gh0strat | 2bccc88ecc78857e5e892f8846bf2c6ca3ad188e1b18c5d8983eb2d0427c0abf

Analysis

max time kernel
71s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe
Size

209KB
MD5

fa9efc1bbd5655dc5f362006e474416c
SHA1

03443e223b41d45c752ffe9a4fd20812486cf66f
SHA256

2bccc88ecc78857e5e892f8846bf2c6ca3ad188e1b18c5d8983eb2d0427c0abf
SHA512

b8d443a594d08cb7951a831ad6b22dd3cf6d31866128c905cf8184b5f0221c25925d78b4b830ec73299398c18c09954970ae4527c6dd75ef6f0fe5005376139f
SSDEEP

3072:woc58jSVn7q9dZL2tTA8E0MeJ+9U1wWlhZ6yOm3kJ1BaHDTB3yoh+k8MTbN:wlJc2ts8ReU1zZB3k3KDTB3yJk8

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/1376-0-0x0000000010000000-0x0000000010027000-memory.dmp	family_gh0strat
behavioral2/memory/1656-7-0x0000000010000000-0x0000000010027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
4956	WScript.exe

Executes dropped EXE 64 IoCs

pid	Process
1656	pufxqc.exe
4628	pufxqc.exe
3296	pufxqc.exe
2732	pufxqc.exe
976	pufxqc.exe
2816	pufxqc.exe
2680	pufxqc.exe
4976	pufxqc.exe
3700	pufxqc.exe
1172	pufxqc.exe
2312	pufxqc.exe
4904	pufxqc.exe
2792	pufxqc.exe
528	pufxqc.exe
2292	pufxqc.exe
5012	pufxqc.exe
4464	pufxqc.exe
4388	pufxqc.exe
648	pufxqc.exe
2088	pufxqc.exe
880	pufxqc.exe
3044	pufxqc.exe
2744	pufxqc.exe
5116	pufxqc.exe
2324	pufxqc.exe
3296	pufxqc.exe
3036	pufxqc.exe
872	pufxqc.exe
4020	pufxqc.exe
3584	pufxqc.exe
4560	pufxqc.exe
3968	pufxqc.exe
1180	pufxqc.exe
3532	pufxqc.exe
1812	pufxqc.exe
2260	pufxqc.exe
2312	pufxqc.exe
2800	pufxqc.exe
3144	pufxqc.exe
2764	pufxqc.exe
4928	pufxqc.exe
4452	pufxqc.exe
836	pufxqc.exe
4524	pufxqc.exe
3028	pufxqc.exe
1572	pufxqc.exe
2060	pufxqc.exe
4956	pufxqc.exe
4568	pufxqc.exe
392	pufxqc.exe
1656	pufxqc.exe
1408	pufxqc.exe
220	pufxqc.exe
928	pufxqc.exe
872	pufxqc.exe
4676	pufxqc.exe
3288	pufxqc.exe
1648	pufxqc.exe
3048	pufxqc.exe
3708	pufxqc.exe
3852	pufxqc.exe
4532	pufxqc.exe
4260	pufxqc.exe
332	pufxqc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\pufxqc.exe	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe
File opened for modification	C:\Windows\pufxqc.exe	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

pid	pid_target	Process	procid_target
2768	1656	WerFault.exe	87
928	2732	WerFault.exe	98
4108	2680	WerFault.exe	103
3832	1172	WerFault.exe	108
2092	2792	WerFault.exe	113
3420	5012	WerFault.exe	118
668	648	WerFault.exe	123
4448	3044	WerFault.exe	128
1316	2324	WerFault.exe	133
2536	872	WerFault.exe	140
4976	4560	WerFault.exe	145
1884	3532	WerFault.exe	151
3008	2312	WerFault.exe	156
3260	2764	WerFault.exe	161
880	836	WerFault.exe	166
4804	1572	WerFault.exe	171
4832	4568	WerFault.exe	176
1704	1408	WerFault.exe	181
1900	872	WerFault.exe	186
4136	1648	WerFault.exe	191
1776	3852	WerFault.exe	196
4788	332	WerFault.exe	201
1660	3880	WerFault.exe	206
972	4424	WerFault.exe	211
4472	2096	WerFault.exe	216
3396	1316	WerFault.exe	221
4124	2952	WerFault.exe	226
2116	4880	WerFault.exe	231
4684	2412	WerFault.exe	236
4320	4904	WerFault.exe	241
2316	2360	WerFault.exe	246
1736	2760	WerFault.exe	251
5076	5096	WerFault.exe	256
1572	628	WerFault.exe	261
2436	2780	WerFault.exe	266
4396	3096	WerFault.exe	271
624	2256	WerFault.exe	276
4136	3288	WerFault.exe	281
4888	5032	WerFault.exe	287
3448	1944	WerFault.exe	292
4348	1632	WerFault.exe	297
4784	4928	WerFault.exe	302
2232	3060	WerFault.exe	307
2332	3044	WerFault.exe	312
1144	4956	WerFault.exe	317
1084	3296	WerFault.exe	322
604	4020	WerFault.exe	327
872	4088	WerFault.exe	332
4156	4968	WerFault.exe	337
1424	5112	WerFault.exe	342
1812	3532	WerFault.exe	347
956	208	WerFault.exe	352
4336	5040	WerFault.exe	357
3480	3880	WerFault.exe	362
2324	1128	WerFault.exe	367
1084	4656	WerFault.exe	373
3924	2720	WerFault.exe	379
1080	440	WerFault.exe	384
3640	1056	WerFault.exe	389
3844	4004	WerFault.exe	394
4792	3104	WerFault.exe	400
1796	208	WerFault.exe	405
3216	2232	WerFault.exe	410
4544	4528	WerFault.exe	418

