glupteba | b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

Target

EB7233922891E1DAD0434FBD52623647.exe
Size

7.9MB
MD5

eb7233922891e1dad0434fbd52623647
SHA1

331126b108532ab9a1e932141bff55a38656bce9
SHA256

b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
SHA512

597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

installs3

65.21.228.92:46802

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerundll32.exerUNdlL32.eXe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	4848	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4848	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	4848	rUNdlL32.eXe

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe	family_redline
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe	family_redline
behavioral2/memory/5236-337-0x000001AEC8E20000-0x000001AEC8E39000-memory.dmp	family_redline
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe	family_redline
behavioral2/memory/4636-435-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/5392-481-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4840-488-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exejfiag3g_gg.exeWerFault.exeXuvylitadae.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

description	pid	process	target process
PID 1432 created 1096	1432	WerFault.exe	rundll32.exe
PID 3188 created 4504	3188	WerFault.exe	Info.exe
PID 5792 created 5288	5792	WerFault.exe	S9vvbu_thmJNivbyrd5cbgjY.exe
PID 5832 created 5276	5832	WerFault.exe	1JXoSiUoBQDRFxKQt6PfAJQT.exe
PID 5992 created 5556	5992	WerFault.exe	KaN6V1t36aPvGbjwrCNT4frv.exe
PID 5824 created 5340	5824	jfiag3g_gg.exe	ZP8ROxtPgq7xzmkTnY1ILt2W.exe
PID 5740 created 5592	5740	WerFault.exe	bXB9E3wOjLBBoAzWOKy1jhXH.exe
PID 5372 created 5192	5372	Xuvylitadae.exe	S5JNKYGQ09fmPKqgYZFlX5Wl.exe
PID 2104 created 2000	2104	WerFault.exe	rundll32.exe
PID 3976 created 4408	3976	WerFault.exe	rundll32.exe
PID 1204 created 1884	1204	WerFault.exe	askinstall53.exe
PID 6736 created 7084	6736	WerFault.exe	anyname.exe
PID 5428 created 7084	5428	WerFault.exe	anyname.exe
PID 5524 created 7084	5524	WerFault.exe	anyname.exe
PID 3896 created 3128	3896	WerFault.exe	A126.exe
PID 6356 created 5452	6356	WerFault.exe	explorer.exe
PID 5764 created 1400	5764	WerFault.exe	8421129.exe
PID 5512 created 4780	5512	WerFault.exe	1478644.exe
PID 3004 created 5344	3004	WerFault.exe	4881157.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

evasion 6 IoCs

evasion.

evasion

Processes:

resource	yara_rule
behavioral2/memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp	evasion
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe	evasion
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe	evasion
C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe	evasion
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe	evasion
behavioral2/memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp	evasion

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5556-296-0x00000000049F0000-0x0000000004A8D000-memory.dmp	family_vidar

Blocklisted process makes network request 9 IoCs

Processes:

rUNdlL32.eXeMsiExec.exepowershell.exe

flow	pid	process
117	5264	rUNdlL32.eXe
193	6456	MsiExec.exe
195	6456	MsiExec.exe
196	6456	MsiExec.exe
197	6456	MsiExec.exe
198	6456	MsiExec.exe
206	6456	MsiExec.exe
260	4276	powershell.exe
261	4276	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

aipackagechainer.exeh5Mf7fCP0iLoTpkZt0_ezgBy.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aipackagechainer.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	h5Mf7fCP0iLoTpkZt0_ezgBy.exe

Executes dropped EXE 64 IoCs

Processes:

KRSetp.exeFolder.exeFolder.exeInfo.exeInstallation.exeyOpfFns9feXR1oA37BXrUSoj.exei51OEtivp64F1h3jriSb9179.exeS5JNKYGQ09fmPKqgYZFlX5Wl.exeLvJ59gJxc3LSPWvaIC75WK3C.exeh5Mf7fCP0iLoTpkZt0_ezgBy.exeOaUqDiJqLrReD6nAIAxVSWA8.exeK9nJsFAus_AD4WbNTjIG3wOs.exenmRKRFlsM2jdww3bmd_iqMIN.exeZM0tOe8uO666xAL03x_SEt7G.exe1JXoSiUoBQDRFxKQt6PfAJQT.exeS9vvbu_thmJNivbyrd5cbgjY.exe6fb0NKLzbR9O1Hnpb8meEjoY.exebEYG8MCmwS_N0mgL9uYFs3Jb.exeMsKeXpA3JCm5KJWAfbFTLe6p.exeZP8ROxtPgq7xzmkTnY1ILt2W.exebAGRnF23dqqSQc9GLsP_8f2i.exeKaN6V1t36aPvGbjwrCNT4frv.exeiHcz2PjFZ8e9IDvRcRQLV9o9.exebXB9E3wOjLBBoAzWOKy1jhXH.exebFClUtu0XfsHUGnX6uO9BE2D.exe22222.exebEYG8MCmwS_N0mgL9uYFs3Jb.exeiHcz2PjFZ8e9IDvRcRQLV9o9.exeAGV_ZCjRSXUJEYPKIJWOth72.exeX6pFteX1hujq71gAoddJIl03.exeX6pFteX1hujq71gAoddJIl03.tmpcustomer3.exemd8_8eus.exejooyu.exe1cu20YjSd19Ml5gGnIdtbCyZ.exe11111.exejfiag3g_gg.exe8421129.exeK9nJsFAus_AD4WbNTjIG3wOs.exenmRKRFlsM2jdww3bmd_iqMIN.exe3544711.exei51OEtivp64F1h3jriSb9179.exemd9_1sjm.exeaskinstall53.exeK9nJsFAus_AD4WbNTjIG3wOs.exe11111.exeultramediaburner.tmpSetup.exeK9nJsFAus_AD4WbNTjIG3wOs.exeGameBox64bit.exenmRKRFlsM2jdww3bmd_iqMIN.exeCleaner Installation.exeVersiumresearch.exeMediaBurner2.exenote8876.exezhangfei.exeGameBoxWin64.exeWeather Installation.exeConhost.exeMediaBurner2.tmpmsedge.exe11111.exe

pid	process
4780	KRSetp.exe
4924	Folder.exe
4992	Folder.exe
4504	Info.exe
3980	Installation.exe
5168	yOpfFns9feXR1oA37BXrUSoj.exe
5180	i51OEtivp64F1h3jriSb9179.exe
5192	S5JNKYGQ09fmPKqgYZFlX5Wl.exe
5204	LvJ59gJxc3LSPWvaIC75WK3C.exe
5216	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
5236	OaUqDiJqLrReD6nAIAxVSWA8.exe
5228	K9nJsFAus_AD4WbNTjIG3wOs.exe
5252	nmRKRFlsM2jdww3bmd_iqMIN.exe
5264	ZM0tOe8uO666xAL03x_SEt7G.exe
5276	1JXoSiUoBQDRFxKQt6PfAJQT.exe
5288	S9vvbu_thmJNivbyrd5cbgjY.exe
5300	6fb0NKLzbR9O1Hnpb8meEjoY.exe
5316	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5328	MsKeXpA3JCm5KJWAfbFTLe6p.exe
5340	ZP8ROxtPgq7xzmkTnY1ILt2W.exe
5364	bAGRnF23dqqSQc9GLsP_8f2i.exe
5556	KaN6V1t36aPvGbjwrCNT4frv.exe
5548	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
5592	bXB9E3wOjLBBoAzWOKy1jhXH.exe
5584	bFClUtu0XfsHUGnX6uO9BE2D.exe
5908	22222.exe
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5260	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
2260	AGV_ZCjRSXUJEYPKIJWOth72.exe
796	X6pFteX1hujq71gAoddJIl03.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
1568	customer3.exe
5884	md8_8eus.exe
5836	jooyu.exe
2708	1cu20YjSd19Ml5gGnIdtbCyZ.exe
3180	11111.exe
5824	jfiag3g_gg.exe
1400	8421129.exe
5732	K9nJsFAus_AD4WbNTjIG3wOs.exe
4084	nmRKRFlsM2jdww3bmd_iqMIN.exe
1588	3544711.exe
4636	i51OEtivp64F1h3jriSb9179.exe
4252	md9_1sjm.exe
1884	askinstall53.exe
5896	K9nJsFAus_AD4WbNTjIG3wOs.exe
5248	11111.exe
5744	ultramediaburner.tmp
5908	22222.exe
5480	Setup.exe
5392	K9nJsFAus_AD4WbNTjIG3wOs.exe
496	GameBox64bit.exe
4840	nmRKRFlsM2jdww3bmd_iqMIN.exe
5692	Cleaner Installation.exe
3284	Versiumresearch.exe
3632	MediaBurner2.exe
3980	note8876.exe
1664	zhangfei.exe
1884	askinstall53.exe
3472	GameBoxWin64.exe
2536	Weather Installation.exe
1604	Conhost.exe
2240	MediaBurner2.tmp
5460	msedge.exe
6112	11111.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5884-367-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe9A5E.exebAGRnF23dqqSQc9GLsP_8f2i.exeLvJ59gJxc3LSPWvaIC75WK3C.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9A5E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9A5E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LvJ59gJxc3LSPWvaIC75WK3C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LvJ59gJxc3LSPWvaIC75WK3C.exe

Drops startup file 2 IoCs

Processes:

customer3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe	customer3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe	customer3.exe

Loads dropped DLL 64 IoCs

Processes:

rundll32.exeOaUqDiJqLrReD6nAIAxVSWA8.exeX6pFteX1hujq71gAoddJIl03.tmprundll32.exeCleaner Installation.exeGameBoxWin64.exeWeather Installation.exeMediaBurner2.tmprundll32.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeWerFault.exeMsiExec.exeWeather_Installation.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exeWeather.exe

pid	process
1096	rundll32.exe
5236	OaUqDiJqLrReD6nAIAxVSWA8.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
1284	X6pFteX1hujq71gAoddJIl03.tmp
2000	rundll32.exe
5692	Cleaner Installation.exe
3472	GameBoxWin64.exe
3472	GameBoxWin64.exe
2536	Weather Installation.exe
2240	MediaBurner2.tmp
4408	rundll32.exe
3472	GameBoxWin64.exe
2488	MsiExec.exe
2488	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
5504	MsiExec.exe
5504	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
6816	MsiExec.exe
6816	MsiExec.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
4032	Weather.exe
5424	Weather_Installation.exe
4032	Weather.exe
4032	Weather.exe
5424	Weather_Installation.exe
2788	Weather.exe
2360	Weather.exe
2360	Weather.exe
2360	Weather.exe
6012	Weather.exe
6012	Weather.exe
6012	Weather.exe
2360	Weather.exe
1108	Weather.exe
1108	Weather.exe
1108	Weather.exe
6656	Weather.exe
6656	Weather.exe
6656	Weather.exe
6656	Weather.exe
492	Weather.exe
492	Weather.exe
492	Weather.exe
6396	Weather.exe
6396	Weather.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe	themida
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe	themida
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe	themida
behavioral2/memory/5364-370-0x0000000000BD0000-0x0000000000BD1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exemsedge.exeWeather_Installation.exeultramediaburner.tmpaipackagechainer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Weather_Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --PH33"	Weather_Installation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	ultramediaburner.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Taewaezhobume.exe\""	aipackagechainer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bAGRnF23dqqSQc9GLsP_8f2i.exeLvJ59gJxc3LSPWvaIC75WK3C.exemd9_1sjm.exenote8876.exe9A5E.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LvJ59gJxc3LSPWvaIC75WK3C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	note8876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9A5E.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Weather Installation.exeCleaner Installation.exeWerFault.exeGameBoxWin64.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	Weather Installation.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\O:	Cleaner Installation.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\N:	GameBoxWin64.exe
File opened (read-only)	\??\R:	Weather Installation.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\H:	GameBoxWin64.exe
File opened (read-only)	\??\Z:	Weather Installation.exe
File opened (read-only)	\??\X:	GameBoxWin64.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	GameBoxWin64.exe
File opened (read-only)	\??\Y:	GameBoxWin64.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	Weather Installation.exe
File opened (read-only)	\??\N:	WerFault.exe
File opened (read-only)	\??\X:	WerFault.exe
File opened (read-only)	\??\F:	GameBoxWin64.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	Weather Installation.exe
File opened (read-only)	\??\U:	Cleaner Installation.exe
File opened (read-only)	\??\P:	WerFault.exe
File opened (read-only)	\??\P:	GameBoxWin64.exe
File opened (read-only)	\??\O:	Weather Installation.exe
File opened (read-only)	\??\S:	Weather Installation.exe
File opened (read-only)	\??\P:	Cleaner Installation.exe
File opened (read-only)	\??\L:	WerFault.exe
File opened (read-only)	\??\V:	WerFault.exe
File opened (read-only)	\??\B:	GameBoxWin64.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\F:	Cleaner Installation.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\T:	GameBoxWin64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	Weather Installation.exe
File opened (read-only)	\??\U:	WerFault.exe
File opened (read-only)	\??\M:	GameBoxWin64.exe
File opened (read-only)	\??\E:	Weather Installation.exe
File opened (read-only)	\??\H:	Weather Installation.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\G:	WerFault.exe
File opened (read-only)	\??\U:	GameBoxWin64.exe
File opened (read-only)	\??\Q:	Weather Installation.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	GameBoxWin64.exe
File opened (read-only)	\??\I:	Weather Installation.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	GameBoxWin64.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	WerFault.exe
File opened (read-only)	\??\Y:	WerFault.exe
File opened (read-only)	\??\O:	GameBoxWin64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\E:	WerFault.exe
File opened (read-only)	\??\I:	GameBoxWin64.exe
File opened (read-only)	\??\Z:	GameBoxWin64.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ipinfo.io
48 ipinfo.io
80 ip-api.com
121 ipinfo.io
173 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

bAGRnF23dqqSQc9GLsP_8f2i.exeLvJ59gJxc3LSPWvaIC75WK3C.exeWerFault.exe9A5E.exe

pid process

5364 bAGRnF23dqqSQc9GLsP_8f2i.exe
5204 LvJ59gJxc3LSPWvaIC75WK3C.exe
5512 WerFault.exe
5772 9A5E.exe

flow	ioc
21	ipinfo.io
48	ipinfo.io
80	ip-api.com
121	ipinfo.io
173	ip-api.com

pid	process
5364	bAGRnF23dqqSQc9GLsP_8f2i.exe
5204	LvJ59gJxc3LSPWvaIC75WK3C.exe
5512	WerFault.exe
5772	9A5E.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

bEYG8MCmwS_N0mgL9uYFs3Jb.exeiHcz2PjFZ8e9IDvRcRQLV9o9.exeWerFault.exeK9nJsFAus_AD4WbNTjIG3wOs.exenmRKRFlsM2jdww3bmd_iqMIN.exeGameBox64bit.exeyOpfFns9feXR1oA37BXrUSoj.exeh5Mf7fCP0iLoTpkZt0_ezgBy.exe

description	pid	process	target process
PID 5316 set thread context of 6108	5316	bEYG8MCmwS_N0mgL9uYFs3Jb.exe	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
PID 5548 set thread context of 5260	5548	iHcz2PjFZ8e9IDvRcRQLV9o9.exe	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
PID 5180 set thread context of 4636	5180	WerFault.exe	i51OEtivp64F1h3jriSb9179.exe
PID 5228 set thread context of 5392	5228	K9nJsFAus_AD4WbNTjIG3wOs.exe	K9nJsFAus_AD4WbNTjIG3wOs.exe
PID 5252 set thread context of 4840	5252	nmRKRFlsM2jdww3bmd_iqMIN.exe	nmRKRFlsM2jdww3bmd_iqMIN.exe
PID 496 set thread context of 5128	496	GameBox64bit.exe	GameBox64bit.exe
PID 5168 set thread context of 6704	5168	yOpfFns9feXR1oA37BXrUSoj.exe	yOpfFns9feXR1oA37BXrUSoj.exe
PID 5216 set thread context of 5968	5216	h5Mf7fCP0iLoTpkZt0_ezgBy.exe	h5Mf7fCP0iLoTpkZt0_ezgBy.exe

Drops file in Program Files directory 33 IoCs

Processes:

aipackagechainer.exeultramediaburner.tmpSetup.exebFClUtu0XfsHUGnX6uO9BE2D.exeh5Mf7fCP0iLoTpkZt0_ezgBy.exenote8876.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe.config	aipackagechainer.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Taewaezhobume.exe.config	aipackagechainer.exe
File created	C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe	aipackagechainer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-KTNRU.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Setup.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Taewaezhobume.exe	aipackagechainer.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	Setup.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-9C8N6.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\resources.pak	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\d.INTEG.RAW	note8876.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\resources.pak	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\d	note8876.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\d.jfm	note8876.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\d.jfm	note8876.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\d	note8876.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\tmp.edb	note8876.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exeWerFault.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\f74eb31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF351.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID57.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDF8AC9F3942F7FFD.TMP	msiexec.exe
File created	C:\Windows\Installer\f74eb31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF227.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE5.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF51048722BFEFC2F8.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF022.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6FFB5CFF992020C3.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF07ECE270F696013C.TMP	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSIF73B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2584.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB3E.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1832	1096	WerFault.exe	rundll32.exe
1492	4504	WerFault.exe	Info.exe
6092	5288	WerFault.exe	S9vvbu_thmJNivbyrd5cbgjY.exe
508	5276	WerFault.exe	1JXoSiUoBQDRFxKQt6PfAJQT.exe
5272	5556	WerFault.exe	KaN6V1t36aPvGbjwrCNT4frv.exe
1556	5340	WerFault.exe	ZP8ROxtPgq7xzmkTnY1ILt2W.exe
4280	5592	WerFault.exe	bXB9E3wOjLBBoAzWOKy1jhXH.exe
4780	5192	WerFault.exe	S5JNKYGQ09fmPKqgYZFlX5Wl.exe
5180	2000	WerFault.exe	rundll32.exe
5984	4408	WerFault.exe	rundll32.exe
5348	1884	WerFault.exe	askinstall53.exe
6148	7084	WerFault.exe	anyname.exe
5792	7084	WerFault.exe	anyname.exe
5512	7084	WerFault.exe	anyname.exe
5724	3128	WerFault.exe	A126.exe
4196	5452	WerFault.exe	explorer.exe
4196	1400	WerFault.exe	8421129.exe
5544	4780	WerFault.exe	1478644.exe
6676	5344	WerFault.exe	4881157.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bEYG8MCmwS_N0mgL9uYFs3Jb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bEYG8MCmwS_N0mgL9uYFs3Jb.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exemsiexec.execmd.exeWerFault.exe1478644.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cmd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	1478644.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Enumerates system info in registry 2 TTPs 40 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exemsedge.execmd.exeWerFault.exemsedge.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe1478644.exemsiexec.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	1478644.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	1478644.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msiexec.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3784 taskkill.exe
3340 taskkill.exe

pid	process
3784	taskkill.exe
3340	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

sihclient.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe

Modifies registry class 7 IoCs

Processes:

Weather.exeWeather.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{EBB086E9-9B02-4D4F-902E-D03FD4258FF5}	Weather.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{CC4DB119-78C5-4B85-8330-08CDB3243364}	Weather.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

GameBoxWin64.exeCleaner Installation.exeWeather Installation.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Cleaner Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	Weather Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Cleaner Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e5c0000000100000004000000001000002000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Cleaner Installation.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	Weather Installation.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	125	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exemsedge.exemsedge.exeWerFault.exeidentity_helper.exeInstallation.exebEYG8MCmwS_N0mgL9uYFs3Jb.exeWerFault.exeWerFault.exeWerFault.exe

pid	process
1832	WerFault.exe
1832	WerFault.exe
2460	msedge.exe
2460	msedge.exe
5040	msedge.exe
5040	msedge.exe
1492	WerFault.exe
1492	WerFault.exe
4608	identity_helper.exe
4608	identity_helper.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
6092	WerFault.exe
6092	WerFault.exe
508	WerFault.exe
508	WerFault.exe
3192
3192
5272	WerFault.exe
5272	WerFault.exe
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192
3192

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3192

pid	process
3192

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

bEYG8MCmwS_N0mgL9uYFs3Jb.exeexplorer.exe

pid	process
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
3192
3192
3192
3192
3192
3192
3192
3192
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192
3192
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192
3192
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192
3192
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192
3192
3280	explorer.exe
3280	explorer.exe
3192
3192
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

