ffdroider | ed60315ceda29939209fca009b94888abaa3662c4473ae42c5a73b6a0e4bf620

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b334bca600acc9630ad54bd3a942391.exe
Size

6.1MB
MD5

8b334bca600acc9630ad54bd3a942391
SHA1

04a52ad3b01f535f6d3df9151a415f1ed8afbc9e
SHA256

ed60315ceda29939209fca009b94888abaa3662c4473ae42c5a73b6a0e4bf620
SHA512

000c5a801c446b71dc8c54540064e48e2d682b873f984c4cef06a05e57a2d813fdb8c348c35c9794fe7fc1ab4ef651e7ec6df38e6dc9032682836e2a0e35ec95
SSDEEP

98304:pAI+u4UsuNxyflztzvp44Z+9uhJP1ZAxXNxAMg7HCM7wVhOAn0tq++13F+/GzUJg:ituJsuNxwlzFvtZ+Ybw2hOEPPeYJDGf

Score

10^/10

ffdroider raccoon discovery persistence spyware stealer vmprotect

Malware Config

Extracted

Family

ffdroider

http://186.2.171.3

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 2 IoCs

resource	yara_rule
behavioral2/memory/4448-167-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider
behavioral2/memory/4448-120-0x0000000000400000-0x000000000067D000-memory.dmp	family_ffdroider

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	1668	rUNdlL32.eXe	106

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

resource	yara_rule
behavioral2/memory/4284-59-0x0000000004940000-0x00000000049D3000-memory.dmp	family_raccoon_v1
behavioral2/memory/4284-140-0x0000000000400000-0x0000000002CB4000-memory.dmp	family_raccoon_v1

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	8b334bca600acc9630ad54bd3a942391.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	BotCheck.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	aipackagechainer.exe

Executes dropped EXE 11 IoCs

pid	Process
4284	GameBox64bit.exe
4856	GameBoxWin64.exe
1580	Weather Installation.exe
3932	WerFault.exe
2284	GameBox32Bit.exe
2100	BotCheck.exe
4448	note8876.exe
4500	GameBoxWin32.exe
2696	GameBoxWin32.tmp
4344	BotCheck.exe
4236	aipackagechainer.exe

Loads dropped DLL 21 IoCs

pid	Process
4856	GameBoxWin64.exe
4856	GameBoxWin64.exe
1580	Weather Installation.exe
2696	GameBoxWin32.tmp
4856	GameBoxWin64.exe
3512	rundll32.exe
4304	MsiExec.exe
4788	MsiExec.exe
4304	MsiExec.exe
4788	MsiExec.exe
4788	MsiExec.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe
4136	backgroundTaskHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4448-167-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral2/memory/4448-120-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect
behavioral2/files/0x0003000000000749-110.dat	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	aipackagechainer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Weather Installation.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	GameBoxWin64.exe
File opened (read-only)	\??\M:	Weather Installation.exe
File opened (read-only)	\??\V:	GameBoxWin64.exe
File opened (read-only)	\??\Y:	GameBoxWin64.exe
File opened (read-only)	\??\A:	Weather Installation.exe
File opened (read-only)	\??\V:	Weather Installation.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	GameBoxWin64.exe
File opened (read-only)	\??\U:	GameBoxWin64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	GameBoxWin64.exe
File opened (read-only)	\??\S:	GameBoxWin64.exe
File opened (read-only)	\??\L:	Weather Installation.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	GameBoxWin64.exe
File opened (read-only)	\??\Q:	GameBoxWin64.exe
File opened (read-only)	\??\T:	Weather Installation.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	GameBoxWin64.exe
File opened (read-only)	\??\G:	Weather Installation.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	GameBoxWin64.exe
File opened (read-only)	\??\B:	Weather Installation.exe
File opened (read-only)	\??\O:	GameBoxWin64.exe
File opened (read-only)	\??\N:	Weather Installation.exe
File opened (read-only)	\??\U:	Weather Installation.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	GameBoxWin64.exe
File opened (read-only)	\??\N:	GameBoxWin64.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	Weather Installation.exe
File opened (read-only)	\??\R:	Weather Installation.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	GameBoxWin64.exe
File opened (read-only)	\??\I:	Weather Installation.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	GameBoxWin64.exe
File opened (read-only)	\??\O:	Weather Installation.exe
File opened (read-only)	\??\Y:	Weather Installation.exe
File opened (read-only)	\??\Z:	Weather Installation.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	Weather Installation.exe
File opened (read-only)	\??\K:	Weather Installation.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	iplogger.org
16	iplogger.org
21	iplogger.org

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe	8b334bca600acc9630ad54bd3a942391.exe
File created	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe	8b334bca600acc9630ad54bd3a942391.exe
File opened for modification	C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe	8b334bca600acc9630ad54bd3a942391.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e577b4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84F8.tmp	msiexec.exe
File created	C:\Windows\Installer\e577b4a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI837F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI839F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI870D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI835F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8566.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CF0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DAF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DEE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E5D.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

pid	pid_target	Process	procid_target
2472	4284	WerFault.exe	89
4212	4284	WerFault.exe	89
632	3512	WerFault.exe
2296	4284	WerFault.exe	89
3932	4284	WerFault.exe	89
2884	4284	WerFault.exe	89
3740	4848	WerFault.exe	127
2648	4284	WerFault.exe	89
4340	4848	WerFault.exe	127

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GameBoxWin64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Weather Installation.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B\Blob = 0300000001000000140000008d4c4a23ba9ee84ea7348fa98cc6e65fbb69de7b140000000100000014000000bbaf7e023dfaa6f13c848eadee3898ecd93232d4040000000100000010000000ab9b109ce8934f11e7cd22ed550680da0f0000000100000030000000a768343c4aeaced5c72f3571938864983a67ed49031c1da2495863caf65fe507011f7f0e70b6cb40e5631c07721be03419000000010000001000000082218ffb91733e64136be5719f57c3a15c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000820500003082057e30820466a003020102021067def43ef17bdae24ff5940606d2c084300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a308185310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312b302906035504031322434f4d4f444f205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010091e85492d20a56b1ac0d24ddc5cf446774992b37a37d23700071bc53dfc4fa2a128f4b7f1056bd9f7072b7617fc94b0f17a73de3b00461eeff1197c7f4863e0afa3e5cf993e6347ad9146be79cb385a0827a76af7190d7ecfd0dfa9c6cfadfb082f4147ef9bec4a62f4f7f997fb5fc674372bd0c00d689eb6b2cd3ed8f981c14ab7ee5e36efcd8a8e49224da436b62b855fdeac1bc6cb68bf30e8d9ae49b6c6999f878483045d5ade10d3c4560fc32965127bc67c3ca2eb66bea46c7c720a0b11f65de4808baa44ea9f283463784ebe8cc814843674e722a9b5cbd4c1b288a5c227bb4ab98d9eee05183c309464e6d3e99fa9517da7c3357413c8d51ed0bb65caf2c631adf57c83fbce95dc49baf4599e2a35a24b4baa9563dcf6faaff4958bef0a8fff4b8ade937fbbab8f40b3af9e843421e89d884cb13f1d9bbe18960b88c2856ac141d9c0ae771ebcf0edd3da996a148bd3cf7afb50d224cc01181ec563bf6d3a2e25bb7b204225295809369e88e4c65f191032d707402ea8b671529695202bbd7df506a5546bfa0a328617f70d0c3a2aa2c21aa47ce289c064576bf821827b4d5aeb4cb50e66bf44c867130e9a6df1686e0d8ff40ddfbd042887fa3333a2e5c1e41118163ce18716b2beca68ab7315c3a6a47e0c37959d6201aaff26a98aa72bc574ad24b9dbb10fcb04c41e5ed1d3d5e289d9cccbfb351daa747e584530203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e04160414bbaf7e023dfaa6f13c848eadee3898ecd93232d4300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c050003820101007ff25635b06d954a4e74af3ae26f018b87d33297edf840d2775311d7c7162ec69de64856be80a9f8bc78d2c86317ae8ced1631fa1f18c90ec7ee48799fc7c9b9bccc8815e36861d19f1d4b6181d7560463c2086926f0f0e52fdfc00a2ba905f4025a6a89d7b4844295e3ebf776205e35d9c0cd2508134c71388e87b0338491991e91f1ac9e3fa71d60812c364154a0e246060bac1bc799368c5ea10ba49ed9424624c5c55b81aeada0a0dc9f36b88dc21d15fa88ad8110391f44f02b9fdd10540c0734b136d114fd07023dff7255ab27d62c814171298d41f450571a7e6560afcbc5287698aeb3a853768be621526bea21d0840e494e8853da922ee71d0866d7	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	GameBoxWin64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	GameBoxWin64.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\8D4C4A23BA9EE84EA7348FA98CC6E65FBB69DE7B	Weather Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Weather Installation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	Weather Installation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	GameBoxWin64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	GameBoxWin64.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4304	MsiExec.exe
4304	MsiExec.exe
4776	msiexec.exe
4776	msiexec.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	WerFault.exe
Token: SeSecurityPrivilege	4776	msiexec.exe
Token: SeCreateTokenPrivilege	4856	GameBoxWin64.exe
Token: SeAssignPrimaryTokenPrivilege	4856	GameBoxWin64.exe
Token: SeLockMemoryPrivilege	4856	GameBoxWin64.exe
Token: SeIncreaseQuotaPrivilege	4856	GameBoxWin64.exe
Token: SeMachineAccountPrivilege	4856	GameBoxWin64.exe
Token: SeTcbPrivilege	4856	GameBoxWin64.exe
Token: SeSecurityPrivilege	4856	GameBoxWin64.exe
Token: SeTakeOwnershipPrivilege	4856	GameBoxWin64.exe
Token: SeLoadDriverPrivilege	4856	GameBoxWin64.exe
Token: SeSystemProfilePrivilege	4856	GameBoxWin64.exe
Token: SeSystemtimePrivilege	4856	GameBoxWin64.exe
Token: SeProfSingleProcessPrivilege	4856	GameBoxWin64.exe
Token: SeIncBasePriorityPrivilege	4856	GameBoxWin64.exe
Token: SeCreatePagefilePrivilege	4856	GameBoxWin64.exe
Token: SeCreatePermanentPrivilege	4856	GameBoxWin64.exe
Token: SeBackupPrivilege	4856	GameBoxWin64.exe
Token: SeRestorePrivilege	4856	GameBoxWin64.exe
Token: SeShutdownPrivilege	4856	GameBoxWin64.exe
Token: SeDebugPrivilege	4856	GameBoxWin64.exe
Token: SeAuditPrivilege	4856	GameBoxWin64.exe
Token: SeSystemEnvironmentPrivilege	4856	GameBoxWin64.exe
Token: SeChangeNotifyPrivilege	4856	GameBoxWin64.exe
Token: SeRemoteShutdownPrivilege	4856	GameBoxWin64.exe
Token: SeUndockPrivilege	4856	GameBoxWin64.exe
Token: SeSyncAgentPrivilege	4856	GameBoxWin64.exe
Token: SeEnableDelegationPrivilege	4856	GameBoxWin64.exe
Token: SeManageVolumePrivilege	4856	GameBoxWin64.exe
Token: SeImpersonatePrivilege	4856	GameBoxWin64.exe
Token: SeCreateGlobalPrivilege	4856	GameBoxWin64.exe
Token: SeCreateTokenPrivilege	1580	Weather Installation.exe
Token: SeAssignPrimaryTokenPrivilege	1580	Weather Installation.exe
Token: SeLockMemoryPrivilege	1580	Weather Installation.exe
Token: SeIncreaseQuotaPrivilege	1580	Weather Installation.exe
Token: SeMachineAccountPrivilege	1580	Weather Installation.exe
Token: SeTcbPrivilege	1580	Weather Installation.exe
Token: SeSecurityPrivilege	1580	Weather Installation.exe
Token: SeTakeOwnershipPrivilege	1580	Weather Installation.exe
Token: SeLoadDriverPrivilege	1580	Weather Installation.exe
Token: SeSystemProfilePrivilege	1580	Weather Installation.exe
Token: SeSystemtimePrivilege	1580	Weather Installation.exe
Token: SeProfSingleProcessPrivilege	1580	Weather Installation.exe
Token: SeIncBasePriorityPrivilege	1580	Weather Installation.exe
Token: SeCreatePagefilePrivilege	1580	Weather Installation.exe
Token: SeCreatePermanentPrivilege	1580	Weather Installation.exe
Token: SeBackupPrivilege	1580	Weather Installation.exe
Token: SeRestorePrivilege	1580	Weather Installation.exe
Token: SeShutdownPrivilege	1580	Weather Installation.exe
Token: SeDebugPrivilege	1580	Weather Installation.exe
Token: SeAuditPrivilege	1580	Weather Installation.exe
Token: SeSystemEnvironmentPrivilege	1580	Weather Installation.exe
Token: SeChangeNotifyPrivilege	1580	Weather Installation.exe
Token: SeRemoteShutdownPrivilege	1580	Weather Installation.exe
Token: SeUndockPrivilege	1580	Weather Installation.exe
Token: SeSyncAgentPrivilege	1580	Weather Installation.exe
Token: SeEnableDelegationPrivilege	1580	Weather Installation.exe
Token: SeManageVolumePrivilege	1580	Weather Installation.exe
Token: SeImpersonatePrivilege	1580	Weather Installation.exe
Token: SeCreateGlobalPrivilege	1580	Weather Installation.exe
Token: SeCreateTokenPrivilege	1580	Weather Installation.exe
Token: SeAssignPrimaryTokenPrivilege	1580	Weather Installation.exe
Token: SeLockMemoryPrivilege	1580	Weather Installation.exe
Token: SeIncreaseQuotaPrivilege	1580	Weather Installation.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4856	GameBoxWin64.exe
1580	Weather Installation.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 3096 wrote to memory of 4284	3096	8b334bca600acc9630ad54bd3a942391.exe	89
PID 3096 wrote to memory of 4284	3096	8b334bca600acc9630ad54bd3a942391.exe	89
PID 3096 wrote to memory of 4284	3096	8b334bca600acc9630ad54bd3a942391.exe	89
PID 3096 wrote to memory of 4856	3096	8b334bca600acc9630ad54bd3a942391.exe	90
PID 3096 wrote to memory of 4856	3096	8b334bca600acc9630ad54bd3a942391.exe	90
PID 3096 wrote to memory of 4856	3096	8b334bca600acc9630ad54bd3a942391.exe	90
PID 3096 wrote to memory of 1580	3096	8b334bca600acc9630ad54bd3a942391.exe	91
PID 3096 wrote to memory of 1580	3096	8b334bca600acc9630ad54bd3a942391.exe	91
PID 3096 wrote to memory of 1580	3096	8b334bca600acc9630ad54bd3a942391.exe	91
PID 3096 wrote to memory of 3932	3096	8b334bca600acc9630ad54bd3a942391.exe	120
PID 3096 wrote to memory of 3932	3096	8b334bca600acc9630ad54bd3a942391.exe	120
PID 3096 wrote to memory of 2284	3096	8b334bca600acc9630ad54bd3a942391.exe	103
PID 3096 wrote to memory of 2284	3096	8b334bca600acc9630ad54bd3a942391.exe	103
PID 3096 wrote to memory of 2100	3096	8b334bca600acc9630ad54bd3a942391.exe	93
PID 3096 wrote to memory of 2100	3096	8b334bca600acc9630ad54bd3a942391.exe	93
PID 3096 wrote to memory of 2100	3096	8b334bca600acc9630ad54bd3a942391.exe	93
PID 3096 wrote to memory of 4448	3096	8b334bca600acc9630ad54bd3a942391.exe	100
PID 3096 wrote to memory of 4448	3096	8b334bca600acc9630ad54bd3a942391.exe	100
PID 3096 wrote to memory of 4448	3096	8b334bca600acc9630ad54bd3a942391.exe	100
PID 3096 wrote to memory of 4500	3096	8b334bca600acc9630ad54bd3a942391.exe	99
PID 3096 wrote to memory of 4500	3096	8b334bca600acc9630ad54bd3a942391.exe	99
PID 3096 wrote to memory of 4500	3096	8b334bca600acc9630ad54bd3a942391.exe	99
PID 4500 wrote to memory of 2696	4500	GameBoxWin32.exe	97
PID 4500 wrote to memory of 2696	4500	GameBoxWin32.exe	97
PID 4500 wrote to memory of 2696	4500	GameBoxWin32.exe	97
PID 2100 wrote to memory of 4344	2100	BotCheck.exe	102
PID 2100 wrote to memory of 4344	2100	BotCheck.exe	102
PID 2100 wrote to memory of 4344	2100	BotCheck.exe	102
PID 4544 wrote to memory of 3512	4544	rUNdlL32.eXe	116
PID 4544 wrote to memory of 3512	4544	rUNdlL32.eXe	116
PID 4544 wrote to memory of 3512	4544	rUNdlL32.eXe	116
PID 4776 wrote to memory of 4304	4776	msiexec.exe	110
PID 4776 wrote to memory of 4304	4776	msiexec.exe	110
PID 4776 wrote to memory of 4304	4776	msiexec.exe	110
PID 4776 wrote to memory of 4788	4776	msiexec.exe	111
PID 4776 wrote to memory of 4788	4776	msiexec.exe	111
PID 4776 wrote to memory of 4788	4776	msiexec.exe	111
PID 1580 wrote to memory of 4072	1580	Weather Installation.exe	117
PID 1580 wrote to memory of 4072	1580	Weather Installation.exe	117
PID 1580 wrote to memory of 4072	1580	Weather Installation.exe	117
PID 4856 wrote to memory of 3572	4856	GameBoxWin64.exe	119
PID 4856 wrote to memory of 3572	4856	GameBoxWin64.exe	119
PID 4856 wrote to memory of 3572	4856	GameBoxWin64.exe	119
PID 4776 wrote to memory of 4136	4776	msiexec.exe	140
PID 4776 wrote to memory of 4136	4776	msiexec.exe	140
PID 4776 wrote to memory of 4136	4776	msiexec.exe	140
PID 4776 wrote to memory of 4236	4776	msiexec.exe	126
PID 4776 wrote to memory of 4236	4776	msiexec.exe	126
PID 4776 wrote to memory of 4236	4776	msiexec.exe	126
PID 4236 wrote to memory of 4848	4236	aipackagechainer.exe	127
PID 4236 wrote to memory of 4848	4236	aipackagechainer.exe	127
PID 4236 wrote to memory of 4848	4236	aipackagechainer.exe	127

C:\Users\Admin\AppData\Local\Temp\8b334bca600acc9630ad54bd3a942391.exe
"C:\Users\Admin\AppData\Local\Temp\8b334bca600acc9630ad54bd3a942391.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3096
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
  2⤵
  - Executes dropped EXE
  PID:4284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 740
    3⤵
    - Program crash
    PID:2472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 776
    3⤵
    - Program crash
    PID:4212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 756
    3⤵
    - Program crash
    PID:2296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 900
    3⤵
    - Executes dropped EXE
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1196
    3⤵
    - Program crash
    PID:2884
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 868
    3⤵
    - Program crash
    PID:2648
- C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706687887 /qn CAMPAIGN=""710"" " CAMPAIGN="710"
    3⤵
    PID:3572
- C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" /quiet SILENT=1 AF=715 BF=715
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1706687887 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"
    3⤵
    - Enumerates connected drives
    PID:4072
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
  2⤵
  PID:3932
- C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
    "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
    3⤵
    - Executes dropped EXE
    PID:4344
- C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4500
- C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
  "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
  2⤵
  - Executes dropped EXE
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4284 -ip 4284
1⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\is-9QRVV.tmp\GameBoxWin32.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9QRVV.tmp\GameBoxWin32.tmp" /SL5="$801F8,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BD54DE7552B841C71349C2D43776406F C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C034A8BCF41A15469AA1DDED886561AD C
  2⤵
  - Loads dropped DLL
  PID:4788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 603BBE97A83F9146CC7F760351E93754
  2⤵
  PID:4136
- C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe
  "C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4236
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_880C.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Weather\Weather\prerequisites' -retry_count 10"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2060
      4⤵
      Program crash
      PID:3740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2152
      4⤵
      Program crash
      PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4284 -ip 4284
1⤵
PID:4824

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3512 -ip 3512
1⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3512 -s 600
1⤵
- Program crash
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4284 -ip 4284
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4284 -ip 4284
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4284 -ip 4284
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4284 -ip 4284
1⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4848 -ip 4848
1⤵
PID:4224

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
PID:3568

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
- Loads dropped DLL
PID:4136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e577b4d.rbs

Filesize
1KB

MD5
617a9932dcbe32619fe575662d37ef4e

SHA1
dadc1ccc145bef625a867ba51ab00f339cb5c23f

SHA256
6c3cd0cb43b32241c2ae22ef2476f10ae2ec22c1bc2c3052523491ccbc41def8

SHA512
f389071a3176132b5687cbd8cc9319ac8b5c8078fe70b1cdfd1cd6a34d4f48b8598db8cd71712fb62479d174936402e4ca64a9d06e04c1ee4098f588cc448553

Download Submit
C:\Config.Msi\e577b4e.rbs

Filesize
395B

MD5
058140f3c61cf796f78a5c19f0f0adb4

SHA1
b6ab20e8d34412c99b2c615f7153acebb463856a

SHA256
89a5473a1a32fc4455831926c479e54f49687cb5510ae0aaeb4ad423d26f7f9a

SHA512
a7812bc24ad80941a4bc2f4fbfecd3ab768498e1334c6d7069237baccdbc90c77941522c2340eaa43e624eab29e4d6408323c865b68db887c84014b90aaf4821

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe

Filesize
712KB

MD5
adfe31c40569ca5b0b403f0ba3f7b24c

SHA1
76ad7f27ae76bc852b64ac248d85e6996fe88d20

SHA256
68d1b6dbfc303f1949267ce03ac2164ee9cda951231e72e6a5e39a44764ebbf2

SHA512
b9c96413ae2d40895bfe31e608de712349be08acf9d8ffa46150cc46bbdbaa4aa86b3e2901c73515545e6810ba99335c5441d8114ae1436710ea2b30772df44e

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe

Filesize
494KB

MD5
1ca48fc48e752b85703fdbe91bf10a32

SHA1
28ea35094238603cf85ff34a8f7adedf03c436b8

SHA256
fbe92b55ca85441500db791d1783101342accd0971524dca8e5c017b755d2882

SHA512
7594d178d06da6e2e5d02e6383f77d7eb5b76055e1fd55fcc35d6e7e3cd56675955492da156a5a25b52976bd5109fc728b3835aa8ee9ad2dc654e77cc5bd163d

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe

Filesize
163KB

MD5
b1dbc3b027105d8032541bc0c5e71abb

SHA1
1ef1950ecb44e6bd8d0a3849868ec9a0ceaa1130

SHA256
b0eb54f46e5919460cb8d21fdcd695e3356b6311ab0547f18dc3d84a66a14bc4

SHA512
3f7fd0aa71e6fae5eeaf16cc47a1ac43cdd1f643c1e7e439eb068685558929cf3c74552ad70fbf2d6cad94cc11bb8ea9c099ef1401b868947f1a9e5e44b34f7b

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe

Filesize
252KB

MD5
ee19bc8a2b6c6fd7c30037389457a4df

SHA1
e1fca1cc33574e59dec62763ee6e7de1a5198095

SHA256
76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0

SHA512
38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe

Filesize
504KB

MD5
8479bce60218cd871c118308ded82d39

SHA1
0388ec861b2ac5c7f4dc6eed249d92d3002fe66e

SHA256
15078be80772a449383c5f6a7631955039b82ebaf507ab67e61093b70b98dc43

SHA512
f4be47baee6baeacbe1e27174ad83700efc78ab2d02262d718c7436d2304fc16618a5911bed63ed8d2e947af3c511d17b77ddfccea9a4e6aab9f3956fcf322f8

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe

Filesize
320KB

MD5
3c539c7a8fb29ebf11ec352bace16e44

SHA1
07a503da0d61276e404599d1945f2136942695b6

SHA256
79978187902e65219a9b1a9edd772559563efc8d497f814c656debc00898c844

SHA512
c3554a39436397382a7d418ba9ff600f57cdba51be0990c2f5f3c6d49cdda31af3901643d8f0bb6ad6421f3f73ff6f513eb0ad45ebcf39c5e028bdcf0c435d9a

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe

Filesize
746KB

MD5
393d6260e39b68b2d60300e4f62ebc83

SHA1
16c58c5b7dee3ce4c3a40925ba4eed3c188faf46

SHA256
e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3

SHA512
d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe

Filesize
1.3MB

MD5
c2ceecbfb2075f896a347638a6856780

SHA1
e216f9efae622b375acf1c41a0dc0d60bbee1c4e

SHA256
206b47141d93c76fb326dbff8872a8092f10eedf537d5c2fb0af431d4f7192c4

SHA512
e2b6d021451b71e54bbfcc183d599eead7b97c1d3cf76fcbb14f27761a3eabf26013bfea66bc1f0409321a9952db6f21fe6d72eeac3786784da6468f48af5879

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe

Filesize
1.6MB

MD5
3cf29fca1b6b789aeec13daa05a408ac

SHA1
45ed25e410dc985132f6a9f1e2ed67179ad2a60b

SHA256
42ad46fc840e9e3ff3029a7bd76daa1d9ddac5e16ed9f552d090eb11cdbdeced

SHA512
c4f6e7519c12f39d3edcbfda37712a47b925ce9c1de8d07705ab1334d22aff0a80bf289f2691b5c8fe37f8f8532f9d4964e4c23a3628a44099013866eea2e1c1

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe

Filesize
1.3MB

MD5
0271286152c72fa06bb424411bf7ab94

SHA1
3c0cfee60bec6f6beb2ca9d8f5fd2499b739d337

SHA256
e90086a87644dd9cfa7c8a4f79908a38373ca9a095d4a6394dcbf7e86b21a770

SHA512
aa148c4308af583e3e017015a47dd5dfed21635bac8321cd00fe5ca025535235f2dd8f41cb2e3b7fe575a29ed549f3af44147f12a14c54965d554b8fcada5a24

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe

Filesize
188KB

MD5
d05ad5ee40e3b2a974094d57723f7446

SHA1
22c5f99020167aee1d166bf292d96e9aa97a773f

SHA256
4d7be7b9b1b3cf3c8eadc23ffa6e6ab08b1d807a7b75ce0edb24eb604365af00

SHA512
d8bbe7ca2375ce3c95ebd9c6bbb73ca50c80951a06e45b308d312b7153f96cd99e1033399b157931146e6c78d6cad326ac7117c78611bd885ccff675470c17ad

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe

Filesize
832KB

MD5
694730a5c940369bdfee0e846638ecd0

SHA1
cadf59c829ee6c0f00ac744a4a7d9089f0b17019

SHA256
a9cbecccc569515564dc32e66fcee984d7264bcddd22c9dd8919d06364869e2a

SHA512
3387bd58ab9269a5963689f80746497dd1a1042a83c4ba8a214c32ec24eca5c56d954ceb46be4598d9e8a6ed50e213cefb60aad1183ceb2a4d920f8b838031df

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\Weather Installation.exe

Filesize
1.2MB

MD5
ee8490455463f8cdde01c5ea83af075a

SHA1
5da768f91ca47defeb65dc58438d94db3f912049

SHA256
c5dc5525de2343e3b4aed805b26f53762bbefbb835c11b51a97e6a9a86cdbbe1

SHA512
f99c34b3b8ad8d81f6e8d01549df9c271a36ff496b250396b8032c55d3fc75dab05e18cc6b1819c0409478d5ba01d27308c0d4cd79b2f45f4303b3880788460b

Download Submit
C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe

Filesize
955KB

MD5
3c7117f96c0c2879798a78a32d5d34cc

SHA1
197c7dea513f8cbb7ebc17610f247d774c234213

SHA256
6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

SHA512
b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
2KB

MD5
902083235d0c8837117ccaf637a3212a

SHA1
34a28fe39c0318aa33575324d366fb8ec5cfd1ab

SHA256
d6de6f83a1d9975ac77513766d4a376ba3dd1f64d635a99722cb9e392627b822

SHA512
05c853ecd401f536b04db738860411e7abf7e1ddf9d95353f552bd49ff7489c817b5f71fb24841ac48a992d48acbf72f569598d472f97a67d6e2d9f5b26a6c67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7

Filesize
509B

MD5
b4ff3708cc5259f7c1d7359bb92bb3a4

SHA1
d3c7182e303a332baf7e0b26e94908c369c1c3f0

SHA256
b7c25c7c635c49c58d5c7d7a035d0439c6558a144e63f1d5774cc0c1bdc554ef

SHA512
3c551128ba7c67b142b0cb75ce8175a6187695108e581db407d61d46ebafb3cf9ddb1917e6684b536e54a304f3ac3f7bd86b24ee7ead411d6ea51793c5f4084c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
1KB

MD5
58e7b17615f01b38e5291146abb5283d

SHA1
f56e882bedc9b3db63f564977062d8a444884451

SHA256
c4e2253396b054fe0226327f1c27c01d364af6cece337f96303bc3c489bf2fa2

SHA512
b39fdeb5d76e3e4bcf759b1d831ec952c8cc9549d1d6eae3479b5c22f264e9a69b50dc337941045edf10518076f3af58169b9006772f1b24c6334fb5f6fdf9eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_79CFD3DF2894C4BFDA2ADFD6675FA18B

Filesize
490B

MD5
2b4ab5a4baa6edd77466fc94b1d61b7f

SHA1
962152454873d726215eb7cf4e07d5656a835c1b

SHA256
52caff3d1fde2e77478e2602c51ad6348f4146bd86ac3644e1f26da244b68e62

SHA512
05ee4ad4d7929576243fa05fd548bec860cf0e54e06e4826fff646e3e0ced3b499bd8b655c0f41781e57f6a6fe43480dd3c61ca864043b16394344e6886e175d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D11549FC90445E1CE90F96A21958A17_FB353789C9BBDA933068CD2920BDF3B7

Filesize
486B

MD5
aa015e1ded2e4dea8b87e008c9b8ffb7

SHA1
d1502d4c087d23f4e5a87d7daa2aae80dcd31dc2

SHA256
9ab6b15c482ebf4516dd6173131b5f5ab6475390df16148ce2ba058aff8bbe75

SHA512
f4a01aeb5e74c115484c916a7fcb844dd96135ab5ca68a2dbb40c59da3d96171cd507815391293d6856f9404fb09751ff106b49b61a198f7df37262442754c15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_2DBE917624E9880FE0C7C5570D56E691

Filesize
486B

MD5
4153fd6d18c20a61454a27f703ccd460

SHA1
04ce3155b0afb5fd959ed1ae1d0b41b0e8b9c999

SHA256
d3247484a64de1adf495f900fa7ce814a74277b21eaeeaa853b82d3bc5de56ce

SHA512
0eb4b9c47494ed1bf2ae34b108f82883c66187f07dc1d7c39ecb5353cac097509b5bd06ff9dedeadc1846b49beab1a71a224f87da2ef6486ca7a35f18283cd60

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6073fee5118372253d99d22b\1.0.0\tracking.ini

Filesize
11B

MD5
ec3584f3db838942ec3669db02dc908e

SHA1
8dceb96874d5c6425ebb81bfee587244c89416da

SHA256
77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340

SHA512
35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e

Download Submit
C:\Users\Admin\AppData\Local\Temp\INA75BC.tmp

Filesize
257KB

MD5
9b5cab7cc5a95e912c5273a4cd7d84c7

SHA1
cdf8ac4f1f534895e43fbe86665e88813c17453e

SHA256
0fe40a1d4448a0a2fd2d684e2e8bdf9577bb0f6a46d99b2d7576aba4eade57aa

SHA512
c907e3aa60e9f8ac1e05b3310eb161c6ceb64eb97f42d9c2bac3682fa3b888d1901faf37cd30f67c7b791e223b07b14a84ac057ac0c784879f685dd12500587b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7698.tmp

Filesize
139KB

MD5
e9eaf1cb5e57935983cb5f7791b2ae11

SHA1
fc6436dc9ebd079ad3c1f2ed151547caf3ddad84

SHA256
7d2d1ee7a7cb93bd9606d619b9ee113e6099e1f24262d981ff10a69e490ad475

SHA512
69179333534d8c8e079d5a181eea4deab086ff54f17dd60092a43a07ac3d0d95b7a7935faaf7cc6a2c0c8ed0b42bdbfebcfb4a9b4dbec1e614a918dd778fef3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7698.tmp

Filesize
258KB

MD5
72578ec36bb0b6c4094d4b602e9091e4

SHA1
c1b6594bac50bcbc0bfd256e036867e4a7b90556

SHA256
fe43d41126191e7f79bfb332de342730ed8271cda3d77cb30d88f5c80922abb3

SHA512
53d172b6a0dfc6bdb904b14abb023f57b31e8e8413fe0e7497c24a208ef8ac28efc97cc758e0377f4c9dfb62503b8a6f854157aa064274355920c1444e1ce84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI76A9.tmp

Filesize
301KB

MD5
818d58a8d6b356f5ddae49ab6af77149

SHA1
c104c552d33e1e999f1feaefb72a5015cb2be6b8

SHA256
ab75a845ba5e659bba579d3b0687b021887f8a71e0aeb6a1de68afceb7646b3f

SHA512
1e0c27662c091f5bf5f7eff364285aa49f4d2012c4354b3853289474d87200d3101378160051373b3534b6698e85da0223eb4abebab59b44601650c2d93c142e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI76A9.tmp

Filesize
260KB

MD5
ef02b9a34dc374bd8f956f2b11a57f8d

SHA1
aeaafc0bf819e12ab713ebaaf0945e1e6e104e76

SHA256
3ac37617cb789bd7de4ac95b880b748cd6d5b09df3ff13a115e6496ced012fa7

SHA512
d09beb401e531046d20fa893640bc6a3e76f7a0d114bbe2d35a8b2d34d5d425dff9cfe5e8fc753a2b44f001d712a5fc2ba367a922901386b98442087fdb1f410

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI77E2.tmp

Filesize
96KB

MD5
7dbbc7dfbb19344149606b71bcdc4ad7

SHA1
394126befb8247396bdd9631e0a5efffc2c18369

SHA256
b895e00f96b4ad2ade86f1f455a56318fc4cf2fb8927b40d136610932953f2b4

SHA512
314d1ece88c50e118a5b1f3199feb3c8e84ee6934a31d047e70fda5f121ef4849ec8be5333d7a14af11b9fa391a19409b8b67f88ab24b51bac239b258447f1e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI77E2.tmp

Filesize
256KB

MD5
dc8bcaeb4df3658a2b3ef23aa0667c5a

SHA1
73ccf5b1849f7f8ce60919b16944b8a887a37d8a

SHA256
8be240b2ca09b1cb3638a3bc7ce18c847aa407c69fd0de08e2ced41e734c9815

SHA512
94e6fd27d6895a945480486332fbdaf305e23d6e6ef2a889919edbcdfe4e233b5edd42e38562df2f8b3bfc2e03ddc67ec7436ada03b3a845590256c009a7b125

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI782F.tmp

Filesize
49KB

MD5
467c3478a54061ed57dfde3158d263e1

SHA1
c995e8b531eab17ddd3c953acb765f97fd7590e5

SHA256
820b49c175be79eef6a7e59c9f502f482a53cd51b58e9c0641d3ce468e290014

SHA512
d8c8f16eb825b869318881e2f7ce895c0194d5c039b9f880ad8f7f4ef47618cc74f371775f38fa3b74ee886ad421ea076dd29c61b3cdee16d4823ce3be3401a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI782F.tmp

Filesize
214KB

MD5
829a3d468594cdd84f65dae8530e9137

SHA1
559ae741c874125f0039b27f3aa04a8ea6d43b4c

SHA256
e956956575bd7dc0abd90c51a37c49607870e58f445e2c0ce8e509a0a4ee024c

SHA512
1ba3cef06edd81921e3e3781c912bfb20e0e10cb2ae52821773033b480b062611111a575a9a4c5cf5020b85fff3a5af81ef7dcb277b7399d07d0d2ebf389cd46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI787F.tmp

Filesize
211KB

MD5
7cb2e74301ab015fea319ed234e97914

SHA1
51359b15a53def8c925dc7f4c35be3351a6dd7c7

SHA256
eb1272dba292f7bb20c1a3c106276dc591a6fec1a9af8b145617614ffce0b22f

SHA512
00e131336459fa61cf7382169aa853d7faac6648bcba00cd5d1288c7d66087728b89dcd541558b0129ff35911340675c11af81688c236c6299d2dfe76f47ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI787F.tmp

Filesize
149KB

MD5
7030b851d2713f353606b48d21f7497a

SHA1
46ba6b7b0c9a7fc6a0f2e4312b46f64c0febae9c

SHA256
9cc2f6f4339b60a0738ff9982db88ee4907ee0b012716d51c037cb875c7ae488

SHA512
15e09bd92924f00b98c15bdcfc54b9d0018d5e2573ffc9ee05c876116581ba85c991ebebc806e1df7f0e621b711ef25ec336333f79665bdb469a6fc27981bcb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zz0egdvh.xe1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
448KB

MD5
20f3f1184883208e938442ac1bf1ae8c

SHA1
3fb053f09a5e5553b3f0527dc0dd3f354e1bb64e

SHA256
4941421e9e495d6b58180b3e9432dc9880fd346b5277551a4dfe21ad712e2205

SHA512
f123211c205a9537908dacc966cc5ee07faaff884bd85f7c5d82c9264aae080dde5afe222ff79210b45570f9a4dbd1b4858731dd695bc65b83f86fdbdbb36bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6PLND.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9QRVV.tmp\GameBoxWin32.tmp

Filesize
862KB

MD5
0e24aeba2c5a3ee2f22430fd71426a34

SHA1
5903fd28351663d4c09e69e46021fd376035e969

SHA256
94634b47841010edff0657d8d32cc5c28fc1bfa045b9a47a21c1a255e05f3ad3

SHA512
ee18cf6d21a845775fdb688201e009b3e633aa3d6db0911d159140490f4c94f1337ab56aeb24757552b3139b0103d690424f9ac9db769d659955e7e85cf3e120

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi75DD.tmp

Filesize
302KB

MD5
d6100fa2e48fead379b9d24e13e4900a

SHA1
08454e962027a6c1b436e7049efacbe020dd93d6

SHA256
16e7cb9702373754d583dec1f75c643c68dcb58230513823a9f0ee804001cd02

SHA512
0380aecc4073750b0a491e1a9ca62a5159fcd05e4c48cbd0ca71a611c45ddef9ccdeb5a715d3df8b6bbedc002d450072dca4ff6446a1fa5603668f99f776efea

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi

Filesize
831KB

MD5
bb027e341297e2e9e40cc7f704013a1b

SHA1
02075bdf484c88a7ce3b6dd41324fdf650a62f18

SHA256
21fcbf1fdb69d99bff8bcf8ef878e977742e0c54642cfaed59fc7576a07f73b8

SHA512
e28b5cacf33c17074f799fcb1d5b8105f960c959d02403d2f724d37006e0e63985d155d164f1011e328eba800e17580c0402b0712125a8415b50019972fdc757

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi

Filesize
680KB

MD5
2ef1b621e82d1e2af3b61624320e06e1

SHA1
58fc568265376d40ca5432acd02577355124e009

SHA256
d8c8514b70fe12a9c3001c983026bc1e02103a777cdb64e36a865320ca0d9e08

SHA512
d8f14159567dd5568fc65c6fb323f91e88ecaabe2267cc8e2c2983713ca6114713a773305bfc41d430aad6cab1ff95caa4bec07f6ca1a9b0a3e72317b252b1b5

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

Filesize
202KB

MD5
2ca6d4ed5dd15fb7934c87e857f5ebfc

SHA1
383a55cc0ab890f41b71ca67e070ac7c903adeb6

SHA256
39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

SHA512
ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

Download Submit
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi

Filesize
841KB

MD5
1cc95c10da1240506cd49f6b7b55bb24

SHA1
8a7abace411cc045bd077500378023ae67654e81

SHA256
99bc9ca80ce486cf33febc1bf6c71d0b81e30097f0ab5946410f0f636231c706

SHA512
924b871005d72e6d259b843ddd6881c1809fa325b77cdc0874b74f6b04850774c83f24314dea9e32b18c327799e4ba587c400661869ce89858017b9659abf8fa

Download Submit
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi

Filesize
524KB

MD5
400e4f15752b5bbf33bb0de214153472

SHA1
d8487df74915ce8ce2c5b4af5201c66ada676db4

SHA256
8a7e121f61edfc6f8faa1d24c4616c3ca46d039d4e358ad3985e69979c9d0468

SHA512
a9b7c16fc1bbe005d5fc09f56e85facf87016a1d5481d60c6d1f7248eac0d14111c2f87c6d168a960f5de02ef4c3e0e1e429aaa61de6073d7f251235c6bc902f

Download Submit
C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\decoder.dll

Filesize
58KB

MD5
50427ea13a0e6620bae4f2958f948294

SHA1
2778ab10e8983d7f1a866a13e04e5c360e4fc560

SHA256
c5ddd43f90dde8009580b76e97fc57dc018cf2af0a5d458c4b87ad22cf3740d0

SHA512
a9631690024ed465cde961caf418c7a5baba04f5105834831ffbf49e70d61c73a09a1cee1fccfb3a0eaf755a0d4e23e4630d9018c0594e10b199ff74b7c60cc2

Download Submit
C:\Windows\Installer\MSI7CF0.tmp

Filesize
278KB

MD5
73532bff06dd284c4deb5f6676e8dd2a

SHA1
18270724f694be20e20f98823a72ec8a92e2732a

SHA256
98e69144bf3d0b6ec058117aa6a6d33369905097a7faafa65ce87921493276cc

SHA512
36abda8d58274c62dfdbeb763cb24b5fdc3c950eb03ddcddf86b628166c2788946760e0054fb9f59e3c751d0ad19f7aac92e24b960d7d1a981198627f3603d57

Download Submit
C:\Windows\Installer\MSI7CF0.tmp

Filesize
248KB

MD5
1b26b82ee66228d6899eb0533bbc4993

SHA1
2b9eec02dd629c62f83a276a4c12ea85229fdf6e

SHA256
30016f5fd51f35cb4f2df23ffed3bed6f064c427612e6f2aad06337763346820

SHA512
5db214535292fe74f5c7fba58593a1ca8a785aac397845a4a7e474ccde4aef33c9edccff37c5750629638c0daad6c5e4026ef11befaf821ac587fb399cafa13b

Download Submit
C:\Windows\Installer\MSI7D3F.tmp

Filesize
279KB

MD5
4705e571fbefc9f40ef82b6fe737a8f0

SHA1
15b03d89e259707c14c282893db692213ac956fd

SHA256
eb66e32268ceed70692262b986dc57d469cd06d54ee742a7cf43deb54defbade

SHA512
0c473096fa32d4b8d53c4de491e7e3073f5602aa3273ee84514249b14a41042db576ad17c069766588d6d035796e05577557fe56b1f76135bcf7e46127dbdce2

Download Submit
C:\Windows\Installer\MSI7D3F.tmp

Filesize
378KB

MD5
20c782eb64c81ac14c83a853546a8924

SHA1
a1506933d294de07a7a2ae1fbc6be468f51371d6

SHA256
0ed6836d55180af20f71f7852e3d728f2defe22aa6d2526c54cfbbb4b48cc6a1

SHA512
aff21e3e00b39f8983d101a0c616ca84cc3dc72d6464a0dd331965cf6beccf9b45025a7db2042d6e8b05221d3eb5813445c8ada69ae96e2727a607398a3de3d9

Download Submit
C:\Windows\Installer\MSI7DAF.tmp

Filesize
202KB

MD5
fef4650c29da34aadd5b76b07767a3d3

SHA1
d16fa063bca2debc1fc636ffd2712b227102b1d7

SHA256
2b918f86b6135f06cf8923d740e16faad6443575951a58c8d5b76a3e2c6e6300

SHA512
640b575f671e885a39360f196713d18885dc947c07fadb7ac3512714412942679a6a0a05be50b5cfc8f635de68f2062de7c9d637c803d903b312b8fa9110bb2d

Download Submit
C:\Windows\Installer\MSI7DAF.tmp

Filesize
129KB

MD5
0bf6b5e8b959ed4f194d7e9c883c782f

SHA1
b72b8631024423169dbc7433884de58d3383b166

SHA256
5126d969b82c3a1adf70479c93ddae7a91215080e72da20b7b68345100a72752

SHA512
3be8e8f331941f9fba3de11db705c32f18a10fb23697492b3fb18e925afd6adbbd47b83c6b7ba16babedbc6741ca99bc66a09704d80dab803ed0081dfd36d8ec

Download Submit
C:\Windows\Installer\MSI7DEE.tmp

Filesize
406KB

MD5
083bf8a6259dad688cd5534af6944211

SHA1
b5d92ad24107f69675dafdb7a101c75f75fb02b9

SHA256
869464157fa3d7c77c42ecc5e6274510746b7523bc70d94b3dd1a5d09dd36ba8

SHA512
4f7d0098f3aec40b6787123092599c781c3b10dea08cbd5966f15f94e0a048ed18a476bd0f47ad90ecd52d3877996411467b9273de042ca7853966f78d899866

Download Submit
C:\Windows\Installer\MSI7DEE.tmp

Filesize
396KB

MD5
d507f43e2880468be5632b107c0c1f0f

SHA1
376a2e8b014baa0cf4cddebe2b462b264b71b635

SHA256
0731ed56e3f4237ac5c0c53d2ebb32394aa8b3d7a5e5b0108b7c4a1f9879f036

SHA512
a77cd8bc9b0b12be37510f635cb0603705bd4e370d0cd401057ab3047b124b8d00a7cd8dbe17736a37303f4d74e333edf2e1e381cd2ecaa1566f8444a7909174

Download Submit
C:\Windows\Installer\MSI7E5D.tmp

Filesize
205KB

MD5
e989b188b5a23222cb89555c3d2a331d

SHA1
2bdb2e21336b88827e5f2b29e112d6f8f645395f

SHA256
181010a402b905bba8b7a3a918363332d448914d5f78b66a1269708876373a6a

SHA512
23676e4216bfe8bd9d3d4a3b33b00f9879f451e73200875e996e41dc26743b7a572e37765be79161c3a44aa5028ea854392f5d562372b6f1face80adade0d633

Download Submit
C:\Windows\Installer\MSI7E5D.tmp

Filesize
349KB

MD5
68dd02e76485cc29531b5bd8edbb1c51

SHA1
f20413b19d82362e15f340f36efd33cdace115cd

SHA256
f950436b53b8f0c94b239fff265d8edccb1897de12b5696eca0bf9a88fc4e7e7

SHA512
acb31b3a2a36b0cd4fbf67ffbe7441f7f227ca7530ba2fb98ff36a865f49b550e78ccd5db9fee33ca9a81465ae4421da7c96be12307a1b1b2f2f0a6237150737

Download Submit
C:\Windows\Installer\MSI835F.tmp

Filesize
191KB

MD5
078130308d747fcebd172b53a0be2659

SHA1
1297f0568c3de223502c73f0795075344ce88536

SHA256
315e0e6c4f26b5d786fd0ae2b3918d55b4c831eb95e3b17ef29161d16ad3bb20

SHA512
e359b415a3b190a59aa10eb24e599ce7345594022fc9bc7c9c3f98e4329701e6ce6634ce46ab20a63c717035f48147e1594664b24d2908610b509dc03521b5b3

Download Submit
C:\Windows\Installer\MSI835F.tmp

Filesize
113KB

MD5
166fc05fff653d83e9fa6f232c1f0f06

SHA1
838433d4cb02e2619733bf80205010718efe1394

SHA256
f615b13f16876c10e9b3ac92249c954c65dfd6950b754c7e630042d49c76efb2

SHA512
7e991bacbebce04a3eec7cbc57928aec559a8e168a11f76747ec3feff3e0b69011c2b45855e2bebb12bc52f904470deef8a3b5161cc3d1847625ece93260a4c7

Download Submit
C:\Windows\Installer\MSI837F.tmp

Filesize
268KB

MD5
738c5cdfbe6c3efdd0af7eddf1221bb1

SHA1
531219359671aa3cc869b812fe354f33033f3ae4

SHA256
59e934fdc4174f312d35129af603160adb11233d7e795398d649e2ffa6ae7204

SHA512
78cfc88910691efa78ce79833c3d9017e1b18f47e09325381281a1d99bbc3afca072101f7b8d9365a37f3443936e231c36fb4fa4caa9daf12c890d6315526a40

Download Submit
C:\Windows\Installer\MSI839F.tmp

Filesize
231KB

MD5
7f70e53d817d479e31486f005ae25308

SHA1
2ea9e26ca38ce6f52d8b638355e8a7e029bbbf5c

SHA256
165c917969d156ef18eccd3d28b456daf603e5181efc6a07510757caf831f94c

SHA512
73cf8c0bdb7017e19afeabf63b271f9d66c7e10594d8f59e946c8bb0fb85c752b63a44698b6b7cfad8408eb868d78668ca08dba33dbb6fca5810c1818b0e7545

Download Submit
C:\Windows\Installer\MSI839F.tmp

Filesize
213KB

MD5
f4dd99212a35a7211bb0698e04b8cf4b

SHA1
4f7b4494bd4780fabde1a194a991041db5440e18

SHA256
b3529a604b0868517e65b0868e3dd8e7ba732a7bbffc89609a93225191042bc8

SHA512
37f1e9d3055b6ba1cf5adb0f78065f22e9abbd288dec5aece0914d2defb3d9a56c8c45d8067ba0ec1de2eb98859cc5bc6bf66cafbd21c60f33aba50fc689a6b3

Download Submit
C:\Windows\Installer\MSI839F.tmp

Filesize
277KB

MD5
6936fa0d2fe21399e3f100c40012caf4

SHA1
3d9fcc97d8b56d7ab15e9bcc1fa67a023dbcadae

SHA256
533d494baa444ee4f7cf07ed8ba254f912d44b38589e7fdd141fb9a6150f7a5d

SHA512
154a2705eb62716a9ebf46aa62d73ef0aee4f81f48d1c4cfda7ead3860e55b82903cbc3d1ce3f8685815b34516f70f37212f990c07b58b25e6856e1bd681a72b

Download Submit
C:\Windows\Installer\MSI8566.tmp

Filesize
362KB

MD5
7e0b08c2dac28b64a81d0220b286dd16

SHA1
e66ad0be631890ff515e45144b906a35cf14d8b6

SHA256
dcd51150c415595f5726d66df6953b47b2f830617506406f82c3f433a0927710

SHA512
9692496c3c54397653f7f9bd3f5df9db01623aa26799b207b38d7b97c8cd9b879c56c2271988b56a1437e5ad28991ce54e2418a202a7ff516ea9bf1fb9a70f8d

Download Submit
C:\Windows\Installer\MSI8566.tmp

Filesize
184KB

MD5
5d61ab66b8bffc50b1fe349ccb611d53

SHA1
74602e9bb4528db14e0fab47f5f2875dc3a96c06

SHA256
47a5b0de0e7a4db0992a9c05f4e87e0cf6e7bb3ce6325f4457e51ee22024f658

SHA512
25dc04b923308daef67fbe139e38baa4ecd52e275379709b95e251b971b18eb6f0aa74f7684bb9e3f55d73eb6dfba4638c8aeb0235ee4b1824719dc802e96261

Download Submit
memory/2696-170-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2696-386-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2696-378-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/3096-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-118-0x0000000001650000-0x0000000001656000-memory.dmp

Filesize
24KB

Download
memory/3932-143-0x0000000001680000-0x0000000001686000-memory.dmp

Filesize
24KB

Download
memory/3932-97-0x0000000000E80000-0x0000000000EAE000-memory.dmp

Filesize
184KB

Download
memory/3932-172-0x00007FF98A370000-0x00007FF98AE31000-memory.dmp

Filesize
10.8MB

Download
memory/3932-190-0x00007FF98A370000-0x00007FF98AE31000-memory.dmp

Filesize
10.8MB

Download
memory/3932-135-0x0000000001660000-0x0000000001682000-memory.dmp

Filesize
136KB

Download
memory/3932-171-0x000000001BC10000-0x000000001BC20000-memory.dmp

Filesize
64KB

Download
memory/4284-59-0x0000000004940000-0x00000000049D3000-memory.dmp

Filesize
588KB

Download
memory/4284-58-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/4284-140-0x0000000000400000-0x0000000002CB4000-memory.dmp

Filesize
40.7MB

Download
memory/4284-376-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

Filesize
1024KB

Download
memory/4448-120-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/4448-167-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/4500-116-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4500-388-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4500-169-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4848-359-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4848-368-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/4848-362-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/4848-361-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/4848-373-0x0000000005CB0000-0x0000000006004000-memory.dmp

Filesize
3.3MB

Download
memory/4848-374-0x0000000006190000-0x00000000061AE000-memory.dmp

Filesize
120KB

Download
memory/4848-375-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/4848-356-0x0000000004BA0000-0x0000000004BD6000-memory.dmp

Filesize
216KB

Download
memory/4848-358-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4848-360-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/4848-357-0x00000000713C0000-0x0000000071B70000-memory.dmp

Filesize
7.7MB

Download