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000_Classes\Local Settings	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1376	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe
1656	pufxqc.exe
4628	pufxqc.exe
3296	pufxqc.exe
2732	pufxqc.exe
976	pufxqc.exe
2816	pufxqc.exe
2680	pufxqc.exe
4976	pufxqc.exe
3700	pufxqc.exe
1172	pufxqc.exe
2312	pufxqc.exe
4904	pufxqc.exe
2792	pufxqc.exe
528	pufxqc.exe
2292	pufxqc.exe
5012	pufxqc.exe
4388	pufxqc.exe
648	pufxqc.exe
2088	pufxqc.exe
880	pufxqc.exe
3044	pufxqc.exe
2744	pufxqc.exe
5116	pufxqc.exe
2324	pufxqc.exe
3296	pufxqc.exe
3036	pufxqc.exe
872	pufxqc.exe
4020	pufxqc.exe
3584	pufxqc.exe
4560	pufxqc.exe
3968	pufxqc.exe
1180	pufxqc.exe
3532	pufxqc.exe
1812	pufxqc.exe
2260	pufxqc.exe
2312	pufxqc.exe
2800	pufxqc.exe
3144	pufxqc.exe
2764	pufxqc.exe
4928	pufxqc.exe
4452	pufxqc.exe
836	pufxqc.exe
4524	pufxqc.exe
3028	pufxqc.exe
1572	pufxqc.exe
2060	pufxqc.exe
4956	pufxqc.exe
4568	pufxqc.exe
392	pufxqc.exe
1656	pufxqc.exe
1408	pufxqc.exe
220	pufxqc.exe
928	pufxqc.exe
872	pufxqc.exe
4676	pufxqc.exe
3288	pufxqc.exe
1648	pufxqc.exe
3048	pufxqc.exe
3708	pufxqc.exe
3852	pufxqc.exe
4532	pufxqc.exe
4260	pufxqc.exe
332	pufxqc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4956	1376	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe	88
PID 1376 wrote to memory of 4956	1376	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe	88
PID 1376 wrote to memory of 4956	1376	fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe	88
PID 1656 wrote to memory of 4628	1656	pufxqc.exe	89
PID 1656 wrote to memory of 4628	1656	pufxqc.exe	89
PID 1656 wrote to memory of 4628	1656	pufxqc.exe	89
PID 1656 wrote to memory of 3296	1656	pufxqc.exe	91
PID 1656 wrote to memory of 3296	1656	pufxqc.exe	91
PID 1656 wrote to memory of 3296	1656	pufxqc.exe	91
PID 2732 wrote to memory of 976	2732	pufxqc.exe	99
PID 2732 wrote to memory of 976	2732	pufxqc.exe	99
PID 2732 wrote to memory of 976	2732	pufxqc.exe	99
PID 2732 wrote to memory of 2816	2732	pufxqc.exe	100
PID 2732 wrote to memory of 2816	2732	pufxqc.exe	100
PID 2732 wrote to memory of 2816	2732	pufxqc.exe	100
PID 2680 wrote to memory of 4976	2680	pufxqc.exe	104
PID 2680 wrote to memory of 4976	2680	pufxqc.exe	104
PID 2680 wrote to memory of 4976	2680	pufxqc.exe	104
PID 2680 wrote to memory of 3700	2680	pufxqc.exe	105
PID 2680 wrote to memory of 3700	2680	pufxqc.exe	105
PID 2680 wrote to memory of 3700	2680	pufxqc.exe	105
PID 1172 wrote to memory of 2312	1172	pufxqc.exe	109
PID 1172 wrote to memory of 2312	1172	pufxqc.exe	109
PID 1172 wrote to memory of 2312	1172	pufxqc.exe	109
PID 1172 wrote to memory of 4904	1172	pufxqc.exe	110
PID 1172 wrote to memory of 4904	1172	pufxqc.exe	110
PID 1172 wrote to memory of 4904	1172	pufxqc.exe	110
PID 2792 wrote to memory of 528	2792	pufxqc.exe	114
PID 2792 wrote to memory of 528	2792	pufxqc.exe	114
PID 2792 wrote to memory of 528	2792	pufxqc.exe	114
PID 2792 wrote to memory of 2292	2792	pufxqc.exe	115
PID 2792 wrote to memory of 2292	2792	pufxqc.exe	115
PID 2792 wrote to memory of 2292	2792	pufxqc.exe	115
PID 5012 wrote to memory of 4464	5012	pufxqc.exe	119
PID 5012 wrote to memory of 4464	5012	pufxqc.exe	119
PID 5012 wrote to memory of 4464	5012	pufxqc.exe	119
PID 5012 wrote to memory of 4388	5012	pufxqc.exe	120
PID 5012 wrote to memory of 4388	5012	pufxqc.exe	120
PID 5012 wrote to memory of 4388	5012	pufxqc.exe	120
PID 648 wrote to memory of 2088	648	pufxqc.exe	124
PID 648 wrote to memory of 2088	648	pufxqc.exe	124
PID 648 wrote to memory of 2088	648	pufxqc.exe	124
PID 648 wrote to memory of 880	648	pufxqc.exe	170
PID 648 wrote to memory of 880	648	pufxqc.exe	170
PID 648 wrote to memory of 880	648	pufxqc.exe	170
PID 3044 wrote to memory of 2744	3044	pufxqc.exe	129
PID 3044 wrote to memory of 2744	3044	pufxqc.exe	129
PID 3044 wrote to memory of 2744	3044	pufxqc.exe	129
PID 3044 wrote to memory of 5116	3044	pufxqc.exe	130
PID 3044 wrote to memory of 5116	3044	pufxqc.exe	130
PID 3044 wrote to memory of 5116	3044	pufxqc.exe	130
PID 2324 wrote to memory of 3296	2324	pufxqc.exe	134
PID 2324 wrote to memory of 3296	2324	pufxqc.exe	134
PID 2324 wrote to memory of 3296	2324	pufxqc.exe	134
PID 2324 wrote to memory of 3036	2324	pufxqc.exe	136
PID 2324 wrote to memory of 3036	2324	pufxqc.exe	136
PID 2324 wrote to memory of 3036	2324	pufxqc.exe	136
PID 872 wrote to memory of 4020	872	pufxqc.exe	141
PID 872 wrote to memory of 4020	872	pufxqc.exe	141
PID 872 wrote to memory of 4020	872	pufxqc.exe	141
PID 872 wrote to memory of 3584	872	pufxqc.exe	142
PID 872 wrote to memory of 3584	872	pufxqc.exe	142
PID 872 wrote to memory of 3584	872	pufxqc.exe	142
PID 4560 wrote to memory of 3968	4560	pufxqc.exe	146

C:\Users\Admin\AppData\Local\Temp\fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa9efc1bbd5655dc5f362006e474416c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\1565.vbs"
  2⤵
  - Deletes itself
  PID:4956

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4628
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3296
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 640
  2⤵
  - Program crash
  PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1656 -ip 1656
1⤵
PID:2308

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 600
  2⤵
  - Program crash
  PID:928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2732 -ip 2732
1⤵
PID:3652

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4976
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3700
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 608
  2⤵
  - Program crash
  PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2680 -ip 2680
1⤵
PID:2924

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2312
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 580
  2⤵
  - Program crash
  PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1172 -ip 1172
1⤵
PID:1596

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:528
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 580
  2⤵
  - Program crash
  PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2792 -ip 2792
1⤵
PID:1040

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4388
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 604
  2⤵
  - Program crash
  PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5012 -ip 5012
1⤵
PID:3592

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 580
  2⤵
  - Program crash
  PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 648 -ip 648
1⤵
PID:5096

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2744
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 612
  2⤵
  - Program crash
  PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3044 -ip 3044
1⤵
PID:2104

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3296
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 580
  2⤵
  - Program crash
  PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2324 -ip 2324
1⤵
PID:4860

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4020
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 572
  2⤵
  - Program crash
  PID:2536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 872 -ip 872
1⤵
PID:2952

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3968
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1180
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 544
  2⤵
  - Program crash
  PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4560 -ip 4560
1⤵
PID:2720

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3532
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 612
  2⤵
  - Program crash
  PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3532 -ip 3532
1⤵
PID:4136

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2312
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2800
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3144
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 544
  2⤵
  - Program crash
  PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2312 -ip 2312
1⤵
PID:3704

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2764
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4928
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 584
  2⤵
  - Program crash
  PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2764 -ip 2764
1⤵
PID:2348

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:836
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4524
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 588
  2⤵
  - Program crash
  PID:880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 836 -ip 836
1⤵
PID:2124

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1572
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2060
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 580
  2⤵
  - Program crash
  PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1572 -ip 1572
1⤵
PID:2660

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4568
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:392
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 580
  2⤵
  - Program crash
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4568 -ip 4568
1⤵
PID:4456

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1408
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:220
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 624
  2⤵
  - Program crash
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1408 -ip 1408
1⤵
PID:3652

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:872
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4676
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3288
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 612
  2⤵
  - Program crash
  PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 872 -ip 872
1⤵
PID:4880

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1648
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3048
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3708
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 544
  2⤵
  - Program crash
  PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1648 -ip 1648
1⤵
PID:1056

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3852
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4532
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 600
  2⤵
  - Program crash
  PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3852 -ip 3852
1⤵
PID:1172

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:332
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:5004
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 536
  2⤵
  - Program crash
  PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 332 -ip 332
1⤵
PID:2752

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3880
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2892
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 580
  2⤵
  - Program crash
  PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3880 -ip 3880
1⤵
PID:4464

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4424
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:880
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 544
  2⤵
  - Program crash
  PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4424 -ip 4424
1⤵
PID:2300

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2096
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4120
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 580
  2⤵
  - Program crash
  PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2096 -ip 2096
1⤵
PID:1584

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:1316
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4028
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1316 -s 544
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1316 -ip 1316
1⤵
PID:4720

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2952
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1720
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 552
  2⤵
  - Program crash
  PID:4124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2952 -ip 2952
1⤵
PID:4996

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4880
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4184
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 544
  2⤵
  - Program crash
  PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4880 -ip 4880
1⤵
PID:420

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2412
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2396
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 580
  2⤵
  - Program crash
  PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2412 -ip 2412
1⤵
PID:1280

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4904
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4888
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 580
  2⤵
  - Program crash
  PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4904 -ip 4904
1⤵
PID:4156

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2360
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2792
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 608
  2⤵
  - Program crash
  PID:2316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2360 -ip 2360
1⤵
PID:3144

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2760
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1772
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 580
  2⤵
  - Program crash
  PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2760 -ip 2760
1⤵
PID:3332

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:5096
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3200
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 580
  2⤵
  - Program crash
  PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5096 -ip 5096
1⤵
PID:1888

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:628
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:880
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 584
  2⤵
  - Program crash
  PID:1572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 628 -ip 628
1⤵
PID:2768

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2780
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2248
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 612
  2⤵
  - Program crash
  PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2780 -ip 2780
1⤵
PID:3336

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3096
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4528
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 608
  2⤵
  - Program crash
  PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3096 -ip 3096
1⤵
PID:2148

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2256
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:220
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 608
  2⤵
  - Program crash
  PID:624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2256 -ip 2256
1⤵
PID:3492

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3288
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2368
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 544
  2⤵
  - Program crash
  PID:4136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3288 -ip 3288
1⤵
PID:3444

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:5032
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:892
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 616
  2⤵
  - Program crash
  PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5032 -ip 5032
1⤵
PID:4320

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:1944
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4368
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1944 -s 600
  2⤵
  - Program crash
  PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1944 -ip 1944
1⤵
PID:3532

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:1632
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4632
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 608
  2⤵
  - Program crash
  PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1632 -ip 1632
1⤵
PID:4388

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4928
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2760
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4336
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 544
  2⤵
  - Program crash
  PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4928 -ip 4928
1⤵
PID:1284

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3060
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2308
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3480
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 544
  2⤵
  - Program crash
  PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3060 -ip 3060
1⤵
PID:2000

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3044
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3000
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 612
  2⤵
  - Program crash
  PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3044 -ip 3044
1⤵
PID:880

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4956
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3596
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1656
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 628
  2⤵
  - Program crash
  PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4956 -ip 4956
1⤵
PID:2848

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3296
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1316
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 620
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3296 -ip 3296
1⤵
PID:1256

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4020
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:928
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 544
  2⤵
  - Program crash
  PID:604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4020 -ip 4020
1⤵
PID:3260

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4088
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4168
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 580
  2⤵
  - Program crash
  PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4088 -ip 4088
1⤵
PID:3948

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4968
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3168
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 544
  2⤵
  - Program crash
  PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4968 -ip 4968
1⤵
PID:4904

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:5112
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2168
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1476
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 624
  2⤵
  - Program crash
  PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5112 -ip 5112
1⤵
PID:4140

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3532
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3448
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2752
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 612
  2⤵
  - Program crash
  PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3532 -ip 3532
1⤵
PID:1944

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:208
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2080
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 612
  2⤵
  - Program crash
  PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 208 -ip 208
1⤵
PID:2312

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:5040
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2244
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 544
  2⤵
  - Program crash
  PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5040 -ip 5040
1⤵
PID:2160

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3880
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2756
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3880 -s 600
  2⤵
  - Program crash
  PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3880 -ip 3880
1⤵
PID:2768

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:1128
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3280
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 648
  2⤵
  - Program crash
  PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1128 -ip 1128
1⤵
PID:784

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4656
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:688
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1256
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 608
  2⤵
  - Program crash
  PID:1084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4656 -ip 4656
1⤵
PID:888

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2720
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:604
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 544
  2⤵
  - Program crash
  PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2720 -ip 2720
1⤵
PID:4124

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:440
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2924
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4416
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 580
  2⤵
  - Program crash
  PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 440 -ip 440
1⤵
PID:4836

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:1056
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3168
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1056 -s 608
  2⤵
  - Program crash
  PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1056 -ip 1056
1⤵
PID:2440

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4004
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4984
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 544
  2⤵
  - Program crash
  PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4004 -ip 4004
1⤵
PID:3892

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:3104
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:2752
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:1632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 580
  2⤵
  - Program crash
  PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3104 -ip 3104
1⤵
PID:2348

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:208
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:5012
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 608
  2⤵
  - Program crash
  PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 208 -ip 208
1⤵
PID:2244

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:2232
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:452
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 560
  2⤵
  - Program crash
  PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2232 -ip 2232
1⤵
PID:228

C:\Windows\pufxqc.exe
C:\Windows\pufxqc.exe
1⤵
PID:4528
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:4180
- C:\Windows\pufxqc.exe
  C:\Windows\pufxqc.exe Win7
  2⤵
  PID:3648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 608
  2⤵
  - Program crash
  PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4528 -ip 4528
1⤵
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\1565.vbs

Filesize
500B

MD5
a1fd29e464390e81d3d71bd6524eed5b

SHA1
661447c3dddc17175b8c16507b33aac25e69f86b

SHA256
ffe48f9a74dd9b0ec53ea81c2b5cf262fd956d22fb0fbd38cf455cde0e124052

SHA512
b422b29d5dbd3e34510a7806eed5b92fc400826b896e81fce923fe06b882dc26b59b944354612d9565ad9c473e520cef9cc9e59d66a8fad6e6911fafb8d8826f

Download Submit
C:\Windows\pufxqc.exe

Filesize
209KB

MD5
fa9efc1bbd5655dc5f362006e474416c

SHA1
03443e223b41d45c752ffe9a4fd20812486cf66f

SHA256
2bccc88ecc78857e5e892f8846bf2c6ca3ad188e1b18c5d8983eb2d0427c0abf

SHA512
b8d443a594d08cb7951a831ad6b22dd3cf6d31866128c905cf8184b5f0221c25925d78b4b830ec73299398c18c09954970ae4527c6dd75ef6f0fe5005376139f

Download Submit
memory/1376-0-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/1656-7-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download