168KB

Download
memory/5056-154-0x00007FFFA7460000-0x00007FFFA7F21000-memory.dmp

Filesize
10.8MB

Download