f1bbcc5c678d174d858ae089f4494e3ea8bcfc418098d61804a15e437f08aff7

Resubmissions

03-07-2024 22:59

240703-2yn7wszhlp 10

03-07-2024 16:13

03-07-2024 16:11

10-05-2024 16:25

24-08-2023 11:16

05-08-2023 22:52

Analysis

max time kernel
1693s
max time network
1704s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Size

669KB
MD5

ead18f3a909685922d7213714ea9a183
SHA1

1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512

6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
SSDEEP

6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score

10^/10

discovery persistence ransomware upx

Malware Config

Extracted

Path

C:\Users\Public\Documents\_readme.txt

Ransom Note

ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

Emails

[email protected]

URLs

https://we.tl/t-T9WE5uiVT6

Signatures

Renames multiple (220) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Executes dropped EXE 24 IoCs

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

pid	process
3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3204	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5032	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3736	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3848	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2344	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1484	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
976	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4444	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4948	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1972	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1468	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4952	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2424	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
796	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4748	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5028 icacls.exe

pid	process
5028	icacls.exe

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral18/memory/4728-0-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	upx
behavioral18/memory/2220-12-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/2824-25-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/3704-26-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4624-30-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/3508-1124-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/3204-1213-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/5032-1218-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4680-1228-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/3848-1235-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/3736-1234-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/2344-1251-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/1716-1266-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/1484-1272-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/976-1273-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4444-1278-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/5040-1289-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4948-1296-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/1972-1297-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/728-1301-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/688-1314-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/1656-1321-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/1468-1322-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4952-1326-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4928-1340-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/2424-1346-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/796-1348-0x0000000000400000-0x00000000004A9000-memory.dmp	upx
behavioral18/memory/4748-1352-0x0000000000400000-0x00000000004A9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart"	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Drops desktop.ini file(s) 35 IoCs

Processes:

5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

description	ioc	process
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Looks up external IP address via web service 35 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
92	api.2ip.ua
127	api.2ip.ua
134	api.2ip.ua
136	api.2ip.ua
27	api.2ip.ua
55	api.2ip.ua
108	api.2ip.ua
111	api.2ip.ua
12	api.2ip.ua
94	api.2ip.ua
109	api.2ip.ua
128	api.2ip.ua
21	api.2ip.ua
135	api.2ip.ua
129	api.2ip.ua
138	api.2ip.ua
143	api.2ip.ua
60	api.2ip.ua
100	api.2ip.ua
110	api.2ip.ua
126	api.2ip.ua
106	api.2ip.ua
116	api.2ip.ua
120	api.2ip.ua
93	api.2ip.ua
118	api.2ip.ua
119	api.2ip.ua
125	api.2ip.ua
137	api.2ip.ua
144	api.2ip.ua
145	api.2ip.ua
54	api.2ip.ua
87	api.2ip.ua
99	api.2ip.ua
117	api.2ip.ua

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 29 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3292	4728	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
720	4624	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3756	2824	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4564	3704	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
728	2220	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4292	4656	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1120	3508	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3012	5032	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2084	3204	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4860	2344	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1792	3736	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4768	3848	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3508	4680	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3616	976	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1784	1716	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
368	4444	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1892	1484	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2232	1972	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3216	5040	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4532	728	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2876	4948	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4116	1468	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4340	688	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1724	4952	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4956	1656	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3224	796	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3688	4928	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3640	4748	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3768	2424	WerFault.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Modifies registry class 2 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2080292272-204036150-2159171770-1000\{529935FD-2EA8-4909-9A53-D7814C55EC15}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

pid	process
4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2824	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2824	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3704	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3704	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4624	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4624	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3204	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3204	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5032	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5032	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3736	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3736	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2344	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2344	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3848	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
3848	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1484	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1484	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
976	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
976	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4444	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4444	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4948	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4948	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1972	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1972	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1468	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
1468	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4952	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4952	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2424	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
2424	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
796	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
796	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4748	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
4748	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

explorer.exe

description	pid	process
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe
Token: SeShutdownPrivilege	1512	explorer.exe
Token: SeCreatePagefilePrivilege	1512	explorer.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

explorer.exe

pid process

1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
Suspicious use of SendNotifyMessage 8 IoCs