KRSetp.exeWerFault.exesvchost.exeOaUqDiJqLrReD6nAIAxVSWA8.exerUNdlL32.eXeAGV_ZCjRSXUJEYPKIJWOth72.exebAGRnF23dqqSQc9GLsP_8f2i.exeLvJ59gJxc3LSPWvaIC75WK3C.exe8421129.exei51OEtivp64F1h3jriSb9179.exe3544711.exeaskinstall53.exe

description	pid	process
Token: SeDebugPrivilege	4780	KRSetp.exe
Token: SeRestorePrivilege	1832	WerFault.exe
Token: SeBackupPrivilege	1832	WerFault.exe
Token: SeBackupPrivilege	1832	WerFault.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeDebugPrivilege	5236	OaUqDiJqLrReD6nAIAxVSWA8.exe
Token: SeDebugPrivilege	5264	rUNdlL32.eXe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeDebugPrivilege	2260	AGV_ZCjRSXUJEYPKIJWOth72.exe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeDebugPrivilege	5364	bAGRnF23dqqSQc9GLsP_8f2i.exe
Token: SeDebugPrivilege	5204	LvJ59gJxc3LSPWvaIC75WK3C.exe
Token: SeDebugPrivilege	1400	8421129.exe
Token: SeDebugPrivilege	4636	i51OEtivp64F1h3jriSb9179.exe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeDebugPrivilege	1588	3544711.exe
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeShutdownPrivilege	3192
Token: SeCreatePagefilePrivilege	3192
Token: SeCreateTokenPrivilege	1884	askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege	1884	askinstall53.exe
Token: SeLockMemoryPrivilege	1884	askinstall53.exe
Token: SeIncreaseQuotaPrivilege	1884	askinstall53.exe
Token: SeMachineAccountPrivilege	1884	askinstall53.exe
Token: SeTcbPrivilege	1884	askinstall53.exe

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

msedge.exeX6pFteX1hujq71gAoddJIl03.tmpCleaner Installation.exeGameBoxWin64.exeWeather Installation.exeultramediaburner.tmpWerFault.exeWeather.exemsedge.exe

pid	process
5040	msedge.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
5692	Cleaner Installation.exe
3472	GameBoxWin64.exe
2536	Weather Installation.exe
5744	ultramediaburner.tmp
3896	WerFault.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
5488	msedge.exe

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Weather.exe

pid process

4032 Weather.exe
4032 Weather.exe
4032 Weather.exe
4032 Weather.exe
4032 Weather.exe

pid	process
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Installation.exe1JXoSiUoBQDRFxKQt6PfAJQT.exeS9vvbu_thmJNivbyrd5cbgjY.exe6fb0NKLzbR9O1Hnpb8meEjoY.exebEYG8MCmwS_N0mgL9uYFs3Jb.exeMsKeXpA3JCm5KJWAfbFTLe6p.exeiHcz2PjFZ8e9IDvRcRQLV9o9.exebFClUtu0XfsHUGnX6uO9BE2D.exeKaN6V1t36aPvGbjwrCNT4frv.exeZP8ROxtPgq7xzmkTnY1ILt2W.exeX6pFteX1hujq71gAoddJIl03.exe22222.exeX6pFteX1hujq71gAoddJIl03.tmpcustomer3.exemd8_8eus.exe1cu20YjSd19Ml5gGnIdtbCyZ.exe11111.exejfiag3g_gg.exe11111.exeultramediaburner.tmpSetup.exeMediaBurner2.exeaskinstall53.exeConhost.exeMediaBurner2.tmpmsedge.exe11111.exezhangfei.exezhangfei.exejfiag3g_gg.exe22222.exesvchost.exe22222.exeultramediaburner.exeufgaa.exeanyname.exeanyname.exe11111.exe804C.exe11111.exe11111.exeh5Mf7fCP0iLoTpkZt0_ezgBy.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exejfiag3g_gg.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exe11111.exe

pid	process
3980	Installation.exe
5276	1JXoSiUoBQDRFxKQt6PfAJQT.exe
5288	S9vvbu_thmJNivbyrd5cbgjY.exe
5300	6fb0NKLzbR9O1Hnpb8meEjoY.exe
5316	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5328	MsKeXpA3JCm5KJWAfbFTLe6p.exe
5548	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
5584	bFClUtu0XfsHUGnX6uO9BE2D.exe
5556	KaN6V1t36aPvGbjwrCNT4frv.exe
5340	ZP8ROxtPgq7xzmkTnY1ILt2W.exe
796	X6pFteX1hujq71gAoddJIl03.exe
5908	22222.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
1568	customer3.exe
5884	md8_8eus.exe
2708	1cu20YjSd19Ml5gGnIdtbCyZ.exe
3180	11111.exe
5824	jfiag3g_gg.exe
5248	11111.exe
5744	ultramediaburner.tmp
5908	22222.exe
5480	Setup.exe
3632	MediaBurner2.exe
1884	askinstall53.exe
1604	Conhost.exe
2240	MediaBurner2.tmp
5460	msedge.exe
6112	11111.exe
1664	zhangfei.exe
4856	zhangfei.exe
5780	jfiag3g_gg.exe
5908	22222.exe
2468	22222.exe
972	svchost.exe
2472	22222.exe
6776	ultramediaburner.exe
5744	ultramediaburner.tmp
5828	ufgaa.exe
876	anyname.exe
7084	anyname.exe
5628	11111.exe
4008	804C.exe
6508	11111.exe
5628	11111.exe
2076	11111.exe
5968	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
6244	11111.exe
4628	11111.exe
5408	11111.exe
7104	11111.exe
2460	11111.exe
1376	11111.exe
4504	11111.exe
6332	11111.exe
7076	jfiag3g_gg.exe
1552	11111.exe
3500	11111.exe
3696	11111.exe
6216	11111.exe
5136	11111.exe
3240	11111.exe
6032	11111.exe
6088	11111.exe
5980	11111.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EB7233922891E1DAD0434FBD52623647.exemsedge.exeFolder.exerUNdlL32.eXeWerFault.exe

description	pid	process	target process
PID 1624 wrote to memory of 4780	1624	EB7233922891E1DAD0434FBD52623647.exe	KRSetp.exe
PID 1624 wrote to memory of 4780	1624	EB7233922891E1DAD0434FBD52623647.exe	KRSetp.exe
PID 1624 wrote to memory of 5040	1624	EB7233922891E1DAD0434FBD52623647.exe	msedge.exe
PID 1624 wrote to memory of 5040	1624	EB7233922891E1DAD0434FBD52623647.exe	msedge.exe
PID 1624 wrote to memory of 4924	1624	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 1624 wrote to memory of 4924	1624	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 1624 wrote to memory of 4924	1624	EB7233922891E1DAD0434FBD52623647.exe	Folder.exe
PID 5040 wrote to memory of 3508	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 3508	5040	msedge.exe	msedge.exe
PID 4924 wrote to memory of 4992	4924	Folder.exe	Folder.exe
PID 4924 wrote to memory of 4992	4924	Folder.exe	Folder.exe
PID 4924 wrote to memory of 4992	4924	Folder.exe	Folder.exe
PID 1624 wrote to memory of 4504	1624	EB7233922891E1DAD0434FBD52623647.exe	Info.exe
PID 1624 wrote to memory of 4504	1624	EB7233922891E1DAD0434FBD52623647.exe	Info.exe
PID 1624 wrote to memory of 4504	1624	EB7233922891E1DAD0434FBD52623647.exe	Info.exe
PID 1008 wrote to memory of 1096	1008	rUNdlL32.eXe	rundll32.exe
PID 1008 wrote to memory of 1096	1008	rUNdlL32.eXe	rundll32.exe
PID 1008 wrote to memory of 1096	1008	rUNdlL32.eXe	rundll32.exe
PID 1432 wrote to memory of 1096	1432	WerFault.exe	rundll32.exe
PID 1432 wrote to memory of 1096	1432	WerFault.exe	rundll32.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2368	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2460	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 2460	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 3924	5040	msedge.exe	msedge.exe
PID 5040 wrote to memory of 3924	5040	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
3⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
3⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
3⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
3⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
3⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
3⤵
PID:2496

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
3⤵
PID:1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
3⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
3⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
3⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 /prefetch:2
3⤵
PID:6188

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
2⤵
- Executes dropped EXE
PID:4504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 240
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe
"C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5300

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5248

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:6244

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:5408

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:7104

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:6216

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
- Suspicious use of SetWindowsHookEx
PID:5980

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:7052

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2868

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5516

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:504

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5624

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:6488

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
4⤵
PID:5016

C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe
"C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 296
4⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:6092

C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe
"C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 296
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:508

C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe
"C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe"
3⤵
- Executes dropped EXE
PID:5264

C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
"C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5252

C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
4⤵
- Executes dropped EXE
PID:4084

C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
4⤵
PID:1884

C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
4⤵
- Executes dropped EXE
PID:4840

C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe
"C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
"C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5228

C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
4⤵
- Executes dropped EXE
PID:5732

C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
4⤵
- Executes dropped EXE
PID:5896

C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
4⤵
- Executes dropped EXE
PID:5392

C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe
"C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5216

C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe
"C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
4⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
5⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1a0,0x1a4,0x1a8,0x130,0x1ac,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
6⤵
PID:6756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
6⤵
PID:6616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
6⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
6⤵
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
6⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
6⤵
PID:5528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
6⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
6⤵
PID:7004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
6⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 /prefetch:8
6⤵
PID:6404

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
6⤵
PID:6280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
6⤵
PID:7124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
6⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6168 /prefetch:8
6⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6328 /prefetch:8
6⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6464 /prefetch:8
6⤵
PID:7144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
6⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1900 /prefetch:8
6⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
6⤵
PID:6604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6532 /prefetch:8
6⤵
PID:6388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
6⤵
PID:6624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
6⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
6⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6020 /prefetch:2
6⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
6⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6608 /prefetch:8
6⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5984 /prefetch:8
6⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
6⤵
PID:960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
6⤵
PID:868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
6⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
6⤵
PID:2184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
6⤵
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
6⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7184 /prefetch:8
6⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
6⤵
PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
6⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
6⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
6⤵
PID:6396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
6⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8040 /prefetch:8
6⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
6⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
6⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7640 /prefetch:8
6⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
6⤵
PID:6600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:1
6⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
6⤵
PID:1532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8292 /prefetch:8
6⤵
PID:4860

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 5968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
5⤵
PID:6156

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5968
6⤵
- Kills process with taskkill
PID:3784

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C taskkill /F /PID 5968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
5⤵
PID:1196

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 5968
6⤵
- Kills process with taskkill
PID:3340

C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe
"C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe
"C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe"
3⤵
- Executes dropped EXE
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 244
4⤵
- Program crash
PID:4780

C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
"C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe"
3⤵
- Executes dropped EXE
PID:5180

C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe
"C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5168

C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe
"C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe"
4⤵
PID:6704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
"C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5316

C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
"C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:6108

C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe
"C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:5364

C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe
"C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 320
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1556

C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe
"C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5328

C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe
"C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe"
3⤵
- Executes dropped EXE
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 240
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4280

C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe
"C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5584

C:\Program Files (x86)\Company\NewProduct\customer3.exe
"C:\Program Files (x86)\Company\NewProduct\customer3.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:5744

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
5⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6112

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5908

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Suspicious use of SetWindowsHookEx
PID:2468

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\22222.exe
C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
5⤵
- Suspicious use of SetWindowsHookEx
PID:2472

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5884

C:\Program Files (x86)\Company\NewProduct\jooyu.exe
"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
4⤵
- Executes dropped EXE
PID:5836

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5824

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
- Suspicious use of SetWindowsHookEx
PID:7076

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
5⤵
PID:6356

C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe
"C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 300
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
"C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
"C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe"
4⤵
- Executes dropped EXE
PID:5260

C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe
"C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe"
3⤵
PID:5908

C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe
"C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe" -q
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe
"C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Users\Admin\AppData\Roaming\8421129.exe
"C:\Users\Admin\AppData\Roaming\8421129.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1400 -s 2340
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4196

C:\Users\Admin\AppData\Roaming\3544711.exe
"C:\Users\Admin\AppData\Roaming\3544711.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe
"C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:796

C:\Users\Admin\AppData\Local\Temp\is-MTJJ2.tmp\X6pFteX1hujq71gAoddJIl03.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MTJJ2.tmp\X6pFteX1hujq71gAoddJIl03.tmp" /SL5="$202DC,138429,56832,C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Users\Admin\AppData\Local\Temp\is-AA40I.tmp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-AA40I.tmp\Setup.exe" /Verysilent
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5480

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:496

C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
7⤵
PID:5128

C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
6⤵
- Executes dropped EXE
PID:3284

C:\Users\Admin\AppData\Roaming\1478644.exe
"C:\Users\Admin\AppData\Roaming\1478644.exe"
7⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4780 -s 2356
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5544

C:\Users\Admin\AppData\Roaming\5605215.exe
"C:\Users\Admin\AppData\Roaming\5605215.exe"
7⤵
PID:5744

C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
8⤵
PID:5688

C:\Users\Admin\AppData\Roaming\3153485.exe
"C:\Users\Admin\AppData\Roaming\3153485.exe"
7⤵
PID:6132

C:\Users\Admin\AppData\Roaming\4881157.exe
"C:\Users\Admin\AppData\Roaming\4881157.exe"
7⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 2548
8⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6676

C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
"C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:3980

C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Users\Admin\AppData\Local\Temp\is-MMVMB.tmp\MediaBurner2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MMVMB.tmp\MediaBurner2.tmp" /SL5="$3028C,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2240

C:\Users\Admin\AppData\Local\Temp\is-V7FOR.tmp\3377047_logo_media.exe
"C:\Users\Admin\AppData\Local\Temp\is-V7FOR.tmp\3377047_logo_media.exe" /S /UID=burnerch2
8⤵
PID:5284

C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe
"C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe" /VERYSILENT
9⤵
- Suspicious use of SetWindowsHookEx
PID:6776

C:\Users\Admin\AppData\Local\Temp\is-RJ7JP.tmp\ultramediaburner.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RJ7JP.tmp\ultramediaburner.tmp" /SL5="$800AE,281924,62464,C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe" /VERYSILENT
10⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
11⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\d2-de3b3-031-63687-a6b269a3643ce\Lishacidege.exe
"C:\Users\Admin\AppData\Local\Temp\d2-de3b3-031-63687-a6b269a3643ce\Lishacidege.exe"
9⤵
PID:6916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
10⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
10⤵
PID:4136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
10⤵
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
10⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
10⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
10⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
10⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
10⤵
PID:872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
11⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\4d-76cb9-41c-d54a6-3a241b7d81929\Xuvylitadae.exe
"C:\Users\Admin\AppData\Local\Temp\4d-76cb9-41c-d54a6-3a241b7d81929\Xuvylitadae.exe"
9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe /qn CAMPAIGN="654" & exit
10⤵
PID:5172

C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe
C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe /qn CAMPAIGN="654"
11⤵
PID:3896

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
12⤵
PID:5876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe & exit
10⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6092

C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe
C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:5828

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:6508

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:5628

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:2076

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:6332

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
- Suspicious use of SetWindowsHookEx
PID:6088

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6972

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\11111.exe
C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
12⤵
PID:5904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe & exit
10⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe
C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe
11⤵
- Suspicious use of SetWindowsHookEx
PID:876

C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe
"C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe" -q
12⤵
- Suspicious use of SetWindowsHookEx
PID:7084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1392
13⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1368
13⤵
- Program crash
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1376
13⤵
- Program crash
PID:5512

C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5692

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
7⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5348

C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:3472

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
7⤵
PID:1056

C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
"C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:2536

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
7⤵
PID:2268

C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1908
7⤵
- Program crash
PID:5348

C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
"C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
7⤵
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:4252

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4172

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 452
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4504 -ip 4504
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5556 -ip 5556
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5276 -ip 5276
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5288 -ip 5288
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5340 -ip 5340
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5592 -ip 5592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5192 -ip 5192
1⤵
PID:5372

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4176

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 448
3⤵
- Suspicious use of SetThreadContext
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:4992

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 746450773384A016A2AFC0A8030AEDA5 C
2⤵
- Loads dropped DLL
PID:2488

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding EED348EC35EAE2F5393D136883315BB8 C
2⤵
- Loads dropped DLL
PID:4976

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1F4A76F4E90F1B5C39492027BD6B7113 C
2⤵
- Loads dropped DLL
PID:5504

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3AD28EA06C7BA358D002BA422BE6650A
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:6456

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F1A54687B998F4DB192D8541B949025D C
2⤵
- Loads dropped DLL
PID:6816

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
2⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
PID:5284

C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default
3⤵
- Loads dropped DLL
- Adds Run key to start application
PID:5424

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--PH33"
4⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4032

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0xac,0xb0,0x20c,0x1f0,0x210,0x7ff9ead29ec0,0x7ff9ead29ed0,0x7ff9ead29ee0
5⤵
- Loads dropped DLL
PID:2788

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
5⤵
- Loads dropped DLL
- Modifies registry class
PID:2360

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2012 /prefetch:8
5⤵
- Loads dropped DLL
PID:6012

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2408 /prefetch:8
5⤵
- Loads dropped DLL
PID:1108

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2536 /prefetch:1
5⤵
- Loads dropped DLL
PID:6656

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3160 /prefetch:8
5⤵
- Loads dropped DLL
PID:492

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1992 /prefetch:2
5⤵
- Loads dropped DLL
- Modifies registry class
PID:6396

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2000 /prefetch:8
5⤵
PID:6684

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3456 /prefetch:8
5⤵
PID:1324

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3552 /prefetch:8
5⤵
PID:5084

C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
"C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=1104 /prefetch:8
5⤵
PID:876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_2547.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
3⤵
- Blocklisted process makes network request
PID:4276

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 448
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4408 -ip 4408
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1884 -ip 1884
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5524

C:\Users\Admin\AppData\Local\Temp\804C.exe
C:\Users\Admin\AppData\Local\Temp\804C.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Users\Admin\AppData\Local\Temp\8F03.exe
C:\Users\Admin\AppData\Local\Temp\8F03.exe
1⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\9A5E.exe
C:\Users\Admin\AppData\Local\Temp\9A5E.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5772

C:\Users\Admin\AppData\Local\Temp\A126.exe
C:\Users\Admin\AppData\Local\Temp\A126.exe
1⤵
PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 296
2⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3128 -ip 3128
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 876
2⤵
- Program crash
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5452 -ip 5452
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 1400 -ip 1400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5764

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2980

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4780 -ip 4780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5344 -ip 5344
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3004

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
1⤵
PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
MD5
bda0c64936b09cfb76fda98e37f5b6a4

SHA1
8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8

SHA256
4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783

SHA512
cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
MD5
bda0c64936b09cfb76fda98e37f5b6a4

SHA1
8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8

SHA256
4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783

SHA512
cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
MD5
5af9f5b4e531fab8417a2f137350c842

SHA1
644e6ea394ba94830101d4aeb7d9d23c690b0b83

SHA256
a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4

SHA512
8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6cb5833-4ee2-4cc4-8f64-7d953c774a86\@Cryptex777.dll
MD5
e8641f344213ca05d8b5264b5f4e2dee

SHA1
96729e31f9b805800b2248fd22a4b53e226c8309

SHA256
85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24

SHA512
3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109

Download Submit
C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe
MD5
b5f49db3a9a421773d2eeade6f52bb33

SHA1
08dfa30ef726c80d85e4d803b348a418cf0cadc1

SHA256
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8

SHA512
2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec

Download Submit
C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe
MD5
b5f49db3a9a421773d2eeade6f52bb33

SHA1
08dfa30ef726c80d85e4d803b348a418cf0cadc1

SHA256
5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8

SHA512
2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec

Download Submit
C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe
MD5
ff2d2b1250ae2706f6550893e12a25f8

SHA1
5819d925377d38d921f6952add575a6ca19f213b

SHA256
ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96

SHA512
c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23

Download Submit
C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe
MD5
9499dac59e041d057327078ccada8329

SHA1
707088977b09835d2407f91f4f6dbe4a4c8f2fff

SHA256
ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9

SHA512
9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397

Download Submit
C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe
MD5
508d43219e37e4f9828b193e78439635

SHA1
7a23832f84c8a25d52410c22df2472b18f5df47c

SHA256
67a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b

SHA512
aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e

Download Submit
C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe
MD5
508d43219e37e4f9828b193e78439635

SHA1
7a23832f84c8a25d52410c22df2472b18f5df47c

SHA256
67a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b

SHA512
aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e

Download Submit
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
MD5
1cd51768a37e5d5027575a38a42eb13c

SHA1
051f84f1062956fc3798456ae475939197d49d43

SHA256
1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f

SHA512
9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d

Download Submit
C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe
MD5
77c0247d06673d720c68591e8e16af33

SHA1
0e5c680ef719853fdeb1f363e2c88b7d52c58fc3

SHA256
542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03

SHA512
c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a

Download Submit
C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe
MD5
77c0247d06673d720c68591e8e16af33

SHA1
0e5c680ef719853fdeb1f363e2c88b7d52c58fc3

SHA256
542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03

SHA512
c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a

Download Submit
C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe
MD5
fa2170ab2dfa330d961cccf8e93c757b

SHA1
d3fd7ae0be7954a547169e29a44d467f14dfb340

SHA256
78f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0

SHA512
3880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e

Download Submit
C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe
MD5
a6ef5e293c9422d9a4838178aea19c50

SHA1
93b6d38cc9376fa8710d2df61ae591e449e71b85

SHA256
94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0

SHA512
b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454

Download Submit
C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe
MD5
9cfbd2e8f619ce508af7ea851b55f62e

SHA1
c50a46b259d5c5e05972de8eb1ab3bc4195c1a03

SHA256
c188ce667119b9ea8269b2878aaa664e6ba281db957e0354d9eaac8537b8a153

SHA512
c762b9d22cad64cf6addad1d11a7a726a1eacc3bd3ec8d2d1485b25dae637c9238241635707116ee18b4d8e3b5a6600d49f79ed9e10d11ac031fc50a680726fe

Download Submit
C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe
MD5
9cfbd2e8f619ce508af7ea851b55f62e

SHA1
c50a46b259d5c5e05972de8eb1ab3bc4195c1a03

SHA256
c188ce667119b9ea8269b2878aaa664e6ba281db957e0354d9eaac8537b8a153

SHA512
c762b9d22cad64cf6addad1d11a7a726a1eacc3bd3ec8d2d1485b25dae637c9238241635707116ee18b4d8e3b5a6600d49f79ed9e10d11ac031fc50a680726fe

Download Submit
C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe
MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe
MD5
2654d11f2d3ce974e432ad1c84bcd1f7

SHA1
053efdc46790dd1b49e93863df59c83c39342c8f

SHA256
df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51

SHA512
8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7

Download Submit
C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe
MD5
c5cdf4c9d78205655a2592a499b92e8f

SHA1
53d9dc7d0394eafd61c8498a01d9d7abd4f3761c

SHA256
5ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b

SHA512
980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819

Download Submit
C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe
MD5
c5cdf4c9d78205655a2592a499b92e8f

SHA1
53d9dc7d0394eafd61c8498a01d9d7abd4f3761c

SHA256
5ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b

SHA512
980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819

Download Submit
C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe
MD5
908fa1446bc3cc61c7f05e0f56067705

SHA1
195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4

SHA256
b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f

SHA512
ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0

Download Submit
C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe
MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe
MD5
d8b2a0b440b26c2dc3032e3f0de38b72

SHA1
ceca844eba2a784e4fbdac0e9377df9d4b9a668b

SHA256
55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241

SHA512
abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3

Download Submit
C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe
MD5
e399c741e5809f64dabd7ee219063081

SHA1
411bdea66e7ca6616a13ffcda4c8388472ec4616

SHA256
b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1

SHA512
6c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495

Download Submit
C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe
MD5
e399c741e5809f64dabd7ee219063081

SHA1
411bdea66e7ca6616a13ffcda4c8388472ec4616

SHA256
b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1

SHA512
6c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495

Download Submit
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe
MD5
dcbe7119391038c81bf94f1a446b61ec

SHA1
050d68abe0521d67740c560649adbc8a779976ad

SHA256
187a72004c93ede992887f5f02371173635383597ede072208017655b441041b

SHA512
b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4

Download Submit
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe
MD5
dcbe7119391038c81bf94f1a446b61ec

SHA1
050d68abe0521d67740c560649adbc8a779976ad

SHA256
187a72004c93ede992887f5f02371173635383597ede072208017655b441041b

SHA512
b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4

Download Submit
C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe
MD5
54ce8822fbf1cdb94c28d12ccd82f8f9

SHA1
7077757f069fe0ebd338aeff700cab323e3ab235

SHA256
0984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2

SHA512
183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435

Download Submit
C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe
MD5
2cc6d4f1c214e4d44d078773dc5469d0

SHA1
6dc7a3ebc447aa9b4edb14b670452336c110e646

SHA256
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70

SHA512
d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f

Download Submit
C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe
MD5
2cc6d4f1c214e4d44d078773dc5469d0

SHA1
6dc7a3ebc447aa9b4edb14b670452336c110e646

SHA256
dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70

SHA512
d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f

Download Submit
C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe
MD5
90eb803d0e395eab28a6dc39a7504cc4

SHA1
7a0410c3b8827a9542003982308c5ad06fdf473f

SHA256
1c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd

SHA512
d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835

Download Submit
C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
MD5
526bd44b4e36b0b52cfd28abe551471a

SHA1
35c89e3f3df5dbe5d099a72fec5eba40279bdaca

SHA256
8f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d

SHA512
749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb

Download Submit
C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
MD5
11d57daf30ca3e02d82760025034d970

SHA1
18dbef336c70b6fbe50926602b3305299c258848

SHA256
d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01

SHA512
21c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b

Download Submit
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
MD5
9bf2480895b33565d02f30d1a07a20ba

SHA1
7624a0067c63e6b228a0255c41fa156174a5ac68

SHA256
6be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c

SHA512
bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5

Download Submit
C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe
MD5
44cfd7d22b79fbde5875f3a97ddc75e8

SHA1
0c50d97207b5440fcf0aa7287037c318fa73e444

SHA256
b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d

SHA512
2bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb

Download Submit
C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe
MD5
44cfd7d22b79fbde5875f3a97ddc75e8

SHA1
0c50d97207b5440fcf0aa7287037c318fa73e444

SHA256
b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d

SHA512
2bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb

Download Submit
\??\pipe\LOCAL\crashpad_5040_MYBBKELETSCBLLRX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/496-485-0x0000000000000000-mapping.dmp

Download
memory/496-518-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/796-329-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/796-318-0x0000000000000000-mapping.dmp

Download
memory/1096-172-0x0000000000000000-mapping.dmp

Download
memory/1284-391-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1284-405-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/1284-348-0x0000000000000000-mapping.dmp

Download
memory/1284-366-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1284-361-0x00000000031C0000-0x00000000031FC000-memory.dmp

Filesize
240KB

Download
memory/1284-368-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/1284-369-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/1284-371-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1284-373-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/1284-377-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/1284-380-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/1284-384-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1284-398-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/1284-382-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1284-423-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/1284-421-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/1284-413-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/1284-418-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/1284-410-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/1284-387-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1284-394-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1400-431-0x0000000000000000-mapping.dmp

Download
memory/1400-459-0x000000001BB10000-0x000000001BB12000-memory.dmp

Filesize
8KB

Download
memory/1568-437-0x000001FBA1010000-0x000001FBA107E000-memory.dmp

Filesize
440KB

Download
memory/1568-438-0x000001FBA14F0000-0x000001FBA15BF000-memory.dmp

Filesize
828KB

Download
memory/1568-353-0x0000000000000000-mapping.dmp

Download
memory/1588-476-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/1588-433-0x0000000000000000-mapping.dmp

Download
memory/1712-214-0x0000000000000000-mapping.dmp

Download
memory/2000-482-0x0000000000000000-mapping.dmp

Download
memory/2240-532-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2260-354-0x0000000001460000-0x0000000001476000-memory.dmp

Filesize
88KB

Download
memory/2260-316-0x0000000000000000-mapping.dmp

Download
memory/2260-365-0x000000001BCB0000-0x000000001BCB2000-memory.dmp

Filesize
8KB

Download
memory/2260-331-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2368-176-0x0000000000000000-mapping.dmp

Download
memory/2368-180-0x00007FFA1D5F0000-0x00007FFA1D5F1000-memory.dmp

Filesize
4KB

Download
memory/2460-177-0x0000000000000000-mapping.dmp

Download
memory/2708-379-0x0000000000000000-mapping.dmp

Download
memory/3180-404-0x0000000000000000-mapping.dmp

Download
memory/3192-378-0x000000000AD30000-0x000000000AD40000-memory.dmp

Filesize
64KB

Download
memory/3192-376-0x0000000008700000-0x0000000008710000-memory.dmp

Filesize
64KB

Download
memory/3192-341-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/3284-498-0x0000000000000000-mapping.dmp

Download
memory/3284-534-0x000000001B470000-0x000000001B472000-memory.dmp

Filesize
8KB

Download
memory/3504-196-0x0000000000000000-mapping.dmp

Download
memory/3508-163-0x0000000000000000-mapping.dmp

Download
memory/3632-505-0x0000000000000000-mapping.dmp

Download
memory/3632-514-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3924-185-0x0000000000000000-mapping.dmp

Download
memory/3980-207-0x0000000000000000-mapping.dmp

Download
memory/3980-508-0x0000000000000000-mapping.dmp

Download
memory/3980-529-0x0000000000800000-0x0000000000803000-memory.dmp

Filesize
12KB

Download
memory/3980-227-0x0000000003F70000-0x00000000040AD000-memory.dmp

Filesize
1.2MB

Download
memory/4252-455-0x0000000000000000-mapping.dmp

Download
memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp

Filesize
9.1MB

Download
memory/4504-168-0x0000000000000000-mapping.dmp

Download
memory/4608-210-0x0000000000000000-mapping.dmp

Download
memory/4636-435-0x0000000000000000-mapping.dmp

Download
memory/4636-461-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/4780-148-0x0000000000000000-mapping.dmp

Download
memory/4780-153-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4780-151-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4780-154-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

Filesize
112KB

Download
memory/4780-155-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4780-156-0x000000001B8B0000-0x000000001B8B2000-memory.dmp

Filesize
8KB

Download
memory/4780-570-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

Filesize
8KB

Download
memory/4840-488-0x0000000000000000-mapping.dmp

Download
memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/4924-158-0x0000000000000000-mapping.dmp

Download
memory/4992-166-0x0000000000000000-mapping.dmp

Download
memory/5000-193-0x0000000000000000-mapping.dmp

Download
memory/5040-157-0x0000000000000000-mapping.dmp

Download
memory/5112-219-0x0000000000000000-mapping.dmp

Download
memory/5128-583-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/5168-345-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/5168-330-0x00000000052E0000-0x0000000005886000-memory.dmp

Filesize
5.6MB

Download
memory/5168-288-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/5168-298-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/5168-228-0x0000000000000000-mapping.dmp

Download
memory/5180-362-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/5180-229-0x0000000000000000-mapping.dmp

Download
memory/5180-340-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/5192-230-0x0000000000000000-mapping.dmp

Download
memory/5204-441-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/5204-231-0x0000000000000000-mapping.dmp

Download
memory/5216-306-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/5216-334-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/5216-309-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/5216-232-0x0000000000000000-mapping.dmp

Download
memory/5216-302-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5216-287-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/5216-299-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/5216-323-0x0000000005080000-0x0000000005626000-memory.dmp

Filesize
5.6MB

Download
memory/5228-359-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5228-346-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/5228-233-0x0000000000000000-mapping.dmp

Download
memory/5228-335-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/5236-337-0x000001AEC8E20000-0x000001AEC8E39000-memory.dmp

Filesize
100KB

Download
memory/5236-294-0x00007FF9EEC70000-0x00007FF9EEDBF000-memory.dmp

Filesize
1.3MB

Download
memory/5236-254-0x000001AEC7020000-0x000001AEC7021000-memory.dmp

Filesize
4KB

Download
memory/5236-350-0x000001AEE1820000-0x000001AEE1821000-memory.dmp

Filesize
4KB

Download
memory/5236-234-0x0000000000000000-mapping.dmp

Download
memory/5236-286-0x000001AEE1870000-0x000001AEE1872000-memory.dmp

Filesize
8KB

Download
memory/5236-349-0x000001AEC8E60000-0x000001AEC8E61000-memory.dmp

Filesize
4KB

Download
memory/5248-465-0x0000000000000000-mapping.dmp

Download
memory/5252-235-0x0000000000000000-mapping.dmp

Download
memory/5252-355-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/5252-356-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/5252-333-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/5260-314-0x0000000000000000-mapping.dmp

Download
memory/5264-290-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/5264-319-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/5264-236-0x0000000000000000-mapping.dmp

Download
memory/5264-307-0x000000001AC70000-0x000000001AC85000-memory.dmp

Filesize
84KB

Download
memory/5276-237-0x0000000000000000-mapping.dmp

Download
memory/5276-284-0x0000000004890000-0x00000000048C0000-memory.dmp

Filesize
192KB

Download
memory/5284-545-0x00000000011A0000-0x00000000011A2000-memory.dmp

Filesize
8KB

Download
memory/5288-238-0x0000000000000000-mapping.dmp

Download
memory/5288-300-0x0000000002DC0000-0x0000000002DC9000-memory.dmp

Filesize
36KB

Download
memory/5300-364-0x0000020324C60000-0x0000020324D2F000-memory.dmp

Filesize
828KB

Download
memory/5300-239-0x0000000000000000-mapping.dmp

Download
memory/5300-352-0x0000020324BF0000-0x0000020324C5F000-memory.dmp

Filesize
444KB

Download
memory/5316-304-0x0000000002E60000-0x0000000002E6A000-memory.dmp

Filesize
40KB

Download
memory/5316-240-0x0000000000000000-mapping.dmp

Download
memory/5328-289-0x0000000001260000-0x0000000001272000-memory.dmp

Filesize
72KB

Download
memory/5328-241-0x0000000000000000-mapping.dmp

Download
memory/5328-273-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/5340-332-0x00000000049C0000-0x00000000049EF000-memory.dmp

Filesize
188KB

Download
memory/5340-242-0x0000000000000000-mapping.dmp

Download
memory/5344-567-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/5364-415-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/5364-370-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5364-245-0x0000000000000000-mapping.dmp

Download
memory/5392-481-0x0000000000000000-mapping.dmp

Download
memory/5392-526-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/5480-480-0x0000000000000000-mapping.dmp

Download
memory/5548-267-0x0000000000000000-mapping.dmp

Download
memory/5556-296-0x00000000049F0000-0x0000000004A8D000-memory.dmp

Filesize
628KB

Download
memory/5556-268-0x0000000000000000-mapping.dmp

Download
memory/5584-272-0x0000000000000000-mapping.dmp

Download
memory/5592-402-0x0000000000CA0000-0x0000000000D2F000-memory.dmp

Filesize
572KB

Download
memory/5592-271-0x0000000000000000-mapping.dmp

Download
memory/5688-609-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5692-496-0x0000000000000000-mapping.dmp

Download
memory/5744-466-0x0000000000000000-mapping.dmp

Download
memory/5744-686-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/5824-428-0x0000000000000000-mapping.dmp

Download
memory/5836-363-0x0000000000000000-mapping.dmp

Download
memory/5884-357-0x0000000000000000-mapping.dmp

Download
memory/5884-367-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/5908-295-0x0000000000000000-mapping.dmp

Download
memory/5908-474-0x0000000000000000-mapping.dmp

Download
memory/6108-308-0x0000000000000000-mapping.dmp

Download
memory/6108-311-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6132-593-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/6776-685-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download