94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242

Analysis

max time kernel
125s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
Size

6.1MB
MD5

cbc544a8feb79112f5b79fc9c026be09
SHA1

0512fb19f30597a2d8f503ae3d86e712512c07e1
SHA256

94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242
SHA512

33a265e1469237352900bf2f9a6a129ae0e6eaeeaf9fe963aa2cdef5d9ee9de77fbdee90ff7887ac5db53e6313b526adf52fbb98bd7d4a9a5df4d8c14e85880e
SSDEEP

196608:J4NdfNZwDDCc/F7Bi0UqQJefQ2dYGamW:oZ+DCc/F7BimQJe41GamW

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
29	1520	rundll32.exe
34	5056	rundll32.exe
36	1520	rundll32.exe
37	4156	rundll32.exe
38	5056	rundll32.exe
40	2280	rundll32.exe
41	1864	rundll32.exe
42	4156	rundll32.exe
43	2280	rundll32.exe
46	1864	rundll32.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe

Loads dropped DLL 9 IoCs

pid	Process
1520	rundll32.exe
1520	rundll32.exe
5056	rundll32.exe
4156	rundll32.exe
4156	rundll32.exe
2280	rundll32.exe
1864	rundll32.exe
1864	rundll32.exe
2008	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2072	1520	rundll32.exe	219

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
1492	1440	WerFault.exe	80
2548	1440	WerFault.exe	80
4384	1440	WerFault.exe	80
2056	1440	WerFault.exe	80
1704	1440	WerFault.exe	80
3768	1440	WerFault.exe	80
3596	1440	WerFault.exe	80
684	1440	WerFault.exe	80
1312	1440	WerFault.exe	80
4224	4820	WerFault.exe	106
2248	4820	WerFault.exe	106
860	4820	WerFault.exe	106
3808	4820	WerFault.exe	106
4360	4820	WerFault.exe	106
1988	4820	WerFault.exe	106
1632	4820	WerFault.exe	106
3180	4820	WerFault.exe	106
2448	4820	WerFault.exe	106
4920	432	WerFault.exe	125
3840	1440	WerFault.exe	80
4048	432	WerFault.exe	125
4844	432	WerFault.exe	125
1536	432	WerFault.exe	125
2508	432	WerFault.exe	125
4324	432	WerFault.exe	125
4384	432	WerFault.exe	125
2836	432	WerFault.exe	125
3988	432	WerFault.exe	125
2440	432	WerFault.exe	125
2152	1912	WerFault.exe	147
4268	4820	WerFault.exe	106
3540	1912	WerFault.exe	147
3820	1912	WerFault.exe	147
2124	1912	WerFault.exe	147
1908	1912	WerFault.exe	147
2008	1912	WerFault.exe	147
3916	1912	WerFault.exe	147
504	1912	WerFault.exe	147
1124	1912	WerFault.exe	147
4348	1912	WerFault.exe	147
1440	3192	WerFault.exe	172
3732	3192	WerFault.exe	172
4500	3192	WerFault.exe	172
2760	3192	WerFault.exe	172
1820	3192	WerFault.exe	172
3388	3192	WerFault.exe	172
5048	3192	WerFault.exe	172
4400	3192	WerFault.exe	172
2796	3192	WerFault.exe	172
1704	3192	WerFault.exe	172
2440	3592	WerFault.exe	194
832	3592	WerFault.exe	194
4516	3592	WerFault.exe	194
2516	3592	WerFault.exe	194
316	3592	WerFault.exe	194
4628	3592	WerFault.exe	194
4252	3592	WerFault.exe	194
1964	3592	WerFault.exe	194
4112	3592	WerFault.exe	194
2352	1388	WerFault.exe	214
1916	1388	WerFault.exe	214
4400	1388	WerFault.exe	214
4512	1388	WerFault.exe	214
4852	1388	WerFault.exe	214

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2072	rundll32.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4820	1440	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	106
PID 1440 wrote to memory of 4820	1440	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	106
PID 1440 wrote to memory of 4820	1440	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	106
PID 4820 wrote to memory of 432	4820	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	125
PID 4820 wrote to memory of 432	4820	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	125
PID 4820 wrote to memory of 432	4820	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	125
PID 1440 wrote to memory of 1520	1440	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	128
PID 1440 wrote to memory of 1520	1440	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	128
PID 1440 wrote to memory of 1520	1440	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	128
PID 432 wrote to memory of 1912	432	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	147
PID 432 wrote to memory of 1912	432	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	147
PID 432 wrote to memory of 1912	432	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	147
PID 432 wrote to memory of 5056	432	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	148
PID 432 wrote to memory of 5056	432	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	148
PID 432 wrote to memory of 5056	432	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	148
PID 4820 wrote to memory of 4156	4820	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	154
PID 4820 wrote to memory of 4156	4820	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	154
PID 4820 wrote to memory of 4156	4820	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	154
PID 1912 wrote to memory of 3192	1912	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	172
PID 1912 wrote to memory of 3192	1912	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	172
PID 1912 wrote to memory of 3192	1912	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	172
PID 1912 wrote to memory of 2280	1912	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	173
PID 1912 wrote to memory of 2280	1912	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	173
PID 1912 wrote to memory of 2280	1912	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	173
PID 3192 wrote to memory of 3592	3192	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	194
PID 3192 wrote to memory of 3592	3192	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	194
PID 3192 wrote to memory of 3592	3192	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	194
PID 3192 wrote to memory of 1864	3192	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	195
PID 3192 wrote to memory of 1864	3192	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	195
PID 3192 wrote to memory of 1864	3192	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	195
PID 3592 wrote to memory of 1388	3592	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	214
PID 3592 wrote to memory of 1388	3592	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	214
PID 3592 wrote to memory of 1388	3592	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	214
PID 3592 wrote to memory of 2008	3592	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	215
PID 3592 wrote to memory of 2008	3592	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	215
PID 3592 wrote to memory of 2008	3592	94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe	215
PID 1520 wrote to memory of 2072	1520	rundll32.exe	219
PID 1520 wrote to memory of 2072	1520	rundll32.exe	219
PID 1520 wrote to memory of 2072	1520	rundll32.exe	219

C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
"C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 628
  2⤵
  - Program crash
  PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 896
  2⤵
  - Program crash
  PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 980
  2⤵
  - Program crash
  PID:4384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 976
  2⤵
  - Program crash
  PID:2056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1124
  2⤵
  - Program crash
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1132
  2⤵
  - Program crash
  PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1144
  2⤵
  - Program crash
  PID:3596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1092
  2⤵
  - Program crash
  PID:684
- C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
  "C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 472
    3⤵
    - Program crash
    PID:4224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 996
    3⤵
    - Program crash
    PID:2248
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1000
    3⤵
    - Program crash
    PID:860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 996
    3⤵
    - Program crash
    PID:3808
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1092
    3⤵
    - Program crash
    PID:4360
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1116
    3⤵
    - Program crash
    PID:1988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1128
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1148
    3⤵
    - Program crash
    PID:3180
- - C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
    "C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 600
      4⤵
      Program crash
      PID:4920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 996
      4⤵
      Program crash
      PID:4048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1004
      4⤵
      Program crash
      PID:4844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1008
      4⤵
      Program crash
      PID:1536
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1112
      4⤵
      Program crash
      PID:2508
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1080
      4⤵
      Program crash
      PID:4324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1000
      4⤵
      Program crash
      PID:4384
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1140
      4⤵
      Program crash
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
      "C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 472
        5⤵
        Program crash
        
        PID:2152
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 996
        5⤵
        Program crash
        
        PID:3540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1004
        5⤵
        Program crash
        
        PID:3820
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1004
        5⤵
        Program crash
        
        PID:2124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1088
        5⤵
        Program crash
        
        PID:1908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1096
        5⤵
        Program crash
        
        PID:2008
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1116
        5⤵
        Program crash
        
        PID:3916
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1080
        5⤵
        Program crash
        
        PID:504
    - - C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3192
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 600
        6⤵
        Program crash
        
        PID:1440
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 996
        6⤵
        Program crash
        
        PID:3732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1004
        6⤵
        Program crash
        
        PID:4500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1004
        6⤵
        Program crash
        
        PID:2760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1104
        6⤵
        Program crash
        
        PID:1820
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1004
        6⤵
        Program crash
        
        PID:3388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1084
        6⤵
        Program crash
        
        PID:5048
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1080
        6⤵
        Program crash
        
        PID:4400
      - C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 600
        7⤵
        Program crash
        
        PID:2440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 996
        7⤵
        Program crash
        
        PID:832
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1000
        7⤵
        Program crash
        
        PID:4516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 996
        7⤵
        Program crash
        
        PID:2516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1132
        7⤵
        Program crash
        
        PID:316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1152
        7⤵
        Program crash
        
        PID:4628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1172
        7⤵
        Program crash
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe
        
        "C:\Users\Admin\AppData\Local\Temp\94a67de2fc728dcbd2d4347a3a5d89965bae18eb957cc652f6af15aadfdc5242.exe"
        7⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 600
        8⤵
        Program crash
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 996
        8⤵
        Program crash
        
        PID:1916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1000
        8⤵
        Program crash
        
        PID:4400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 996
        8⤵
        Program crash
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1112
        8⤵
        Program crash
        
        PID:4852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1144
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1092
        8⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        7⤵
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 984
        7⤵
        Program crash
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 1068
        7⤵
        Program crash
        
        PID:4112
      - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:1864
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 984
        6⤵
        Program crash
        
        PID:2796
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1136
        6⤵
        Program crash
        
        PID:1704
    - - C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2280
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 984
        5⤵
        Program crash
        
        PID:1124
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 1096
        5⤵
        Program crash
        
        PID:4348
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Checks processor information in registry
      PID:5056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 988
      4⤵
      Program crash
      PID:3988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 432 -s 1144
      4⤵
      Program crash
      PID:2440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 984
    3⤵
    - Program crash
    PID:2448
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:4156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1152
    3⤵
    - Program crash
    PID:4268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 980
  2⤵
  - Program crash
  PID:1312
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll,start
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14057
    3⤵
    - Suspicious use of FindShellTrayWindow
    PID:2072
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 1280
  2⤵
  - Program crash
  PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1440 -ip 1440
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1440 -ip 1440
1⤵
PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1440 -ip 1440
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1440 -ip 1440
1⤵
PID:3996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1440 -ip 1440
1⤵
PID:2084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1440 -ip 1440
1⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1440 -ip 1440
1⤵
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1440 -ip 1440
1⤵
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1440 -ip 1440
1⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4820 -ip 4820
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4820 -ip 4820
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4820 -ip 4820
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4820 -ip 4820
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4820 -ip 4820
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4820 -ip 4820
1⤵
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4820 -ip 4820
1⤵
PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4820 -ip 4820
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4820 -ip 4820
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 432 -ip 432
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1440 -ip 1440
1⤵
PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 432 -ip 432
1⤵
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 432 -ip 432
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 432 -ip 432
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 432 -ip 432
1⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 432 -ip 432
1⤵
PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 432 -ip 432
1⤵
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 432 -ip 432
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 432 -ip 432
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 432 -ip 432
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1912 -ip 1912
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4820 -ip 4820
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1912 -ip 1912
1⤵
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1912 -ip 1912
1⤵
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1912 -ip 1912
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1912 -ip 1912
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1912 -ip 1912
1⤵
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1912 -ip 1912
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1912 -ip 1912
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1912 -ip 1912
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 1912 -ip 1912
1⤵
PID:2956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3192 -ip 3192
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 3192 -ip 3192
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3192 -ip 3192
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3192 -ip 3192
1⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3192 -ip 3192
1⤵
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3192 -ip 3192
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3192 -ip 3192
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 3192 -ip 3192
1⤵
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3192 -ip 3192
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3192 -ip 3192
1⤵
PID:3472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3592 -ip 3592
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3592 -ip 3592
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 3592 -ip 3592
1⤵
PID:3060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3592 -ip 3592
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3592 -ip 3592
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3592 -ip 3592
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 3592 -ip 3592
1⤵
PID:1752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 3592 -ip 3592
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3592 -ip 3592
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1388 -ip 1388
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1388 -ip 1388
1⤵
PID:1536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 1388 -ip 1388
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 1388 -ip 1388
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1388 -ip 1388
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1388 -ip 1388
1⤵
PID:4040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 1388 -ip 1388
1⤵
PID:3240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02fc4909-db62-4fee-8646-109dbf6b271b.tmp

Filesize
21KB

MD5
301ea18f32584b0102b1e4f710c6054d

SHA1
e970ec47138c443ec94a4c3671622f578ed09a26

SHA256
7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

SHA512
3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fc4909-db62-4fee-8646-109dbf6b271b.tmp

Filesize
21KB

MD5
301ea18f32584b0102b1e4f710c6054d

SHA1
e970ec47138c443ec94a4c3671622f578ed09a26

SHA256
7f4e382d1c6724a5f173f3617e35d5ad74c28ffce9a918f00b48c88f978dc34e

SHA512
3c1dd0687ff4a98324f8f0c054e2bf24a3adc2edb28a4ee095f5e71d5943702bcdf36b4c5b2e163e17cc207833194539ed98b7830e94ac446a9d48d29837627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\185a0208-d15a-42cc-a6bd-26fded261d7b.tmp

Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\185a0208-d15a-42cc-a6bd-26fded261d7b.tmp

Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\53e6a9ff-6628-4c05-9f9e-5740d15f61de.tmp

Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\53e6a9ff-6628-4c05-9f9e-5740d15f61de.tmp

Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\607cd18f-98c4-4c86-94ad-33f9ee772d45.tmp

Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\607cd18f-98c4-4c86-94ad-33f9ee772d45.tmp

Filesize
25KB

MD5
9f670566b87be47f09e3871cd67ed6d9

SHA1
8b49dd7fb4bf06df0a16cfc03a42832b78bdfabd

SHA256
d7089602fa181dfd161165dc1bb34271e7481f88ee2ca06230da2a2269a68c80

SHA512
6e53a2d3c4329114f7e562d84bcb6345176ce4d7006c9d699d6dab9886d5aa277b5b8fe5cfb9e574a49e0c1de6414efa913cf9b3ffecd95e9fafa28370fc2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dydhshsoe.dll

Filesize
3.2MB

MD5
bdc32d8fc2bf1643dfe018a23d0f77a0

SHA1
f11b4450028f894353738a3045946ee7a580dea5

SHA256
791cf2949fdfe4b10584d7ff507e71a1864fa0c98002f717d6cdd1c4df1fa64f

SHA512
1d6474683bb65acb640be43aa1bf988d337f773a007bee22ac688af94d628d92514c1a07bc7000a9d756c7266c80a76901372f865956a0dd7036bad5a6413705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20220812_194409742.html

Filesize
93KB

MD5
71758797ae7914b1227d0b34c30c0797

SHA1
f63e17acdd4f8ed417c476a19742547291408963

SHA256
62bfa55487dface1cb7989308d91488315e79714153a4e40e1c14d4ca7a4a1c2

SHA512
98be11d1d910ad96ca12c39262e0be6ce451baebb2ceb0cc559762906e4993bdfaf7bdf3cb38eb67e055c9778560fe686fe155b39f8afc4a9d70880c14e9a829

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeesisuoeiaqit.tmp

Filesize
3.5MB

MD5
30d9bc7452d5819b304b121c517a8f73

SHA1
ea1b8ffa9f4918a90dfd7f574b5b0694bedb1d01

SHA256
364c226e4aadbfbe0ba89b0eeb4e8346462cf33f8e4a26ba9cf6501f196f3710

SHA512
db2e7649e3bbfa81234442e70666bf966edf904f3f33551940af6c77dada6cd958be81c003c34d71eb929e3f7ce3d3aa4665135fb67f420092b03931209c8fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeesisuoeiaqit.tmp

Filesize
3.5MB

MD5
30d9bc7452d5819b304b121c517a8f73

SHA1
ea1b8ffa9f4918a90dfd7f574b5b0694bedb1d01

SHA256
364c226e4aadbfbe0ba89b0eeb4e8346462cf33f8e4a26ba9cf6501f196f3710

SHA512
db2e7649e3bbfa81234442e70666bf966edf904f3f33551940af6c77dada6cd958be81c003c34d71eb929e3f7ce3d3aa4665135fb67f420092b03931209c8fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeesisuoeiaqit.tmp

Filesize
3.5MB

MD5
30d9bc7452d5819b304b121c517a8f73

SHA1
ea1b8ffa9f4918a90dfd7f574b5b0694bedb1d01

SHA256
364c226e4aadbfbe0ba89b0eeb4e8346462cf33f8e4a26ba9cf6501f196f3710

SHA512
db2e7649e3bbfa81234442e70666bf966edf904f3f33551940af6c77dada6cd958be81c003c34d71eb929e3f7ce3d3aa4665135fb67f420092b03931209c8fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Seeesisuoeiaqit.tmp

Filesize
3.5MB

MD5
30d9bc7452d5819b304b121c517a8f73

SHA1
ea1b8ffa9f4918a90dfd7f574b5b0694bedb1d01

SHA256
364c226e4aadbfbe0ba89b0eeb4e8346462cf33f8e4a26ba9cf6501f196f3710

SHA512
db2e7649e3bbfa81234442e70666bf966edf904f3f33551940af6c77dada6cd958be81c003c34d71eb929e3f7ce3d3aa4665135fb67f420092b03931209c8fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\XZIOFAVD-20220812-1951.log

Filesize
56KB

MD5
d431794afa91c4c3745055b53d795183

SHA1
ca518aa0948e9e8af5ec5a89bc613d7e4fc6c9d5

SHA256
2290c5fc19f04b088974b297c2677e0e848900c9188382d3b24611a02685ae03

SHA512
1ae72c1da9b766b3bea44aa3244ab028f7ed8c6e715b284ca111f6f22d3300dbc54a89639f3af0b0371c62c7cab81d4b8b76d807e9738f9d5aa4b329f25fdd64

Download Submit
C:\Users\Admin\AppData\Local\Temp\b702d486-654d-4716-aaa2-bc53c138b0f8.tmp

Filesize
84KB

MD5
5d35b8c0588457da1f0ab69f754dc768

SHA1
7f23363c2bf180c2300fd27a50d264b713c89c6c

SHA256
1f7a721b714f57504dab936b57f2d5dc7a0b5c1452eebbd44360705e2a636efa

SHA512
2b0fd2ddd99d5ff7c3ed4df844ecace96b36c5903ea7d996b9d01cf433d012263e8c7f5dde8db4a9f67c49e1535d7a34c02eb295d637fb4809970a4c511a51c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7a972bc-9460-4c6f-93c0-e6dd9473f34f.tmp

Filesize
23KB

MD5
2e0a52964e4f43a9830f01775bcb061b

SHA1
deedc2124380dcc834798466b7ae8ca986aba82f

SHA256
3884df97009ac7e97143743660ed8e010d5f77edcf611bf85276e876fc70754b

SHA512
56c28175bfeb1adfa70761dbf3d46f60b3545de1dd879b346658a2701a173c5fd1959dcb6ecb931f7589f8178fa46d026da0edcfef0471f0fc9d65df7bc6ea44

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
5d031b12263e4c18b48a434aafc8209e

SHA1
ed12ea0255d2c7dc4a4afaa30de511cec539e44c

SHA256
4d5adb4dd1a5d269e017680797a0403cfca1106411c061ce8753bfe9b4cbd5e4

SHA512
6b7a2e3d3d0b082ec3272229d0e5215d2269c96fb6993671e8614c8ce55e232463f5a812ff3f41aae806aae8681e18a5506c465ef20787eabd0f2257c1c2a2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI6492.txt

Filesize
414KB

MD5
e84baf36ed9355aac02c3f9de8a23c22

SHA1
78f5ff2e9a7bee6ad878f6b800723046a579b0ec

SHA256
91e5abdb3d637fd2ed154683857201bcf95a49f2c8b27ce36f7559f4f8deed81

SHA512
132e1e2b1dc9d44d902930fd3d8ea1806b17ca54eacce74a4517a17b789e9e5e575a9de7f16451cabeb3b4cceb6728ea9d51ebd299d4ce72b7de33246d286074

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI645A.txt

Filesize
11KB

MD5
7b873b39db7b02204b2619e7ad882462

SHA1
6277c99ed98c622c7fbc190669144ccb3744c4c4

SHA256
2814f20a867472a4137808b9695eec04264dddbb2e5e9d447fd0f46c4f303b96

SHA512
429213d5ea5f84bbbd25daecfee504bafca10606204fb53569475112ef969355f9c90eb33a9af7e63ac89adef1d3e2b0af0029eff12ed2b93d265f3f89793a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI6492.txt

Filesize
11KB

MD5
3deb951d119c378dff3d7911fa48dd12

SHA1
b74cbbddb4b37d46456da7a3e86260a3d8144e17

SHA256
0cf9936341117c121cc50582950760d7b24f1117749b451d82a45202f5aad461

SHA512
d9fc285be218af35e81d17b6bd78644d9bad8995cbfc466a0a671f171012f5ff760863e359ea49c9329c951a2280fa5b8e08e72c431e2c961e9fbc65bba7ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI6492.txt

Filesize
11KB

MD5
3deb951d119c378dff3d7911fa48dd12

SHA1
b74cbbddb4b37d46456da7a3e86260a3d8144e17

SHA256
0cf9936341117c121cc50582950760d7b24f1117749b451d82a45202f5aad461

SHA512
d9fc285be218af35e81d17b6bd78644d9bad8995cbfc466a0a671f171012f5ff760863e359ea49c9329c951a2280fa5b8e08e72c431e2c961e9fbc65bba7ce80

Download Submit
C:\Users\Admin\AppData\Local\Temp\e60d62fd-4f64-4839-9b40-06d8d042b5b1.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
266KB

MD5
d8d1de11d03af24869af247e5001848e

SHA1
7d2cd781cd67e64898b35c49cdc51aae41a55c17

SHA256
196626328a25c36cff2d8aceb59a8add1afcc3ec1d0e2e4e7e1fa31620758d1b

SHA512
668c9e89e46d6be4a84c4eb72ef052ffaf720761112b4bdb8953a474745cc82af900402527877502b95cf677c253a9962fe6dbf96e6beb189df1e1bea986163e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
6546d4da7c6194f907e8ce017b7fc87a

SHA1
0141e7cfd64447560c70d6a22ad94b7daa3f0a20

SHA256
a22d9512b262abdca444253594637115919e73a5d213a39652107ad52582a5aa

SHA512
07884f94c17f4fb3d7ff2c4950b2a77e168d5a3e4bf9147d73f4e2de385497909665330c5e3b03d78897365a406f245dd37fb31858eeaedf7f149003a48c6b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct5E8C.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct7D63.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct8A4A.tmp

Filesize
62KB

MD5
7185e716980842db27c3b3a88e1fe804

SHA1
e4615379cd4797629b4cc3da157f4d4a5412fb2b

SHA256
094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

SHA512
dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
16a993a13d195d20dca07319d0725671

SHA1
2642524456da144d2db89ea760fdd788461d74db

SHA256
4f17ddbb8ccc7da41e95a5f5bd1c4c7c99f7bf321cfdf67988e32591a4e375f2

SHA512
afaea880275fa137598f5bb676059966e5b3df29473ad978ae1e4e378b674d9e52cb79629a0be5399c02170306658a635d909efe8b82daa848328858d1cf0be0

Download Submit
memory/432-157-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/432-149-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/432-145-0x00000000037DC000-0x0000000003DC6000-memory.dmp

Filesize
5.9MB

Download
memory/1388-258-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/1388-235-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/1388-238-0x0000000003834000-0x0000000003E1E000-memory.dmp

Filesize
5.9MB

Download
memory/1440-135-0x00000000055E0000-0x0000000005C00000-memory.dmp

Filesize
6.1MB

Download
memory/1440-136-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/1440-132-0x0000000003848000-0x0000000003E32000-memory.dmp

Filesize
5.9MB

Download
memory/1440-134-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/1440-133-0x00000000055E0000-0x0000000005C00000-memory.dmp

Filesize
6.1MB

Download
memory/1440-150-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/1520-204-0x0000000004170000-0x00000000042B0000-memory.dmp

Filesize
1.2MB

Download
memory/1520-151-0x0000000002420000-0x000000000276D000-memory.dmp

Filesize
3.3MB

Download
memory/1520-187-0x0000000004170000-0x00000000042B0000-memory.dmp

Filesize
1.2MB

Download
memory/1520-188-0x0000000004170000-0x00000000042B0000-memory.dmp

Filesize
1.2MB

Download
memory/1520-186-0x0000000003510000-0x000000000406F000-memory.dmp

Filesize
11.4MB

Download
memory/1520-185-0x0000000003510000-0x000000000406F000-memory.dmp

Filesize
11.4MB

Download
memory/1520-148-0x0000000002420000-0x000000000276D000-memory.dmp

Filesize
3.3MB

Download
memory/1520-223-0x0000000003510000-0x000000000406F000-memory.dmp

Filesize
11.4MB

Download
memory/1520-203-0x0000000004170000-0x00000000042B0000-memory.dmp

Filesize
1.2MB

Download
memory/1520-202-0x0000000004170000-0x00000000042B0000-memory.dmp

Filesize
1.2MB

Download
memory/1520-201-0x0000000004170000-0x00000000042B0000-memory.dmp

Filesize
1.2MB

Download
memory/1520-156-0x0000000002420000-0x000000000276D000-memory.dmp

Filesize
3.3MB

Download
memory/1864-254-0x0000000003570000-0x00000000040CF000-memory.dmp

Filesize
11.4MB

Download
memory/1864-191-0x00000000024E0000-0x000000000282D000-memory.dmp

Filesize
3.3MB

Download
memory/1864-256-0x00000000024E0000-0x000000000282D000-memory.dmp

Filesize
3.3MB

Download
memory/1864-257-0x0000000003570000-0x00000000040CF000-memory.dmp

Filesize
11.4MB

Download
memory/1864-179-0x00000000024E0000-0x000000000282D000-memory.dmp

Filesize
3.3MB

Download
memory/1864-255-0x0000000003570000-0x00000000040CF000-memory.dmp

Filesize
11.4MB

Download
memory/1864-181-0x00000000024E0000-0x000000000282D000-memory.dmp

Filesize
3.3MB

Download
memory/1912-171-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/1912-158-0x0000000003836000-0x0000000003E20000-memory.dmp

Filesize
5.9MB

Download
memory/1912-163-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/2008-218-0x0000000002C30000-0x000000000378F000-memory.dmp

Filesize
11.4MB

Download
memory/2008-220-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2008-213-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2008-219-0x0000000002C30000-0x000000000378F000-memory.dmp

Filesize
11.4MB

Download
memory/2008-215-0x0000000002C30000-0x000000000378F000-memory.dmp

Filesize
11.4MB

Download
memory/2072-207-0x000002CD3E460000-0x000002CD3E5A0000-memory.dmp

Filesize
1.2MB

Download
memory/2072-217-0x0000000000730000-0x00000000009D8000-memory.dmp

Filesize
2.7MB

Download
memory/2072-214-0x000002CD3CB90000-0x000002CD3CE49000-memory.dmp

Filesize
2.7MB

Download
memory/2072-206-0x000002CD3E460000-0x000002CD3E5A0000-memory.dmp

Filesize
1.2MB

Download
memory/2280-170-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2280-239-0x0000000003600000-0x000000000415F000-memory.dmp

Filesize
11.4MB

Download
memory/2280-180-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2280-240-0x0000000003600000-0x000000000415F000-memory.dmp

Filesize
11.4MB

Download
memory/2280-242-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/2280-253-0x0000000003600000-0x000000000415F000-memory.dmp

Filesize
11.4MB

Download
memory/2280-241-0x0000000003600000-0x000000000415F000-memory.dmp

Filesize
11.4MB

Download
memory/3192-182-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/3192-174-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/3192-173-0x0000000003730000-0x0000000003D1A000-memory.dmp

Filesize
5.9MB

Download
memory/3592-184-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/3592-183-0x0000000003766000-0x0000000003D50000-memory.dmp

Filesize
5.9MB

Download
memory/3592-216-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/3592-212-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/4156-164-0x0000000002260000-0x00000000025AD000-memory.dmp

Filesize
3.3MB

Download
memory/4156-172-0x0000000002260000-0x00000000025AD000-memory.dmp

Filesize
3.3MB

Download
memory/4156-236-0x0000000002260000-0x00000000025AD000-memory.dmp

Filesize
3.3MB

Download
memory/4156-234-0x0000000003310000-0x0000000003E6F000-memory.dmp

Filesize
11.4MB

Download
memory/4156-224-0x0000000003310000-0x0000000003E6F000-memory.dmp

Filesize
11.4MB

Download
memory/4156-259-0x0000000003310000-0x0000000003E6F000-memory.dmp

Filesize
11.4MB

Download
memory/4156-237-0x0000000003310000-0x0000000003E6F000-memory.dmp

Filesize
11.4MB

Download
memory/4156-162-0x0000000002260000-0x00000000025AD000-memory.dmp

Filesize
3.3MB

Download
memory/4820-142-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/4820-165-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/4820-140-0x0000000000400000-0x0000000003204000-memory.dmp

Filesize
46.0MB

Download
memory/4820-139-0x0000000005480000-0x0000000005AA0000-memory.dmp

Filesize
6.1MB

Download
memory/4820-138-0x00000000036EE000-0x0000000003CD8000-memory.dmp

Filesize
5.9MB

Download
memory/5056-166-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/5056-194-0x0000000003860000-0x00000000043BF000-memory.dmp

Filesize
11.4MB

Download
memory/5056-196-0x0000000003860000-0x00000000043BF000-memory.dmp

Filesize
11.4MB

Download
memory/5056-155-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/5056-197-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/5056-198-0x0000000003860000-0x00000000043BF000-memory.dmp

Filesize
11.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads