glupteba | 1cd649ea4273fd977b6a350bfe8f3b62f1d0aee1408b9966aa3d6ad39ba5af6a

Target

Setup (23).exe
Size

631KB
MD5

cb927513ff8ebff4dd52a47f7e42f934
SHA1

0de47c02a8adc4940a6c18621b4e4a619641d029
SHA256

fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
SHA512

988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score

10^/10

glupteba metasploit redline smokeloader vidar 19.08 20_8_rs second_7.5k www backdoor discovery dropper evasion infostealer loader stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

www

185.204.109.146:54891

Extracted

Family

redline

Botnet

Second_7.5K

45.14.49.200:27625

Extracted

Family

redline

Botnet

19.08

95.181.172.100:6795

Extracted

Family

redline

Botnet

20_8_rs

jekorikani.xyz:80

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 2 IoCs

resource	yara_rule
behavioral31/memory/1800-305-0x0000000004460000-0x0000000004D86000-memory.dmp	family_glupteba
behavioral31/memory/1800-307-0x0000000000400000-0x00000000027DB000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 12 IoCs

resource	yara_rule
behavioral31/files/0x000300000001313e-64.dat	family_redline
behavioral31/files/0x0003000000013153-74.dat	family_redline
behavioral31/files/0x000300000001313e-73.dat	family_redline
behavioral31/files/0x0003000000013153-90.dat	family_redline
behavioral31/files/0x0003000000013153-99.dat	family_redline
behavioral31/memory/1252-155-0x0000000002D50000-0x0000000002D6C000-memory.dmp	family_redline
behavioral31/memory/1868-157-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral31/memory/1868-158-0x000000000041905A-mapping.dmp	family_redline
behavioral31/memory/1868-160-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral31/memory/2588-172-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral31/memory/2588-173-0x0000000000418F7A-mapping.dmp	family_redline
behavioral31/memory/2588-175-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral31/memory/1976-140-0x0000000004460000-0x00000000044FD000-memory.dmp	family_vidar

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

pid	Process
1624	n666T662u2CdxaFQXD5gI304.exe
316	4YpBozen1I5_9W7lgo6MqtJK.exe
1800	yTGMOYQ5CAzcLmKxcFZLWINg.exe
1392	uV82QR2d6Qjk9oeSxdudUFii.exe
956	ZKT4h33nh6xNLZRjlOjSqYOZ.exe
1396	Pm28RCyUz1cqlXesgjAhcbQW.exe
936	Gpd5VV8sWZ20hsauN6jia8iq.exe
2008	Zq11_N2R8wRsUAhP9ie_PeU6.exe
1804	VrXj68A5S2PezomJ6BwMM_Lh.exe
1968	zowIj0vOuJANYX3aDpWSk0xY.exe
1252	WrNNEFNYAlc1ffMSNbEOlyzH.exe
1976	3GOKBc6Zz43Q1tcEDGdOZBS9.exe
1888	mBvErKimNiqA_ndG4qJuZ0Uv.exe
684	wXmjgcXT_dxEv8z5T22Nos9Y.exe
1948	w4Hz6KhgRbxY6S87_ralfbNo.exe
1576	xnUmI92yIlBDAwZdzTha7fsK.exe
776	KTwNaicTuxE10x5bZPEAIMMq.exe
1060	VrXj68A5S2PezomJ6BwMM_Lh.exe
268	Zq11_N2R8wRsUAhP9ie_PeU6.exe
1868	Zq11_N2R8wRsUAhP9ie_PeU6.exe
1920	DplSlV7JD4QYkyXzQTt2P5m5.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	w4Hz6KhgRbxY6S87_ralfbNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	w4Hz6KhgRbxY6S87_ralfbNo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KTwNaicTuxE10x5bZPEAIMMq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KTwNaicTuxE10x5bZPEAIMMq.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	Setup (23).exe

Loads dropped DLL 27 IoCs

pid	Process
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe
372	Setup (23).exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2272	icacls.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral31/files/0x0003000000013159-62.dat	themida
behavioral31/files/0x0003000000013159-66.dat	themida
behavioral31/files/0x0003000000013172-76.dat	themida
behavioral31/files/0x0003000000013172-91.dat	themida
behavioral31/files/0x000300000001318f-121.dat	themida
behavioral31/files/0x000300000001318c-119.dat	themida
behavioral31/files/0x000300000001318f-133.dat	themida
behavioral31/files/0x000300000001318c-130.dat	themida
behavioral31/memory/1948-150-0x00000000009A0000-0x00000000009A1000-memory.dmp	themida
behavioral31/memory/776-153-0x00000000003F0000-0x00000000003F1000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KTwNaicTuxE10x5bZPEAIMMq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	w4Hz6KhgRbxY6S87_ralfbNo.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 16 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
264	api.2ip.ua
279	api.2ip.ua
588	api.2ip.ua
589	api.2ip.ua
21	ipinfo.io
161	ipinfo.io
212	ipinfo.io
216	ipinfo.io
261	api.2ip.ua
157	ipinfo.io
192	ipinfo.io
276	ipinfo.io
22	ipinfo.io
146	ip-api.com
195	ipinfo.io
856	api.2ip.ua

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2592	2544	WerFault.exe	91
3048	2096	WerFault.exe	81
3336	2036	WerFault.exe	100
3136	3420	WerFault.exe	139
2864	1656	WerFault.exe	181

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1948	w4Hz6KhgRbxY6S87_ralfbNo.exe
776	KTwNaicTuxE10x5bZPEAIMMq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1868	2008	Zq11_N2R8wRsUAhP9ie_PeU6.exe	64

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3480	schtasks.exe
3780	schtasks.exe
2652	schtasks.exe
2152	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2400	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1428	taskkill.exe
2800	taskkill.exe
2228	taskkill.exe
3976	taskkill.exe
2132	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Setup (23).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (23).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Setup (23).exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Setup (23).exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Setup (23).exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3392	PING.EXE

Script User-Agent 5 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	215	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	277	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	159	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	163	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	194	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
372	Setup (23).exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	w4Hz6KhgRbxY6S87_ralfbNo.exe
Token: SeDebugPrivilege	1868	Zq11_N2R8wRsUAhP9ie_PeU6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 1624	372	Setup (23).exe	32
PID 372 wrote to memory of 316	372	Setup (23).exe	31
PID 372 wrote to memory of 316	372	Setup (23).exe	31
PID 372 wrote to memory of 316	372	Setup (23).exe	31
PID 372 wrote to memory of 316	372	Setup (23).exe	31
PID 372 wrote to memory of 1568	372	Setup (23).exe	34
PID 372 wrote to memory of 1568	372	Setup (23).exe	34
PID 372 wrote to memory of 1568	372	Setup (23).exe	34
PID 372 wrote to memory of 1568	372	Setup (23).exe	34
PID 372 wrote to memory of 1800	372	Setup (23).exe	42
PID 372 wrote to memory of 1800	372	Setup (23).exe	42
PID 372 wrote to memory of 1800	372	Setup (23).exe	42
PID 372 wrote to memory of 1800	372	Setup (23).exe	42
PID 372 wrote to memory of 1392	372	Setup (23).exe	41
PID 372 wrote to memory of 1392	372	Setup (23).exe	41
PID 372 wrote to memory of 1392	372	Setup (23).exe	41
PID 372 wrote to memory of 1392	372	Setup (23).exe	41
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 956	372	Setup (23).exe	39
PID 372 wrote to memory of 936	372	Setup (23).exe	38
PID 372 wrote to memory of 936	372	Setup (23).exe	38
PID 372 wrote to memory of 936	372	Setup (23).exe	38
PID 372 wrote to memory of 936	372	Setup (23).exe	38
PID 372 wrote to memory of 2008	372	Setup (23).exe	37
PID 372 wrote to memory of 2008	372	Setup (23).exe	37
PID 372 wrote to memory of 2008	372	Setup (23).exe	37
PID 372 wrote to memory of 2008	372	Setup (23).exe	37
PID 372 wrote to memory of 1396	372	Setup (23).exe	36
PID 372 wrote to memory of 1396	372	Setup (23).exe	36
PID 372 wrote to memory of 1396	372	Setup (23).exe	36
PID 372 wrote to memory of 1396	372	Setup (23).exe	36
PID 372 wrote to memory of 1920	372	Setup (23).exe	35
PID 372 wrote to memory of 1920	372	Setup (23).exe	35
PID 372 wrote to memory of 1920	372	Setup (23).exe	35
PID 372 wrote to memory of 1920	372	Setup (23).exe	35
PID 372 wrote to memory of 1804	372	Setup (23).exe	57
PID 372 wrote to memory of 1804	372	Setup (23).exe	57
PID 372 wrote to memory of 1804	372	Setup (23).exe	57
PID 372 wrote to memory of 1804	372	Setup (23).exe	57
PID 372 wrote to memory of 1968	372	Setup (23).exe	56
PID 372 wrote to memory of 1968	372	Setup (23).exe	56
PID 372 wrote to memory of 1968	372	Setup (23).exe	56
PID 372 wrote to memory of 1968	372	Setup (23).exe	56
PID 372 wrote to memory of 1976	372	Setup (23).exe	55
PID 372 wrote to memory of 1976	372	Setup (23).exe	55
PID 372 wrote to memory of 1976	372	Setup (23).exe	55
PID 372 wrote to memory of 1976	372	Setup (23).exe	55
PID 372 wrote to memory of 684	372	Setup (23).exe	54
PID 372 wrote to memory of 684	372	Setup (23).exe	54
PID 372 wrote to memory of 684	372	Setup (23).exe	54
PID 372 wrote to memory of 684	372	Setup (23).exe	54
PID 372 wrote to memory of 1252	372	Setup (23).exe	53
PID 372 wrote to memory of 1252	372	Setup (23).exe	53

C:\Users\Admin\AppData\Local\Temp\Setup (23).exe
"C:\Users\Admin\AppData\Local\Temp\Setup (23).exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\Documents\4YpBozen1I5_9W7lgo6MqtJK.exe
  "C:\Users\Admin\Documents\4YpBozen1I5_9W7lgo6MqtJK.exe"
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Users\Admin\Documents\n666T662u2CdxaFQXD5gI304.exe
  "C:\Users\Admin\Documents\n666T662u2CdxaFQXD5gI304.exe"
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Users\Admin\Documents\dNfGlKYiBxTpop5ehQmjwWaf.exe
  "C:\Users\Admin\Documents\dNfGlKYiBxTpop5ehQmjwWaf.exe"
  2⤵
  PID:1568
- C:\Users\Admin\Documents\DplSlV7JD4QYkyXzQTt2P5m5.exe
  "C:\Users\Admin\Documents\DplSlV7JD4QYkyXzQTt2P5m5.exe"
  2⤵
  - Executes dropped EXE
  PID:1920
- - C:\Users\Admin\Documents\DplSlV7JD4QYkyXzQTt2P5m5.exe
    C:\Users\Admin\Documents\DplSlV7JD4QYkyXzQTt2P5m5.exe
    3⤵
    PID:2576
- - C:\Users\Admin\Documents\DplSlV7JD4QYkyXzQTt2P5m5.exe
    C:\Users\Admin\Documents\DplSlV7JD4QYkyXzQTt2P5m5.exe
    3⤵
    PID:2588
- C:\Users\Admin\Documents\Pm28RCyUz1cqlXesgjAhcbQW.exe
  "C:\Users\Admin\Documents\Pm28RCyUz1cqlXesgjAhcbQW.exe"
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Users\Admin\Documents\Zq11_N2R8wRsUAhP9ie_PeU6.exe
  "C:\Users\Admin\Documents\Zq11_N2R8wRsUAhP9ie_PeU6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2008
- - C:\Users\Admin\Documents\Zq11_N2R8wRsUAhP9ie_PeU6.exe
    C:\Users\Admin\Documents\Zq11_N2R8wRsUAhP9ie_PeU6.exe
    3⤵
    - Executes dropped EXE
    PID:268
- - C:\Users\Admin\Documents\Zq11_N2R8wRsUAhP9ie_PeU6.exe
    C:\Users\Admin\Documents\Zq11_N2R8wRsUAhP9ie_PeU6.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Users\Admin\Documents\Gpd5VV8sWZ20hsauN6jia8iq.exe
  "C:\Users\Admin\Documents\Gpd5VV8sWZ20hsauN6jia8iq.exe"
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Users\Admin\Documents\ZKT4h33nh6xNLZRjlOjSqYOZ.exe
  "C:\Users\Admin\Documents\ZKT4h33nh6xNLZRjlOjSqYOZ.exe"
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Users\Admin\Documents\uV82QR2d6Qjk9oeSxdudUFii.exe
  "C:\Users\Admin\Documents\uV82QR2d6Qjk9oeSxdudUFii.exe"
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Users\Admin\Documents\yTGMOYQ5CAzcLmKxcFZLWINg.exe
  "C:\Users\Admin\Documents\yTGMOYQ5CAzcLmKxcFZLWINg.exe"
  2⤵
  - Executes dropped EXE
  PID:1800
- - C:\Users\Admin\Documents\yTGMOYQ5CAzcLmKxcFZLWINg.exe
    "C:\Users\Admin\Documents\yTGMOYQ5CAzcLmKxcFZLWINg.exe"
    3⤵
    PID:2212
- C:\Users\Admin\Documents\KTwNaicTuxE10x5bZPEAIMMq.exe
  "C:\Users\Admin\Documents\KTwNaicTuxE10x5bZPEAIMMq.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:776
- C:\Users\Admin\Documents\w4Hz6KhgRbxY6S87_ralfbNo.exe
  "C:\Users\Admin\Documents\w4Hz6KhgRbxY6S87_ralfbNo.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Users\Admin\Documents\xnUmI92yIlBDAwZdzTha7fsK.exe
  "C:\Users\Admin\Documents\xnUmI92yIlBDAwZdzTha7fsK.exe"
  2⤵
  - Executes dropped EXE
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\is-AV08U.tmp\xnUmI92yIlBDAwZdzTha7fsK.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-AV08U.tmp\xnUmI92yIlBDAwZdzTha7fsK.tmp" /SL5="$301A2,138429,56832,C:\Users\Admin\Documents\xnUmI92yIlBDAwZdzTha7fsK.exe"
    3⤵
    PID:664
  - - C:\Users\Admin\AppData\Local\Temp\is-L6NKT.tmp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\is-L6NKT.tmp\Setup.exe" /Verysilent
      4⤵
      PID:2464
    - - C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"
        5⤵
        
        PID:2096
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 1408
        6⤵
        Program crash
        
        PID:3048
    - - C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet
        5⤵
        
        PID:2132
      - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274925 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"
        6⤵
        
        PID:1256
    - - C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        5⤵
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\is-CP1RG.tmp\WEATHER Manager.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-CP1RG.tmp\WEATHER Manager.tmp" /SL5="$10218,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent
        6⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\is-SNHPJ.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SNHPJ.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=715
        7⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-SNHPJ.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-SNHPJ.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274925 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
        8⤵
        
        PID:1892
    - - C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"
        5⤵
        
        PID:2644
    - - C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        5⤵
        
        PID:1652
      - C:\Users\Admin\AppData\Local\Temp\is-3OJ1I.tmp\MediaBurner2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3OJ1I.tmp\MediaBurner2.tmp" /SL5="$1021C,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"
        6⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\is-2BBPK.tmp\3377047_logo_media.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2BBPK.tmp\3377047_logo_media.exe" /S /UID=burnerch2
        7⤵
        
        PID:2696
        
        C:\Program Files\Common Files\XRXHYKZXQY\ultramediaburner.exe
        
        "C:\Program Files\Common Files\XRXHYKZXQY\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\is-GAVHD.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GAVHD.tmp\ultramediaburner.tmp" /SL5="$10332,281924,62464,C:\Program Files\Common Files\XRXHYKZXQY\ultramediaburner.exe" /VERYSILENT
        9⤵
        
        PID:3896
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        10⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\91-9f2c0-9c5-c5f9d-a3f14b5e16eef\ZHoxihywashi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\91-9f2c0-9c5-c5f9d-a3f14b5e16eef\ZHoxihywashi.exe"
        8⤵
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        9⤵
        
        PID:3520
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 2300
        11⤵
        Program crash
        
        PID:2864
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3520 CREDAT:799752 /prefetch:2
        10⤵
        
        PID:3612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad
        9⤵
        
        PID:3636
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:1308
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:1127438 /prefetch:2
        10⤵
        
        PID:2904
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:340995 /prefetch:2
        10⤵
        
        PID:2384
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:603150 /prefetch:2
        10⤵
        
        PID:3236
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:275485 /prefetch:2
        10⤵
        
        PID:2008
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:2110480 /prefetch:2
        10⤵
        
        PID:2860
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3636 CREDAT:1717270 /prefetch:2
        10⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://vexacion.com/afu.php?zoneid=1851483
        9⤵
        
        PID:1720
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1720 CREDAT:275457 /prefetch:2
        10⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\60-a5719-8af-179ad-e487c511ef4cf\ZHasaewisaeli.exe
        
        "C:\Users\Admin\AppData\Local\Temp\60-a5719-8af-179ad-e487c511ef4cf\ZHasaewisaeli.exe"
        8⤵
        
        PID:3228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lqyll4h4.t5d\GcleanerEU.exe /eufive & exit
        9⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\lqyll4h4.t5d\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\lqyll4h4.t5d\GcleanerEU.exe /eufive
        10⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\lqyll4h4.t5d\GcleanerEU.exe" & exit
        11⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yvp0vd12.j3p\installer.exe /qn CAMPAIGN="654" & exit
        9⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\yvp0vd12.j3p\installer.exe
        
        C:\Users\Admin\AppData\Local\Temp\yvp0vd12.j3p\installer.exe /qn CAMPAIGN="654"
        10⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\yvp0vd12.j3p\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\yvp0vd12.j3p\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274925 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
        11⤵
        
        PID:3468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4mqt1p3e.odg\ufgaa.exe & exit
        9⤵
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\drbgevnu.zvr\anyname.exe & exit
        9⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\drbgevnu.zvr\anyname.exe
        
        C:\Users\Admin\AppData\Local\Temp\drbgevnu.zvr\anyname.exe
        10⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\drbgevnu.zvr\anyname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\drbgevnu.zvr\anyname.exe" -q
        11⤵
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\teutpzmz.mdo\gcleaner.exe /mixfive & exit
        9⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\teutpzmz.mdo\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\teutpzmz.mdo\gcleaner.exe /mixfive
        10⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\teutpzmz.mdo\gcleaner.exe" & exit
        11⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        12⤵
        Kills process with taskkill
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\oij1habu.uqx\autosubplayer.exe /S & exit
        9⤵
        
        PID:2200
    - - C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"
        5⤵
        
        PID:2916
      - C:\Users\Admin\AppData\Roaming\6638866.exe
        
        "C:\Users\Admin\AppData\Roaming\6638866.exe"
        6⤵
        
        PID:2036
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2036 -s 1592
        7⤵
        Program crash
        
        PID:3336
      - C:\Users\Admin\AppData\Roaming\8697306.exe
        
        "C:\Users\Admin\AppData\Roaming\8697306.exe"
        6⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:1944
      - C:\Users\Admin\AppData\Roaming\3163625.exe
        
        "C:\Users\Admin\AppData\Roaming\3163625.exe"
        6⤵
        
        PID:2012
      - C:\Users\Admin\AppData\Roaming\5343497.exe
        
        "C:\Users\Admin\AppData\Roaming\5343497.exe"
        6⤵
        
        PID:1064
    - - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"
        5⤵
        
        PID:2656
      - C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q
        6⤵
        
        PID:2396
    - - C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"
        5⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\tmp39D5_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp39D5_tmp.exe"
        6⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        7⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks
        7⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        8⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping MRBKYMNO -n 30
        9⤵
        Runs ping.exe
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        Esplorarne.exe.com i
        9⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        10⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        11⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        12⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        13⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        14⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        15⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        16⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        17⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        18⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        19⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        20⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        21⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        22⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        23⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        24⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        25⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        26⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        27⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        28⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        29⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        30⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        31⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        32⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        33⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        34⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        35⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        36⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        37⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        38⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        39⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        40⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        41⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        42⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        43⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        44⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        45⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        46⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        47⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        48⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        49⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        50⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        51⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        52⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        53⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        54⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        55⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        56⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        57⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        58⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        59⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        60⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        61⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        62⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        63⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        64⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        65⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        66⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        67⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        68⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        69⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        70⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        71⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        72⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        73⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        74⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i
        75⤵
        
        PID:2180
    - - C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"
        5⤵
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:1428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 1504
        6⤵
        Program crash
        
        PID:2592
    - - C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"
        5⤵
        
        PID:1600
    - - C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        5⤵
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\is-7MEQ6.tmp\VPN.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7MEQ6.tmp\VPN.tmp" /SL5="$10204,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent
        6⤵
        
        PID:2688
    - - C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
        5⤵
        
        PID:2320
- C:\Users\Admin\Documents\mBvErKimNiqA_ndG4qJuZ0Uv.exe
  "C:\Users\Admin\Documents\mBvErKimNiqA_ndG4qJuZ0Uv.exe"
  2⤵
  - Executes dropped EXE
  PID:1888
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:1996
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      PID:3640
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2056
- - C:\Program Files (x86)\Company\NewProduct\customer3.exe
    "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
    3⤵
    PID:2464
- C:\Users\Admin\Documents\WrNNEFNYAlc1ffMSNbEOlyzH.exe
  "C:\Users\Admin\Documents\WrNNEFNYAlc1ffMSNbEOlyzH.exe"
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Users\Admin\Documents\wXmjgcXT_dxEv8z5T22Nos9Y.exe
  "C:\Users\Admin\Documents\wXmjgcXT_dxEv8z5T22Nos9Y.exe"
  2⤵
  - Executes dropped EXE
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "wXmjgcXT_dxEv8z5T22Nos9Y.exe" /f & erase "C:\Users\Admin\Documents\wXmjgcXT_dxEv8z5T22Nos9Y.exe" & exit
    3⤵
    PID:2008
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "wXmjgcXT_dxEv8z5T22Nos9Y.exe" /f
      4⤵
      Kills process with taskkill
      PID:2132
- C:\Users\Admin\Documents\3GOKBc6Zz43Q1tcEDGdOZBS9.exe
  "C:\Users\Admin\Documents\3GOKBc6Zz43Q1tcEDGdOZBS9.exe"
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Users\Admin\Documents\zowIj0vOuJANYX3aDpWSk0xY.exe
  "C:\Users\Admin\Documents\zowIj0vOuJANYX3aDpWSk0xY.exe"
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Users\Admin\Documents\VrXj68A5S2PezomJ6BwMM_Lh.exe
  "C:\Users\Admin\Documents\VrXj68A5S2PezomJ6BwMM_Lh.exe"
  2⤵
  - Executes dropped EXE
  PID:1804
- - C:\Users\Admin\Documents\VrXj68A5S2PezomJ6BwMM_Lh.exe
    "C:\Users\Admin\Documents\VrXj68A5S2PezomJ6BwMM_Lh.exe" -q
    3⤵
    - Executes dropped EXE
    PID:1060

C:\Users\Admin\AppData\Local\Temp\is-O7O5Q.tmp\Inlog.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O7O5Q.tmp\Inlog.tmp" /SL5="$70128,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent
1⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\FCC6.exe
C:\Users\Admin\AppData\Local\Temp\FCC6.exe
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\FCC6.exe
  C:\Users\Admin\AppData\Local\Temp\FCC6.exe
  2⤵
  PID:468
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\FCC6.exe
    "C:\Users\Admin\AppData\Local\Temp\FCC6.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2568
  - - C:\Users\Admin\AppData\Local\Temp\FCC6.exe
      "C:\Users\Admin\AppData\Local\Temp\FCC6.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:1160
    - - C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build2.exe
        
        "C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build2.exe"
        5⤵
        
        PID:4020
      - C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build2.exe
        
        "C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build2.exe"
        6⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 884
        7⤵
        Program crash
        
        PID:3136
    - - C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build3.exe
        
        "C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build3.exe"
        5⤵
        
        PID:3116
      - C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build3.exe
        
        "C:\Users\Admin\AppData\Local\9bbc5c21-99ed-483b-afc1-a2ae5d458ea1\build3.exe"
        6⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:3480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC5189C0B25429A7DDF1E91F8C819F52 C
  2⤵
  PID:1608
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD86E943D04D5ED9C9B786A48124AA6E
  2⤵
  PID:4056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2E95860E5789E1476BD0B63C2056A031 C
  2⤵
  PID:3344
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C5E76DB45864790850ED9BA8FC17AF5 C
  2⤵
  PID:112
- C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_4692.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"
    3⤵
    PID:4060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9996A42C1BB28520EC2EF33133DFFCF8
  2⤵
  PID:296
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:3976

C:\Users\Admin\AppData\Local\Temp\5542.exe
C:\Users\Admin\AppData\Local\Temp\5542.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\2ADA.exe
C:\Users\Admin\AppData\Local\Temp\2ADA.exe
1⤵
PID:3664

C:\Windows\system32\taskeng.exe
taskeng.exe {7D46B9A6-4009-43CE-BCF0-CE83C46D313B} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]
1⤵
PID:3616
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:700
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3184
- C:\Users\Admin\AppData\Roaming\dejsbic
  C:\Users\Admin\AppData\Roaming\dejsbic
  2⤵
  PID:4008
- C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe
  C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe --Task
  2⤵
  PID:2724
- - C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe
    C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe --Task
    3⤵
    PID:3432
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  2⤵
  PID:3428
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:3556
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2824
- C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe
  C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe --Task
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe
    C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe --Task
    3⤵
    PID:3628
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:1996
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:2652
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  2⤵
  PID:2720
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
  2⤵
  PID:2868
- - C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    3⤵
    PID:3464
- C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe
  C:\Users\Admin\AppData\Local\5aeb1e0d-a89f-4077-8277-7c462b54167f\FCC6.exe --Task
  2⤵
  PID:2224

C:\Users\Admin\AppData\Local\Temp\F5C7.exe
C:\Users\Admin\AppData\Local\Temp\F5C7.exe
1⤵
PID:3572
- C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe
  "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
    3⤵
    PID:3316
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\
      4⤵
      PID:1692
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3780

C:\Users\Admin\AppData\Local\Temp\77D3.exe
C:\Users\Admin\AppData\Local\Temp\77D3.exe
1⤵
PID:3956
- C:\Users\Admin\AppData\Local\Temp\kE3SW8H3uX.exe
  "C:\Users\Admin\AppData\Local\Temp\kE3SW8H3uX.exe"
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\77D3.exe"
  2⤵
  PID:3760
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\kkmz4TwJKo.exe
  "C:\Users\Admin\AppData\Local\Temp\kkmz4TwJKo.exe"
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    3⤵
    PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-61-0x0000000003CD0000-0x0000000003E0F000-memory.dmp

Filesize
1.2MB

Download
memory/372-60-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/664-336-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/664-331-0x0000000003910000-0x0000000003911000-memory.dmp

Filesize
4KB

Download
memory/664-337-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/664-319-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/664-323-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/664-193-0x000000006BED1000-0x000000006BED3000-memory.dmp

Filesize
8KB

Download
memory/664-192-0x0000000001F20000-0x0000000001F5C000-memory.dmp

Filesize
240KB

Download
memory/664-328-0x0000000003710000-0x0000000003711000-memory.dmp

Filesize
4KB

Download
memory/664-329-0x0000000003900000-0x0000000003901000-memory.dmp

Filesize
4KB

Download
memory/664-325-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/664-327-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/664-338-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/664-335-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/664-334-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/664-339-0x00000000039A0000-0x00000000039A1000-memory.dmp

Filesize
4KB

Download
memory/664-320-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/664-324-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/664-340-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/664-333-0x0000000003940000-0x0000000003997000-memory.dmp

Filesize
348KB

Download
memory/664-322-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/664-332-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/684-303-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/684-304-0x0000000000400000-0x00000000023BB000-memory.dmp

Filesize
31.7MB

Download
memory/776-153-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/936-147-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1204-315-0x0000000002A10000-0x0000000002A26000-memory.dmp

Filesize
88KB

Download
memory/1252-142-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1252-155-0x0000000002D50000-0x0000000002D6C000-memory.dmp

Filesize
112KB

Download
memory/1252-300-0x0000000006F31000-0x0000000006F32000-memory.dmp

Filesize
4KB

Download
memory/1252-299-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/1392-145-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1396-95-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1568-314-0x0000000000400000-0x00000000023B0000-memory.dmp

Filesize
31.7MB

Download
memory/1568-313-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1576-317-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1652-346-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1800-307-0x0000000000400000-0x00000000027DB000-memory.dmp

Filesize
35.9MB

Download
memory/1800-305-0x0000000004460000-0x0000000004D86000-memory.dmp

Filesize
9.1MB

Download
memory/1868-160-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1868-306-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1868-157-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1920-165-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1920-308-0x0000000004690000-0x0000000004691000-memory.dmp

Filesize
4KB

Download
memory/1948-302-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/1948-150-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1968-310-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1968-312-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1976-140-0x0000000004460000-0x00000000044FD000-memory.dmp

Filesize
628KB

Download
memory/2008-298-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2008-144-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2056-316-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2132-219-0x0000000071AC1000-0x0000000071AC3000-memory.dmp

Filesize
8KB

Download
memory/2132-343-0x0000000000240000-0x00000000002DD000-memory.dmp

Filesize
628KB

Download
memory/2320-341-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2588-309-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2588-172-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2588-175-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2640-357-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2640-349-0x0000000002000000-0x000000000215C000-memory.dmp

Filesize
1.4MB

Download
memory/2640-355-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/2640-354-0x0000000002120000-0x0000000002177000-memory.dmp

Filesize
348KB

Download
memory/2640-359-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/2640-352-0x0000000002000000-0x000000000215C000-memory.dmp

Filesize
1.4MB

Download
memory/2640-363-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2640-347-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2640-364-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/2640-215-0x00000000004D0000-0x000000000050C000-memory.dmp

Filesize
240KB

Download
memory/2640-362-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/2640-351-0x0000000002000000-0x000000000215C000-memory.dmp

Filesize
1.4MB

Download
memory/2640-356-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2640-348-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2640-342-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2640-350-0x0000000002000000-0x000000000215C000-memory.dmp

Filesize
1.4MB

Download
memory/2856-345-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2916-227-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2916-230-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/2916-353-0x000000001AF80000-0x000000001AF82000-memory.dmp

Filesize
8KB

Download
memory/3000-344-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3056-239-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3056-301-0x000000001B256000-0x000000001B275000-memory.dmp

Filesize
124KB

Download
memory/3212-361-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3664-330-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download