Processes:

explorer.exe

pid process

1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe
1512 explorer.exe

pid	process
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe

pid	process
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe
1512	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc" /deny *S-1-1-0:(OI)(CI)(DE,DC)
2⤵
- Modifies file permissions
PID:5028

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
2⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2220

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2824 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 1064
5⤵
- Program crash
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 1760
4⤵
- Program crash
PID:3756

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2220 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3704 -s 1080
4⤵
- Program crash
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 1032
3⤵
- Program crash
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 2124
2⤵
- Program crash
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4728 -ip 4728
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4624 -ip 4624
1⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2824 -ip 2824
1⤵
PID:1696

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3204

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3204 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1052
4⤵
- Program crash
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 1064
3⤵
- Program crash
PID:2084

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3508 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1092
3⤵
- Program crash
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 1668
2⤵
- Program crash
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3704 -ip 3704
1⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2220 -ip 2220
1⤵
PID:1040

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4656 -ip 4656
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3508 -ip 3508
1⤵
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5032 -ip 5032
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3204 -ip 3204
1⤵
PID:3984

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4680

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3736

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3736 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 1064
4⤵
- Program crash
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3736 -s 1724
3⤵
- Program crash
PID:1792

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4680 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 1596
3⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 1520
2⤵
- Program crash
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2344 -ip 2344
1⤵
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3736 -ip 3736
1⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3848 -ip 3848
1⤵
PID:336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4680 -ip 4680
1⤵
PID:3708

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1716

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1484 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 1064
4⤵
- Program crash
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 1628
3⤵
- Program crash
PID:1892

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1716 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1060
3⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 1640
2⤵
- Program crash
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 976 -ip 976
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1716 -ip 1716
1⤵
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4444 -ip 4444
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1484 -ip 1484
1⤵
PID:540

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4948 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 1060
4⤵
- Program crash
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1624
3⤵
- Program crash
PID:2876

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 5040 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 1616
3⤵
- Program crash
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1660
2⤵
- Program crash
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1972 -ip 1972
1⤵
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5040 -ip 5040
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 728 -ip 728
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4948 -ip 4948
1⤵
PID:2652

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:744

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:688

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1656

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1656 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 1060
4⤵
- Program crash
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 1640
3⤵
- Program crash
PID:4956

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 688 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1604
3⤵
- Program crash
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 1704
2⤵
- Program crash
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1468 -ip 1468
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 688 -ip 688
1⤵
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4952 -ip 4952
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1656 -ip 1656
1⤵
PID:2020

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe --Task
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2424

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2424 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 1064
4⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1640
3⤵
- Program crash
PID:3768

C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
"C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 4928 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1600
3⤵
- Program crash
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4928 -s 1680
2⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 796 -ip 796
1⤵
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4928 -ip 4928
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4748 -ip 4748
1⤵
PID:4860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2424 -ip 2424
1⤵
PID:4124

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
Filesize
1.3MB

MD5
f782b09fd215d3d9bb898d61ea2e7a37

SHA1
a382348e9592bdf93dd10c49773b815a992fa7c7

SHA256
7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694

SHA512
9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

Download Submit
C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.kropun
Filesize
622KB

MD5
4e6518161cc338011531e6ec335401e2

SHA1
6d221aae3781af873141e6bbc6790c7ffb20259e

SHA256
a47f41aa7bcec0354731bea88367b16ea9010ff199298e613b6e3aee6744beca

SHA512
549c082c5d737f1b1ffcabea6b7f5c44d87efbc9864081afb02a10fa33ffb7c4a081956814e0ccbf9f0ed8a590c4ee9bad782ca49bd63ec9818a25e5b3af1382

Download Submit
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
Filesize
736KB

MD5
c3c0fe1bf5f38a6c89cead208307b99c

SHA1
df5d4f184c3124d4749c778084f35a2c00066b0b

SHA256
f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf

SHA512
0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize
180KB

MD5
b2e47100abd58190e40c8b6f9f672a36

SHA1
a754a78021b16e63d9e606cacc6de4fcf6872628

SHA256
889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128

SHA512
d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

Download Submit
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
Filesize
26.0MB

MD5
078fdfc06d675c9476796f61e8d8b396

SHA1
183e0f30aad003e5443fc282813f349ebd7bb1c8

SHA256
71474bbf9ec8997bb0ec65853cb095b000f1cdd52aa3f53b486a994588a4b7f7

SHA512
ec1b7bb3993e7022b600557fb63f405cca68fa269ebf9cebb4c699c7e35ac3bdafac44c12b60b67c01987d499023a2b5cfea0bdb66684eff4d67546ec5952a68

Download Submit
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
Filesize
28.5MB

MD5
01bc6dc2e63ba4656e64f83debbc1f4e

SHA1
823cb85a326995b562bd02e26996a4a841795322

SHA256
b96e7138eee33474e5ec02c855673b56f78f0773d10fb962b7c9d015597db689

SHA512
90f0a9df306c83c3c10cdc7cb03110bb75796b3462a3562743a5a4cf9366d85e157cdf7b60bf6458051a0deec9275ae30fc49d19f83aebaae01ec908b3335175

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
1KB

MD5
2365869258df7a66a2121b802ca4afd9

SHA1
73acc30a2edeb9d6830de559bb8a74f35168135d

SHA256
d6b1932822bbd72a8e78c771717d992142348f67d625a42393719fefbe59b0ed

SHA512
795004bab536e128dbd81c188976d37c7b650efbfa5a80374df4c65a1049c27658f4620b7605583928eb167fcb69b4c99e4c8730c507b824a7bde9c7fb0e21f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize
174B

MD5
5413ecc23c0ba6536c815c0a0921c4bf

SHA1
2976e43f95c67598c18567ce7818c48d04092fcf

SHA256
580fd653a810cc232f5eb88785c4f31295a79d64ba02d5936be8529aa03c63be

SHA512
466bcc9669fa6e3c1384fbd9e6bcc139c6ea051e673b196682f9407ed22ba31ae4b0208ad2de0ed1ce0a7510c47511493392c429ed02d791d1becdde02fffefd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize
170B

MD5
b55754d8033c850e4feff2b1f9f277a1

SHA1
e907302ee80f7cbb7c36cf01206a55ddf51279d0

SHA256
7364a4cd202823b44a607f7922273e04d3cbb41eb2c9aea9cb44c62f6dc5f198

SHA512
2e71a85e9213407824e9a0bb88c985652bd461ce50ef50394065e3f3e685dfa79a20ab2ffbb804df9dda3c2b2515740621c927678343837154df5432a3e7348e

Download Submit
C:\Users\Admin\AppData\Local\ef2513b2-e2df-4a44-808c-7e2436c6c4cc\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Filesize
669KB

MD5
ead18f3a909685922d7213714ea9a183

SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf

SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

Download Submit
C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db
Filesize
16KB

MD5
e6f74e2e02b6bc6051dc9d3c23b21061

SHA1
85e6d7bddee419dafe3908b3b7958e1bf7a4c433

SHA256
4ee4950c5677a3ddd56bbfc3eb4c4893931916a8dd681f6b09def926c93b0334

SHA512
b61fd1318c118b47f251720ae8ebabb4a2d4ea03f6f975e7040f007c61133edadf07a6e53d54583698ef2afd6e608eb31ca23c511211b694bc1adb71937f202a

Download Submit
C:\Users\Public\Documents\_readme.txt
Filesize
1KB

MD5
d75064cfaac9c92f52aadf373dc7e463

SHA1
36ea05181d9b037694929ec81f276f13c7d2655c

SHA256
163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508

SHA512
43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/688-1320-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/688-1314-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/688-1331-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/728-1310-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/728-1301-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/796-1348-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/796-1354-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/976-1273-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/976-1279-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1468-1329-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1468-1322-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1484-1272-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1484-1287-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1656-1338-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1656-1321-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1716-1268-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1716-1269-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1716-1266-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1716-1280-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1972-1303-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1972-1297-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-22-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-1208-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-1106-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-32-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-24-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-23-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-17-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2220-12-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2344-1258-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2344-1251-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2344-1259-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2424-1346-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2424-1363-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2824-28-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2824-38-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2824-25-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2824-33-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3204-1223-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3204-1226-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3204-1213-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3508-1221-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3508-1211-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3508-1210-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3508-1124-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3704-1207-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3704-34-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3704-26-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3736-1260-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3736-1253-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3736-1247-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3736-1234-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3848-1235-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3848-1248-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3848-1263-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/3848-1262-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4444-1278-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4444-1285-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4624-30-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4624-36-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4624-37-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4656-1220-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4680-1228-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4680-1246-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4680-1231-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4680-1264-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4680-1230-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4728-2-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/4728-3-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4728-0-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4728-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4728-14-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4748-1352-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4748-1361-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4928-1345-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4928-1356-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4928-1340-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4948-1296-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4948-1312-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4952-1336-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4952-1326-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5032-1225-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5032-1218-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5032-1224-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5040-1305-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5040-1295-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/5040-1289-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download

description	pid	process	target process
PID 4728 wrote to memory of 5028	4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 4728 wrote to memory of 5028	4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 4728 wrote to memory of 5028	4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	icacls.exe
PID 4728 wrote to memory of 2220	4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4728 wrote to memory of 2220	4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4728 wrote to memory of 2220	4728	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2220 wrote to memory of 2824	2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2220 wrote to memory of 2824	2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2220 wrote to memory of 2824	2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2220 wrote to memory of 3704	2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2220 wrote to memory of 3704	2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2220 wrote to memory of 3704	2220	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2824 wrote to memory of 4624	2824	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2824 wrote to memory of 4624	2824	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2824 wrote to memory of 4624	2824	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3508 wrote to memory of 3204	3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3508 wrote to memory of 3204	3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3508 wrote to memory of 3204	3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3508 wrote to memory of 4656	3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3508 wrote to memory of 4656	3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3508 wrote to memory of 4656	3508	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3204 wrote to memory of 5032	3204	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3204 wrote to memory of 5032	3204	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3204 wrote to memory of 5032	3204	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4680 wrote to memory of 3736	4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4680 wrote to memory of 3736	4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4680 wrote to memory of 3736	4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4680 wrote to memory of 3848	4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4680 wrote to memory of 3848	4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4680 wrote to memory of 3848	4680	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3736 wrote to memory of 2344	3736	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3736 wrote to memory of 2344	3736	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3736 wrote to memory of 2344	3736	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1716 wrote to memory of 1484	1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1716 wrote to memory of 1484	1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1716 wrote to memory of 1484	1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1716 wrote to memory of 976	1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1716 wrote to memory of 976	1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1716 wrote to memory of 976	1716	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1484 wrote to memory of 4444	1484	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1484 wrote to memory of 4444	1484	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1484 wrote to memory of 4444	1484	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5040 wrote to memory of 4948	5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5040 wrote to memory of 4948	5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5040 wrote to memory of 4948	5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5040 wrote to memory of 1972	5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5040 wrote to memory of 1972	5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 5040 wrote to memory of 1972	5040	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4948 wrote to memory of 728	4948	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4948 wrote to memory of 728	4948	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4948 wrote to memory of 728	4948	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 688 wrote to memory of 1656	688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 688 wrote to memory of 1656	688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 688 wrote to memory of 1656	688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 688 wrote to memory of 1468	688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 688 wrote to memory of 1468	688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 688 wrote to memory of 1468	688	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1656 wrote to memory of 4952	1656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1656 wrote to memory of 4952	1656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1656 wrote to memory of 4952	1656	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4928 wrote to memory of 2424	4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4928 wrote to memory of 2424	4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4928 wrote to memory of 2424	4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 4928 wrote to memory of 796	4928	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe	5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe