glupteba | b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

Target

EB7233922891E1DAD0434FBD52623647.exe
Size

7.9MB
MD5

eb7233922891e1dad0434fbd52623647
SHA1

331126b108532ab9a1e932141bff55a38656bce9
SHA256

b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8
SHA512

597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

installs3

65.21.228.92:46802

Extracted

Family

smokeloader

Version

2020

http://readinglistforjuly1.xyz/

http://readinglistforjuly2.xyz/

http://readinglistforjuly3.xyz/

http://readinglistforjuly4.xyz/

http://readinglistforjuly5.xyz/

http://readinglistforjuly6.xyz/

http://readinglistforjuly7.xyz/

http://readinglistforjuly8.xyz/

http://readinglistforjuly9.xyz/

http://readinglistforjuly10.xyz/

http://readinglistforjuly1.site/

http://readinglistforjuly2.site/

http://readinglistforjuly3.site/

http://readinglistforjuly4.site/

http://readinglistforjuly5.site/

http://readinglistforjuly6.site/

http://readinglistforjuly7.site/

http://readinglistforjuly8.site/

http://readinglistforjuly9.site/

http://readinglistforjuly10.site/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 1 IoCs

resource	yara_rule
behavioral2/memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	4848	rUNdlL32.eXe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	4848	rundll32.exe	27
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5264	4848	rUNdlL32.eXe	27

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

resource	yara_rule
behavioral2/files/0x000100000002b1ee-249.dat	family_redline
behavioral2/files/0x000100000002b1f4-275.dat	family_redline
behavioral2/memory/5236-337-0x000001AEC8E20000-0x000001AEC8E39000-memory.dmp	family_redline
behavioral2/files/0x000100000002b1f4-325.dat	family_redline
behavioral2/memory/4636-435-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/5392-481-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4840-488-0x0000000000000000-mapping.dmp	family_redline
behavioral2/memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs

description	pid	Process	procid_target
PID 1432 created 1096	1432	WerFault.exe	91
PID 3188 created 4504	3188	WerFault.exe	89
PID 5792 created 5288	5792	WerFault.exe	110
PID 5832 created 5276	5832	WerFault.exe	111
PID 5992 created 5556	5992	WerFault.exe	133
PID 5824 created 5340	5824	jfiag3g_gg.exe	127
PID 5740 created 5592	5740	WerFault.exe	131
PID 5372 created 5192	5372	Xuvylitadae.exe	118
PID 2104 created 2000	2104	WerFault.exe	178
PID 3976 created 4408	3976	WerFault.exe	209
PID 1204 created 1884	1204	WerFault.exe	193
PID 6736 created 7084	6736	WerFault.exe	249
PID 5428 created 7084	5428	WerFault.exe	249
PID 5524 created 7084	5524	WerFault.exe	249
PID 3896 created 3128	3896	WerFault.exe	271
PID 6356 created 5452	6356	WerFault.exe	274
PID 5764 created 1400	5764	WerFault.exe	163
PID 5512 created 4780	5512	WerFault.exe	202
PID 3004 created 5344	3004	WerFault.exe	206

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

evasion 6 IoCs

evasion.

evasion

resource	yara_rule
behavioral2/memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp	evasion
behavioral2/files/0x000200000002b122-256.dat	evasion
behavioral2/files/0x000200000002b125-255.dat	evasion
behavioral2/files/0x000100000002b1e7-246.dat	evasion
behavioral2/files/0x000200000002b125-317.dat	evasion
behavioral2/memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp	evasion

suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity
suricata
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
suricata
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral2/memory/5556-296-0x00000000049F0000-0x0000000004A8D000-memory.dmp	family_vidar

Blocklisted process makes network request 9 IoCs

flow	pid	Process
117	5264	rUNdlL32.eXe
193	6456	MsiExec.exe
195	6456	MsiExec.exe
196	6456	MsiExec.exe
197	6456	MsiExec.exe
198	6456	MsiExec.exe
206	6456	MsiExec.exe
260	4276	powershell.exe
261	4276	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	aipackagechainer.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	h5Mf7fCP0iLoTpkZt0_ezgBy.exe

Executes dropped EXE 64 IoCs

pid	Process
4780	KRSetp.exe
4924	Folder.exe
4992	Folder.exe
4504	Info.exe
3980	Installation.exe
5168	yOpfFns9feXR1oA37BXrUSoj.exe
5180	i51OEtivp64F1h3jriSb9179.exe
5192	S5JNKYGQ09fmPKqgYZFlX5Wl.exe
5204	LvJ59gJxc3LSPWvaIC75WK3C.exe
5216	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
5236	OaUqDiJqLrReD6nAIAxVSWA8.exe
5228	K9nJsFAus_AD4WbNTjIG3wOs.exe
5252	nmRKRFlsM2jdww3bmd_iqMIN.exe
5264	ZM0tOe8uO666xAL03x_SEt7G.exe
5276	1JXoSiUoBQDRFxKQt6PfAJQT.exe
5288	S9vvbu_thmJNivbyrd5cbgjY.exe
5300	6fb0NKLzbR9O1Hnpb8meEjoY.exe
5316	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5328	MsKeXpA3JCm5KJWAfbFTLe6p.exe
5340	ZP8ROxtPgq7xzmkTnY1ILt2W.exe
5364	bAGRnF23dqqSQc9GLsP_8f2i.exe
5556	KaN6V1t36aPvGbjwrCNT4frv.exe
5548	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
5592	bXB9E3wOjLBBoAzWOKy1jhXH.exe
5584	bFClUtu0XfsHUGnX6uO9BE2D.exe
5908	22222.exe
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5260	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
2260	AGV_ZCjRSXUJEYPKIJWOth72.exe
796	X6pFteX1hujq71gAoddJIl03.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
1568	customer3.exe
5884	md8_8eus.exe
5836	jooyu.exe
2708	1cu20YjSd19Ml5gGnIdtbCyZ.exe
3180	11111.exe
5824	jfiag3g_gg.exe
1400	8421129.exe
5732	K9nJsFAus_AD4WbNTjIG3wOs.exe
4084	nmRKRFlsM2jdww3bmd_iqMIN.exe
1588	3544711.exe
4636	i51OEtivp64F1h3jriSb9179.exe
4252	md9_1sjm.exe
1884	askinstall53.exe
5896	K9nJsFAus_AD4WbNTjIG3wOs.exe
5248	11111.exe
5744	ultramediaburner.tmp
5908	22222.exe
5480	Setup.exe
5392	K9nJsFAus_AD4WbNTjIG3wOs.exe
496	GameBox64bit.exe
4840	nmRKRFlsM2jdww3bmd_iqMIN.exe
5692	Cleaner Installation.exe
3284	Versiumresearch.exe
3632	MediaBurner2.exe
3980	note8876.exe
1664	zhangfei.exe
1884	askinstall53.exe
3472	GameBoxWin64.exe
2536	Weather Installation.exe
1604	Conhost.exe
2240	MediaBurner2.tmp
5460	msedge.exe
6112	11111.exe

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/5884-367-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9A5E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9A5E.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LvJ59gJxc3LSPWvaIC75WK3C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LvJ59gJxc3LSPWvaIC75WK3C.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe	customer3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fastsystem2021.exe	customer3.exe

Loads dropped DLL 64 IoCs

pid	Process
1096	rundll32.exe
5236	OaUqDiJqLrReD6nAIAxVSWA8.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
1284	X6pFteX1hujq71gAoddJIl03.tmp
2000	rundll32.exe
5692	Cleaner Installation.exe
3472	GameBoxWin64.exe
3472	GameBoxWin64.exe
2536	Weather Installation.exe
2240	MediaBurner2.tmp
4408	rundll32.exe
3472	GameBoxWin64.exe
2488	MsiExec.exe
2488	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
5504	MsiExec.exe
5504	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
6456	MsiExec.exe
3896	WerFault.exe
3896	WerFault.exe
3896	WerFault.exe
6816	MsiExec.exe
6816	MsiExec.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
5424	Weather_Installation.exe
4032	Weather.exe
5424	Weather_Installation.exe
4032	Weather.exe
4032	Weather.exe
5424	Weather_Installation.exe
2788	Weather.exe
2360	Weather.exe
2360	Weather.exe
2360	Weather.exe
6012	Weather.exe
6012	Weather.exe
6012	Weather.exe
2360	Weather.exe
1108	Weather.exe
1108	Weather.exe
1108	Weather.exe
6656	Weather.exe
6656	Weather.exe
6656	Weather.exe
6656	Weather.exe
492	Weather.exe
492	Weather.exe
492	Weather.exe
6396	Weather.exe
6396	Weather.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000100000002b1ee-249.dat	themida
behavioral2/files/0x000100000002b1f4-275.dat	themida
behavioral2/files/0x000100000002b1f4-325.dat	themida
behavioral2/memory/5364-370-0x0000000000BD0000-0x0000000000BD1000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Weather_Installation.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Weather = "C:\\Users\\Admin\\AppData\\Roaming\\Weather\\Weather.exe --PH33"	Weather_Installation.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	ultramediaburner.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Taewaezhobume.exe\""	aipackagechainer.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	aipackagechainer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bAGRnF23dqqSQc9GLsP_8f2i.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LvJ59gJxc3LSPWvaIC75WK3C.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	note8876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9A5E.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Weather Installation.exe
File opened (read-only)	\??\L:	Cleaner Installation.exe
File opened (read-only)	\??\O:	Cleaner Installation.exe
File opened (read-only)	\??\F:	WerFault.exe
File opened (read-only)	\??\N:	GameBoxWin64.exe
File opened (read-only)	\??\R:	Weather Installation.exe
File opened (read-only)	\??\K:	Cleaner Installation.exe
File opened (read-only)	\??\H:	GameBoxWin64.exe
File opened (read-only)	\??\Z:	Weather Installation.exe
File opened (read-only)	\??\X:	GameBoxWin64.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	GameBoxWin64.exe
File opened (read-only)	\??\Y:	GameBoxWin64.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	Weather Installation.exe
File opened (read-only)	\??\N:	WerFault.exe
File opened (read-only)	\??\X:	WerFault.exe
File opened (read-only)	\??\F:	GameBoxWin64.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	Weather Installation.exe
File opened (read-only)	\??\U:	Cleaner Installation.exe
File opened (read-only)	\??\P:	WerFault.exe
File opened (read-only)	\??\P:	GameBoxWin64.exe
File opened (read-only)	\??\O:	Weather Installation.exe
File opened (read-only)	\??\S:	Weather Installation.exe
File opened (read-only)	\??\P:	Cleaner Installation.exe
File opened (read-only)	\??\L:	WerFault.exe
File opened (read-only)	\??\V:	WerFault.exe
File opened (read-only)	\??\B:	GameBoxWin64.exe
File opened (read-only)	\??\E:	Cleaner Installation.exe
File opened (read-only)	\??\F:	Cleaner Installation.exe
File opened (read-only)	\??\H:	Cleaner Installation.exe
File opened (read-only)	\??\R:	Cleaner Installation.exe
File opened (read-only)	\??\A:	Cleaner Installation.exe
File opened (read-only)	\??\T:	GameBoxWin64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	Weather Installation.exe
File opened (read-only)	\??\U:	WerFault.exe
File opened (read-only)	\??\M:	GameBoxWin64.exe
File opened (read-only)	\??\E:	Weather Installation.exe
File opened (read-only)	\??\H:	Weather Installation.exe
File opened (read-only)	\??\W:	Cleaner Installation.exe
File opened (read-only)	\??\G:	WerFault.exe
File opened (read-only)	\??\U:	GameBoxWin64.exe
File opened (read-only)	\??\Q:	Weather Installation.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	GameBoxWin64.exe
File opened (read-only)	\??\I:	Weather Installation.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	GameBoxWin64.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	WerFault.exe
File opened (read-only)	\??\Y:	WerFault.exe
File opened (read-only)	\??\O:	GameBoxWin64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	Cleaner Installation.exe
File opened (read-only)	\??\Q:	Cleaner Installation.exe
File opened (read-only)	\??\E:	WerFault.exe
File opened (read-only)	\??\I:	GameBoxWin64.exe
File opened (read-only)	\??\Z:	GameBoxWin64.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipinfo.io
48	ipinfo.io
80	ip-api.com
121	ipinfo.io
173	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5364	bAGRnF23dqqSQc9GLsP_8f2i.exe
5204	LvJ59gJxc3LSPWvaIC75WK3C.exe
5512	WerFault.exe
5772	9A5E.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 5316 set thread context of 6108	5316	bEYG8MCmwS_N0mgL9uYFs3Jb.exe	141
PID 5548 set thread context of 5260	5548	iHcz2PjFZ8e9IDvRcRQLV9o9.exe	146
PID 5180 set thread context of 4636	5180	WerFault.exe	155
PID 5228 set thread context of 5392	5228	K9nJsFAus_AD4WbNTjIG3wOs.exe	170
PID 5252 set thread context of 4840	5252	nmRKRFlsM2jdww3bmd_iqMIN.exe	172
PID 496 set thread context of 5128	496	GameBox64bit.exe	197
PID 5168 set thread context of 6704	5168	yOpfFns9feXR1oA37BXrUSoj.exe	235
PID 5216 set thread context of 5968	5216	h5Mf7fCP0iLoTpkZt0_ezgBy.exe	291

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe.config	aipackagechainer.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Taewaezhobume.exe.config	aipackagechainer.exe
File created	C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe	aipackagechainer.exe
File created	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File created	C:\Program Files (x86)\UltraMediaBurner\is-KTNRU.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe	Setup.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\Taewaezhobume.exe	aipackagechainer.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\jooyu.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\Uninstall.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File created	C:\Program Files (x86)\Company\NewProduct\Uninstall.ini	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\unins000.dat	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe	Setup.exe
File created	C:\Program Files (x86)\UltraMediaBurner\is-9C8N6.tmp	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Company\NewProduct\customer3.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	Setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\resources.pak	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe	bFClUtu0XfsHUGnX6uO9BE2D.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\d.INTEG.RAW	note8876.exe
File opened for modification	C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe	ultramediaburner.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\resources.pak	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\d	note8876.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\d.jfm	note8876.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\d.jfm	note8876.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	Setup.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\d	note8876.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\tmp.edb	note8876.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f74eb31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF351.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID57.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFDF8AC9F3942F7FFD.TMP	msiexec.exe
File created	C:\Windows\Installer\f74eb31.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF227.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4E8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE5.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF51048722BFEFC2F8.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF022.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6FFB5CFF992020C3.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF07ECE270F696013C.TMP	msiexec.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\Installer\MSIF73B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAC6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2584.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB3E.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
1832	1096	WerFault.exe	91
1492	4504	WerFault.exe	89
6092	5288	WerFault.exe	110
508	5276	WerFault.exe	111
5272	5556	WerFault.exe	133
1556	5340	WerFault.exe	127
4280	5592	WerFault.exe	131
4780	5192	WerFault.exe	118
5180	2000	WerFault.exe	178
5984	4408	WerFault.exe	209
5348	1884	WerFault.exe	193
6148	7084	WerFault.exe	249
5792	7084	WerFault.exe	249
5512	7084	WerFault.exe	249
5724	3128	WerFault.exe	271
4196	5452	WerFault.exe	274
4196	1400	WerFault.exe	163
5544	4780	WerFault.exe	202
6676	5344	WerFault.exe	206

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	bEYG8MCmwS_N0mgL9uYFs3Jb.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cmd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	1478644.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe

Enumerates system info in registry 2 TTPs 40 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	1478644.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	1478644.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msiexec.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3784	taskkill.exe
3340	taskkill.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{EBB086E9-9B02-4D4F-902E-D03FD4258FF5}	Weather.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-257790753-2419383948-818201544-1000\{CC4DB119-78C5-4B85-8330-08CDB3243364}	Weather.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Cleaner Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	Weather Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Cleaner Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e5c0000000100000004000000001000002000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Cleaner Installation.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	Weather Installation.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	120	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	125	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1832	WerFault.exe
1832	WerFault.exe
2460	msedge.exe
2460	msedge.exe
5040	msedge.exe
5040	msedge.exe
1492	WerFault.exe
1492	WerFault.exe
4608	identity_helper.exe
4608	identity_helper.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
3980	Installation.exe
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
6092	WerFault.exe
6092	WerFault.exe
508	WerFault.exe
508	WerFault.exe
3192	Process not Found
3192	Process not Found
5272	WerFault.exe
5272	WerFault.exe
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3192	Process not Found

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
6108	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3192	Process not Found
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192	Process not Found
3192	Process not Found
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192	Process not Found
3192	Process not Found
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192	Process not Found
3192	Process not Found
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3192	Process not Found
3192	Process not Found
3280	explorer.exe
3280	explorer.exe
3192	Process not Found
3192	Process not Found
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe
3280	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	KRSetp.exe
Token: SeRestorePrivilege	1832	WerFault.exe
Token: SeBackupPrivilege	1832	WerFault.exe
Token: SeBackupPrivilege	1832	WerFault.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeTcbPrivilege	2476	svchost.exe
Token: SeDebugPrivilege	5236	OaUqDiJqLrReD6nAIAxVSWA8.exe
Token: SeDebugPrivilege	5264	rUNdlL32.eXe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	2260	AGV_ZCjRSXUJEYPKIJWOth72.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	5364	bAGRnF23dqqSQc9GLsP_8f2i.exe
Token: SeDebugPrivilege	5204	LvJ59gJxc3LSPWvaIC75WK3C.exe
Token: SeDebugPrivilege	1400	8421129.exe
Token: SeDebugPrivilege	4636	i51OEtivp64F1h3jriSb9179.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeDebugPrivilege	1588	3544711.exe
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeShutdownPrivilege	3192	Process not Found
Token: SeCreatePagefilePrivilege	3192	Process not Found
Token: SeCreateTokenPrivilege	1884	askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege	1884	askinstall53.exe
Token: SeLockMemoryPrivilege	1884	askinstall53.exe
Token: SeIncreaseQuotaPrivilege	1884	askinstall53.exe
Token: SeMachineAccountPrivilege	1884	askinstall53.exe
Token: SeTcbPrivilege	1884	askinstall53.exe

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
5040	msedge.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
5692	Cleaner Installation.exe
3472	GameBoxWin64.exe
2536	Weather Installation.exe
5744	ultramediaburner.tmp
3896	WerFault.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
5488	msedge.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe
4032	Weather.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3980	Installation.exe
5276	1JXoSiUoBQDRFxKQt6PfAJQT.exe
5288	S9vvbu_thmJNivbyrd5cbgjY.exe
5300	6fb0NKLzbR9O1Hnpb8meEjoY.exe
5316	bEYG8MCmwS_N0mgL9uYFs3Jb.exe
5328	MsKeXpA3JCm5KJWAfbFTLe6p.exe
5548	iHcz2PjFZ8e9IDvRcRQLV9o9.exe
5584	bFClUtu0XfsHUGnX6uO9BE2D.exe
5556	KaN6V1t36aPvGbjwrCNT4frv.exe
5340	ZP8ROxtPgq7xzmkTnY1ILt2W.exe
796	X6pFteX1hujq71gAoddJIl03.exe
5908	22222.exe
1284	X6pFteX1hujq71gAoddJIl03.tmp
1568	customer3.exe
5884	md8_8eus.exe
2708	1cu20YjSd19Ml5gGnIdtbCyZ.exe
3180	11111.exe
5824	jfiag3g_gg.exe
5248	11111.exe
5744	ultramediaburner.tmp
5908	22222.exe
5480	Setup.exe
3632	MediaBurner2.exe
1884	askinstall53.exe
1604	Conhost.exe
2240	MediaBurner2.tmp
5460	msedge.exe
6112	11111.exe
1664	zhangfei.exe
4856	zhangfei.exe
5780	jfiag3g_gg.exe
5908	22222.exe
2468	22222.exe
972	svchost.exe
2472	22222.exe
6776	ultramediaburner.exe
5744	ultramediaburner.tmp
5828	ufgaa.exe
876	anyname.exe
7084	anyname.exe
5628	11111.exe
4008	804C.exe
6508	11111.exe
5628	11111.exe
2076	11111.exe
5968	h5Mf7fCP0iLoTpkZt0_ezgBy.exe
6244	11111.exe
4628	11111.exe
5408	11111.exe
7104	11111.exe
2460	11111.exe
1376	11111.exe
4504	11111.exe
6332	11111.exe
7076	jfiag3g_gg.exe
1552	11111.exe
3500	11111.exe
3696	11111.exe
6216	11111.exe
5136	11111.exe
3240	11111.exe
6032	11111.exe
6088	11111.exe
5980	11111.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 4780	1624	EB7233922891E1DAD0434FBD52623647.exe	79
PID 1624 wrote to memory of 4780	1624	EB7233922891E1DAD0434FBD52623647.exe	79
PID 1624 wrote to memory of 5040	1624	EB7233922891E1DAD0434FBD52623647.exe	83
PID 1624 wrote to memory of 5040	1624	EB7233922891E1DAD0434FBD52623647.exe	83
PID 1624 wrote to memory of 4924	1624	EB7233922891E1DAD0434FBD52623647.exe	84
PID 1624 wrote to memory of 4924	1624	EB7233922891E1DAD0434FBD52623647.exe	84
PID 1624 wrote to memory of 4924	1624	EB7233922891E1DAD0434FBD52623647.exe	84
PID 5040 wrote to memory of 3508	5040	msedge.exe	86
PID 5040 wrote to memory of 3508	5040	msedge.exe	86
PID 4924 wrote to memory of 4992	4924	Folder.exe	87
PID 4924 wrote to memory of 4992	4924	Folder.exe	87
PID 4924 wrote to memory of 4992	4924	Folder.exe	87
PID 1624 wrote to memory of 4504	1624	EB7233922891E1DAD0434FBD52623647.exe	89
PID 1624 wrote to memory of 4504	1624	EB7233922891E1DAD0434FBD52623647.exe	89
PID 1624 wrote to memory of 4504	1624	EB7233922891E1DAD0434FBD52623647.exe	89
PID 1008 wrote to memory of 1096	1008	rUNdlL32.eXe	91
PID 1008 wrote to memory of 1096	1008	rUNdlL32.eXe	91
PID 1008 wrote to memory of 1096	1008	rUNdlL32.eXe	91
PID 1432 wrote to memory of 1096	1432	WerFault.exe	91
PID 1432 wrote to memory of 1096	1432	WerFault.exe	91
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2368	5040	msedge.exe	95
PID 5040 wrote to memory of 2460	5040	msedge.exe	96
PID 5040 wrote to memory of 2460	5040	msedge.exe	96
PID 5040 wrote to memory of 3924	5040	msedge.exe	97
PID 5040 wrote to memory of 3924	5040	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
"C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/19Pfw7
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
    3⤵
    PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
    3⤵
    PID:3924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
    3⤵
    PID:3504
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
    3⤵
    PID:1712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1828 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,8361035979723908611,2187179552756112428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5112 /prefetch:2
    3⤵
    PID:6188
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:4992
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
  2⤵
  - Executes dropped EXE
  PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 240
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1492
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3980
- - C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe
    "C:\Users\Admin\Documents\6fb0NKLzbR9O1Hnpb8meEjoY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5248
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5460
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6244
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5408
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:7104
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3500
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:6216
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5980
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:7052
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2868
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5516
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6832
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:504
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:4860
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:6488
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:5016
- - C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe
    "C:\Users\Admin\Documents\S9vvbu_thmJNivbyrd5cbgjY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 296
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      PID:6092
- - C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe
    "C:\Users\Admin\Documents\1JXoSiUoBQDRFxKQt6PfAJQT.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5276
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 296
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:508
- - C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe
    "C:\Users\Admin\Documents\ZM0tOe8uO666xAL03x_SEt7G.exe"
    3⤵
    - Executes dropped EXE
    PID:5264
- - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
    "C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5252
  - - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
      C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
      4⤵
      Executes dropped EXE
      PID:4084
  - - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
      C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
      4⤵
      PID:1884
  - - C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
      C:\Users\Admin\Documents\nmRKRFlsM2jdww3bmd_iqMIN.exe
      4⤵
      Executes dropped EXE
      PID:4840
- - C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe
    "C:\Users\Admin\Documents\OaUqDiJqLrReD6nAIAxVSWA8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:5236
- - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
    "C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5228
  - - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
      C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
      4⤵
      Executes dropped EXE
      PID:5732
  - - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
      C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
      4⤵
      Executes dropped EXE
      PID:5896
  - - C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
      C:\Users\Admin\Documents\K9nJsFAus_AD4WbNTjIG3wOs.exe
      4⤵
      Executes dropped EXE
      PID:5392
- - C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe
    "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5216
  - - C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe
      "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
      4⤵
      Drops file in Drivers directory
      Drops file in Program Files directory
      Suspicious use of SetWindowsHookEx
      PID:5968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        Adds Run key to start application
        Enumerates system info in registry
        Suspicious use of FindShellTrayWindow
        
        PID:5488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1a0,0x1a4,0x1a8,0x130,0x1ac,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        6⤵
        
        PID:6756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
        6⤵
        
        PID:6616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        6⤵
        
        PID:1260
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
        6⤵
        
        PID:3468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        6⤵
        
        PID:1564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        6⤵
        
        PID:5528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
        6⤵
        
        PID:5644
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
        6⤵
        
        PID:7004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
        6⤵
        
        PID:3868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 /prefetch:8
        6⤵
        
        PID:6404
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
        6⤵
        
        PID:6280
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
        6⤵
        
        PID:7124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
        6⤵
        
        PID:5564
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6168 /prefetch:8
        6⤵
        
        PID:5548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6328 /prefetch:8
        6⤵
        
        PID:1116
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6464 /prefetch:8
        6⤵
        
        PID:7144
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1896 /prefetch:8
        6⤵
        
        PID:1184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1900 /prefetch:8
        6⤵
        
        PID:4468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4764 /prefetch:8
        6⤵
        
        PID:6604
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6532 /prefetch:8
        6⤵
        
        PID:6388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5000 /prefetch:8
        6⤵
        
        PID:6624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
        6⤵
        
        PID:4336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
        6⤵
        
        PID:5764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6020 /prefetch:2
        6⤵
        
        PID:2692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
        6⤵
        
        PID:3028
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6608 /prefetch:8
        6⤵
        
        PID:1464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5984 /prefetch:8
        6⤵
        
        PID:4552
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4460 /prefetch:8
        6⤵
        
        PID:960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        6⤵
        
        PID:868
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
        6⤵
        
        PID:4508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
        6⤵
        
        PID:2184
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1
        6⤵
        
        PID:3368
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
        6⤵
        
        PID:2424
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7184 /prefetch:8
        6⤵
        
        PID:5880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
        6⤵
        
        PID:1000
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
        6⤵
        
        PID:1660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
        6⤵
        
        PID:5680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
        6⤵
        
        PID:6396
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
        6⤵
        
        PID:4040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8040 /prefetch:8
        6⤵
        
        PID:3288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
        6⤵
        
        PID:2960
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
        6⤵
        
        PID:2532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7640 /prefetch:8
        6⤵
        
        PID:2952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
        6⤵
        
        PID:6600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:1
        6⤵
        
        PID:4492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.PageScreenshotProcessor --field-trial-handle=2188,6548852019474988220,13124048000645428084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8292 /prefetch:8
        6⤵
        
        PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 5968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
        5⤵
        
        PID:6156
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 5968
        6⤵
        Kills process with taskkill
        
        PID:3784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 5968 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\h5Mf7fCP0iLoTpkZt0_ezgBy.exe"
        5⤵
        
        PID:1196
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 5968
        6⤵
        Kills process with taskkill
        
        PID:3340
- - C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe
    "C:\Users\Admin\Documents\LvJ59gJxc3LSPWvaIC75WK3C.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:5204
- - C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe
    "C:\Users\Admin\Documents\S5JNKYGQ09fmPKqgYZFlX5Wl.exe"
    3⤵
    - Executes dropped EXE
    PID:5192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5192 -s 244
      4⤵
      Program crash
      PID:4780
- - C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
    "C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe"
    3⤵
    - Executes dropped EXE
    PID:5180
  - - C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
      C:\Users\Admin\Documents\i51OEtivp64F1h3jriSb9179.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4636
- - C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe
    "C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5168
  - - C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe
      "C:\Users\Admin\Documents\yOpfFns9feXR1oA37BXrUSoj.exe"
      4⤵
      PID:6704
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
- - C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
    "C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5316
  - - C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe
      "C:\Users\Admin\Documents\bEYG8MCmwS_N0mgL9uYFs3Jb.exe"
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:6108
- - C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe
    "C:\Users\Admin\Documents\bAGRnF23dqqSQc9GLsP_8f2i.exe"
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:5364
- - C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe
    "C:\Users\Admin\Documents\ZP8ROxtPgq7xzmkTnY1ILt2W.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 320
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:1556
- - C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe
    "C:\Users\Admin\Documents\MsKeXpA3JCm5KJWAfbFTLe6p.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5328
- - C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe
    "C:\Users\Admin\Documents\bXB9E3wOjLBBoAzWOKy1jhXH.exe"
    3⤵
    - Executes dropped EXE
    PID:5592
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 240
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      PID:4280
- - C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe
    "C:\Users\Admin\Documents\bFClUtu0XfsHUGnX6uO9BE2D.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    PID:5584
  - - C:\Program Files (x86)\Company\NewProduct\customer3.exe
      "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Suspicious use of SetWindowsHookEx
      PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5744
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        
        PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6112
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2468
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:972
    - - C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2472
  - - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5884
  - - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
      "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
      4⤵
      Executes dropped EXE
      PID:5836
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5824
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5780
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7076
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:6356
- - C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe
    "C:\Users\Admin\Documents\KaN6V1t36aPvGbjwrCNT4frv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5556
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5556 -s 300
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5272
- - C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
    "C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:5548
  - - C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe
      "C:\Users\Admin\Documents\iHcz2PjFZ8e9IDvRcRQLV9o9.exe"
      4⤵
      Executes dropped EXE
      PID:5260
- - C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe
    "C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe"
    3⤵
    PID:5908
  - - C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe
      "C:\Users\Admin\Documents\1cu20YjSd19Ml5gGnIdtbCyZ.exe" -q
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2708
- - C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe
    "C:\Users\Admin\Documents\AGV_ZCjRSXUJEYPKIJWOth72.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
  - - C:\Users\Admin\AppData\Roaming\8421129.exe
      "C:\Users\Admin\AppData\Roaming\8421129.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1400
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1400 -s 2340
        5⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4196
  - - C:\Users\Admin\AppData\Roaming\3544711.exe
      "C:\Users\Admin\AppData\Roaming\3544711.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1588
- - C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe
    "C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:796
  - - C:\Users\Admin\AppData\Local\Temp\is-MTJJ2.tmp\X6pFteX1hujq71gAoddJIl03.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-MTJJ2.tmp\X6pFteX1hujq71gAoddJIl03.tmp" /SL5="$202DC,138429,56832,C:\Users\Admin\Documents\X6pFteX1hujq71gAoddJIl03.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1284
    - - C:\Users\Admin\AppData\Local\Temp\is-AA40I.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-AA40I.tmp\Setup.exe" /Verysilent
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:5480
      - C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:496
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        7⤵
        
        PID:5128
      - C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Versiumresearch.exe"
        6⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Users\Admin\AppData\Roaming\1478644.exe
        
        "C:\Users\Admin\AppData\Roaming\1478644.exe"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:4780
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4780 -s 2356
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5544
        
        C:\Users\Admin\AppData\Roaming\5605215.exe
        
        "C:\Users\Admin\AppData\Roaming\5605215.exe"
        7⤵
        
        PID:5744
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        8⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Roaming\3153485.exe
        
        "C:\Users\Admin\AppData\Roaming\3153485.exe"
        7⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Roaming\4881157.exe
        
        "C:\Users\Admin\AppData\Roaming\4881157.exe"
        7⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 2548
        8⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6676
      - C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
        6⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        
        PID:3980
      - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\is-MMVMB.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-MMVMB.tmp\MediaBurner2.tmp" /SL5="$3028C,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\is-V7FOR.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-V7FOR.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        8⤵
        
        PID:5284
        
        C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe
        
        "C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe" /VERYSILENT
        9⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6776
        
        C:\Users\Admin\AppData\Local\Temp\is-RJ7JP.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-RJ7JP.tmp\ultramediaburner.tmp" /SL5="$800AE,281924,62464,C:\Program Files\Microsoft Office 15\ATKMCPCBQB\ultramediaburner.exe" /VERYSILENT
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:5744
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        11⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\d2-de3b3-031-63687-a6b269a3643ce\Lishacidege.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2-de3b3-031-63687-a6b269a3643ce\Lishacidege.exe"
        9⤵
        
        PID:6916
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        10⤵
        
        PID:3792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5460
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        10⤵
        
        PID:4136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:772
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
        10⤵
        
        PID:6016
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:3996
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
        10⤵
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:5752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
        10⤵
        
        PID:5416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
        10⤵
        
        PID:4752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
        10⤵
        
        PID:5176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:4632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1492888&var=3
        10⤵
        
        PID:872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9fdcb46f8,0x7ff9fdcb4708,0x7ff9fdcb4718
        11⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\4d-76cb9-41c-d54a6-3a241b7d81929\Xuvylitadae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4d-76cb9-41c-d54a6-3a241b7d81929\Xuvylitadae.exe"
        9⤵
        Suspicious use of NtCreateProcessExOtherParentProcess
        
        PID:5372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe /qn CAMPAIGN="654" & exit
        10⤵
        
        PID:5172
        
        C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe /qn CAMPAIGN="654"
        11⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\pg4myhyb.nim\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        12⤵
        
        PID:5876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe & exit
        10⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6092
        
        C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe
        
        C:\Users\Admin\AppData\Local\Temp\ymcl0sd4.nao\ufgaa.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6508
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5628
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:5136
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6088
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        12⤵
        
        PID:5904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe & exit
        10⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe
        11⤵
        Suspicious use of SetWindowsHookEx
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dzu2hcjh.utr\anyname.exe" -q
        12⤵
        Suspicious use of SetWindowsHookEx
        
        PID:7084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1392
        13⤵
        Program crash
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:6148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1368
        13⤵
        Program crash
        
        PID:5792
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 1376
        13⤵
        Program crash
        
        PID:5512
      - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:5692
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        7⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5348
      - C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:3472
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
        7⤵
        
        PID:1056
      - C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        
        PID:2536
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1628849081 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        7⤵
        
        PID:2268
      - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1884
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 1908
        7⤵
        Program crash
        
        PID:5348
      - C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhangfei.exe" -a
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4856
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\md9_1sjm.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  PID:4252

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv spk7Mq6mdk6K+NQLk1ou5Q.0.2
1⤵
- Modifies data under HKEY_USERS
PID:4172

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:1096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 452
    3⤵
    - Drops file in Windows directory
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4504 -ip 4504
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5556 -ip 5556
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5276 -ip 5276
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5288 -ip 5288
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 5340 -ip 5340
1⤵
PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5592 -ip 5592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 5192 -ip 5192
1⤵
PID:5372

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:4176
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  - Loads dropped DLL
  PID:2000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 448
    3⤵
    - Suspicious use of SetThreadContext
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2000 -ip 2000
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:4992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 746450773384A016A2AFC0A8030AEDA5 C
  2⤵
  - Loads dropped DLL
  PID:2488
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EED348EC35EAE2F5393D136883315BB8 C
  2⤵
  - Loads dropped DLL
  PID:4976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1F4A76F4E90F1B5C39492027BD6B7113 C
  2⤵
  - Loads dropped DLL
  PID:5504
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3AD28EA06C7BA358D002BA422BE6650A
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:6456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F1A54687B998F4DB192D8541B949025D C
  2⤵
  - Loads dropped DLL
  PID:6816
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Program Files directory
  PID:5284
- - C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe
    "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\RequiredApplication_1\Weather_Installation.exe" -silent=1 -AF=715 -BF=715 -uncf=default
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    PID:5424
  - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
      "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" "--PH33"
      4⤵
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4032
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        C:\Users\Admin\AppData\Roaming\Weather\Weather.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Weather\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Weather\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Weather\User Data" --annotation=plat=Win64 --annotation=prod=Weather --annotation=ver=0.0.2 --initial-client-data=0xac,0xb0,0x20c,0x1f0,0x210,0x7ff9ead29ec0,0x7ff9ead29ed0,0x7ff9ead29ee0
        5⤵
        Loads dropped DLL
        
        PID:2788
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1628 /prefetch:2
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:2360
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2012 /prefetch:8
        5⤵
        Loads dropped DLL
        
        PID:6012
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2408 /prefetch:8
        5⤵
        Loads dropped DLL
        
        PID:1108
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Weather\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --nwjs --extension-process --enable-auto-reload --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2536 /prefetch:1
        5⤵
        Loads dropped DLL
        
        PID:6656
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3160 /prefetch:8
        5⤵
        Loads dropped DLL
        
        PID:492
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=gpu-process --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1992 /prefetch:2
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6396
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=2000 /prefetch:8
        5⤵
        
        PID:6684
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3456 /prefetch:8
        5⤵
        
        PID:1324
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=3552 /prefetch:8
        5⤵
        
        PID:5084
    - - C:\Users\Admin\AppData\Roaming\Weather\Weather.exe
        
        "C:\Users\Admin\AppData\Roaming\Weather\Weather.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1612,12098843307284300968,17952775453086869890,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --enable-audio-service-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Weather\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4032_535539371" --mojo-platform-channel-handle=1104 /prefetch:8
        5⤵
        
        PID:876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_2547.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
    3⤵
    - Blocklisted process makes network request
    PID:4276

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:5264
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 448
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4408 -ip 4408
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 1884 -ip 1884
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 7084 -ip 7084
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5524

C:\Users\Admin\AppData\Local\Temp\804C.exe
C:\Users\Admin\AppData\Local\Temp\804C.exe
1⤵
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Users\Admin\AppData\Local\Temp\8F03.exe
C:\Users\Admin\AppData\Local\Temp\8F03.exe
1⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\9A5E.exe
C:\Users\Admin\AppData\Local\Temp\9A5E.exe
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5772

C:\Users\Admin\AppData\Local\Temp\A126.exe
C:\Users\Admin\AppData\Local\Temp\A126.exe
1⤵
PID:3128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 296
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3128 -ip 3128
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3896

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5452 -s 876
  2⤵
  - Program crash
  PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 5452 -ip 5452
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
- Suspicious behavior: MapViewOfSection
PID:3280

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4548

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 612 -p 1400 -ip 1400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5764

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2980

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 4780 -ip 4780
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5344 -ip 5344
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3004

C:\Program Files\Windows Defender\mpcmdrun.exe
"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
1⤵
PID:5172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/496-518-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/796-329-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1284-391-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

Filesize
4KB

Download
memory/1284-405-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/1284-366-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/1284-361-0x00000000031C0000-0x00000000031FC000-memory.dmp

Filesize
240KB

Download
memory/1284-368-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/1284-369-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/1284-371-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/1284-373-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/1284-377-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/1284-380-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/1284-384-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/1284-398-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/1284-382-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1284-423-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/1284-421-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/1284-413-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/1284-418-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/1284-410-0x0000000005B20000-0x0000000005B21000-memory.dmp

Filesize
4KB

Download
memory/1284-387-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/1284-394-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/1400-459-0x000000001BB10000-0x000000001BB12000-memory.dmp

Filesize
8KB

Download
memory/1568-437-0x000001FBA1010000-0x000001FBA107E000-memory.dmp

Filesize
440KB

Download
memory/1568-438-0x000001FBA14F0000-0x000001FBA15BF000-memory.dmp

Filesize
828KB

Download
memory/1588-476-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/2240-532-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/2260-354-0x0000000001460000-0x0000000001476000-memory.dmp

Filesize
88KB

Download
memory/2260-365-0x000000001BCB0000-0x000000001BCB2000-memory.dmp

Filesize
8KB

Download
memory/2260-331-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2368-180-0x00007FFA1D5F0000-0x00007FFA1D5F1000-memory.dmp

Filesize
4KB

Download
memory/3192-378-0x000000000AD30000-0x000000000AD40000-memory.dmp

Filesize
64KB

Download
memory/3192-376-0x0000000008700000-0x0000000008710000-memory.dmp

Filesize
64KB

Download
memory/3192-341-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/3284-534-0x000000001B470000-0x000000001B472000-memory.dmp

Filesize
8KB

Download
memory/3632-514-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3980-529-0x0000000000800000-0x0000000000803000-memory.dmp

Filesize
12KB

Download
memory/3980-227-0x0000000003F70000-0x00000000040AD000-memory.dmp

Filesize
1.2MB

Download
memory/4504-206-0x0000000001650000-0x0000000001F76000-memory.dmp

Filesize
9.1MB

Download
memory/4636-461-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/4780-153-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4780-151-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/4780-154-0x0000000000EB0000-0x0000000000ECC000-memory.dmp

Filesize
112KB

Download
memory/4780-155-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4780-156-0x000000001B8B0000-0x000000001B8B2000-memory.dmp

Filesize
8KB

Download
memory/4780-570-0x000000001B7A0000-0x000000001B7A2000-memory.dmp

Filesize
8KB

Download
memory/4840-523-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/5128-583-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/5168-345-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/5168-330-0x00000000052E0000-0x0000000005886000-memory.dmp

Filesize
5.6MB

Download
memory/5168-288-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/5168-298-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/5180-362-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/5180-340-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/5204-441-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/5216-306-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/5216-334-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/5216-309-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/5216-302-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/5216-287-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/5216-299-0x0000000005630000-0x0000000005631000-memory.dmp

Filesize
4KB

Download
memory/5216-323-0x0000000005080000-0x0000000005626000-memory.dmp

Filesize
5.6MB

Download
memory/5228-359-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/5228-346-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/5228-335-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/5236-337-0x000001AEC8E20000-0x000001AEC8E39000-memory.dmp

Filesize
100KB

Download
memory/5236-294-0x00007FF9EEC70000-0x00007FF9EEDBF000-memory.dmp

Filesize
1.3MB

Download
memory/5236-254-0x000001AEC7020000-0x000001AEC7021000-memory.dmp

Filesize
4KB

Download
memory/5236-350-0x000001AEE1820000-0x000001AEE1821000-memory.dmp

Filesize
4KB

Download
memory/5236-286-0x000001AEE1870000-0x000001AEE1872000-memory.dmp

Filesize
8KB

Download
memory/5236-349-0x000001AEC8E60000-0x000001AEC8E61000-memory.dmp

Filesize
4KB

Download
memory/5252-355-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/5252-356-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/5252-333-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/5264-290-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/5264-319-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download
memory/5264-307-0x000000001AC70000-0x000000001AC85000-memory.dmp

Filesize
84KB

Download
memory/5276-284-0x0000000004890000-0x00000000048C0000-memory.dmp

Filesize
192KB

Download
memory/5284-545-0x00000000011A0000-0x00000000011A2000-memory.dmp

Filesize
8KB

Download
memory/5288-300-0x0000000002DC0000-0x0000000002DC9000-memory.dmp

Filesize
36KB

Download
memory/5300-364-0x0000020324C60000-0x0000020324D2F000-memory.dmp

Filesize
828KB

Download
memory/5300-352-0x0000020324BF0000-0x0000020324C5F000-memory.dmp

Filesize
444KB

Download
memory/5316-304-0x0000000002E60000-0x0000000002E6A000-memory.dmp

Filesize
40KB

Download
memory/5328-289-0x0000000001260000-0x0000000001272000-memory.dmp

Filesize
72KB

Download
memory/5328-273-0x0000000001240000-0x0000000001250000-memory.dmp

Filesize
64KB

Download
memory/5340-332-0x00000000049C0000-0x00000000049EF000-memory.dmp

Filesize
188KB

Download
memory/5344-567-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/5364-415-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/5364-370-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/5392-526-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/5556-296-0x00000000049F0000-0x0000000004A8D000-memory.dmp

Filesize
628KB

Download
memory/5592-402-0x0000000000CA0000-0x0000000000D2F000-memory.dmp

Filesize
572KB

Download
memory/5688-609-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/5744-686-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/5884-367-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/6108-311-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6132-593-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/6776-685-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download