Analysis

  • max time kernel
    1803s
  • max time network
    1802s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-03-2024 11:08

General

  • Target

    https://www.download-free-games.com/arcade_game_download/chicken_invaders2.htm

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 28 IoCs
  • Modifies system certificate store 2 TTPs 13 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.download-free-games.com/arcade_game_download/chicken_invaders2.htm
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd661146f8,0x7ffd66114708,0x7ffd66114718
      2⤵
        PID:1356
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
        2⤵
          PID:3920
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:3028
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
          2⤵
            PID:1172
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
            2⤵
              PID:4244
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
              2⤵
                PID:3164
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
                2⤵
                  PID:2504
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
                  2⤵
                    PID:4556
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
                    2⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4228
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
                    2⤵
                      PID:3368
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
                      2⤵
                        PID:4584
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
                        2⤵
                          PID:1404
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
                          2⤵
                            PID:3128
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
                            2⤵
                              PID:2780
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
                              2⤵
                                PID:4400
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
                                2⤵
                                  PID:5380
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4576 /prefetch:8
                                  2⤵
                                    PID:5408
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
                                    2⤵
                                      PID:5668
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
                                      2⤵
                                        PID:5680
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7128 /prefetch:8
                                        2⤵
                                          PID:5852
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
                                          2⤵
                                            PID:6040
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
                                            2⤵
                                              PID:6048
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5348
                                            • C:\Users\Admin\Downloads\chicken-invaders-2-freeSetup.exe
                                              "C:\Users\Admin\Downloads\chicken-invaders-2-freeSetup.exe"
                                              2⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Suspicious use of SetWindowsHookEx
                                              PID:5604
                                              • C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\GamesManagerInstaller.exe
                                                "C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\GamesManagerInstaller.exe" -installer.createiwinshortcuts=yes -config.channel=20000006 -config.uri=https://www.iwin.com/ -config.channelName=IWinStreaming -config.iwinrequest="PF/1735078040630641019/chicken-invaders-2-free/48/0"
                                                3⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2800
                                                • C:\Users\Admin\AppData\Local\Temp\GMInstaller\GamesManagerInstaller.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\GMInstaller\GamesManagerInstaller.exe" -installer.logstartsent=true -config.channel=20000006 -config.uri="https://www.iwin.com/" -config.channelName="iWin" -config.sku=FIRST_INSTALL -installer.createshortcutswithname="iWin Games" -autoupdate=1 -config.iwinrequest="PF/1735078040630641019/chicken-invaders-2-free/48/0"
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:464
                                                  • C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\toasterinstaller.exe
                                                    "C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\toasterinstaller.exe" /S --no-desktop-shortcut
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:3660
                                                  • C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\GamesManager.exe
                                                    "C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\GamesManager.exe" -config.uri=https://www.iwin.com/ -config.channel="20000006" -config.sku="FIRST_INSTALL" -config.iwinrequest="PF/1735078040630641019/chicken-invaders-2-free/48/0"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Modifies system certificate store
                                                    • Suspicious use of FindShellTrayWindow
                                                    • Suspicious use of SendNotifyMessage
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:5440
                                                    • C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\GamesManager.exe
                                                      "C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\GamesManager.exe" --type=renderer --no-sandbox --service-pipe-token=2464D12238DC21DAB059660E394E919F --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) Chromium/61.0.0.0 Chrome/61.0.0.0 Version/3.9.6.640 GamesManager/3.9.6.640 20000006 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=2464D12238DC21DAB059660E394E919F --renderer-client-id=2 --mojo-platform-channel-handle=2676 /prefetch:1
                                                      6⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:4516
                                                    • C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\GamesManager.exe
                                                      "C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\GamesManager.exe" --type=renderer --no-sandbox --service-pipe-token=24CF5C4B93DF89916EA363F3BD546236 --lang=en-US --lang=en-US --log-file="C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\debug.log" --user-agent="Mozilla/5.0 (Windows NT 10.0; Win32; x86) Chromium/61.0.0.0 Chrome/61.0.0.0 Version/3.9.6.640 GamesManager/3.9.6.640 20000006 WinVer/10.0 [x64] CEF/3.3163.1651.gf229796 UAPI" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553 --disable-accelerated-video-decode --disable-gpu-compositing --enable-gpu-async-worker-context --service-request-channel-token=24CF5C4B93DF89916EA363F3BD546236 --renderer-client-id=3 --mojo-platform-channel-handle=3348 /prefetch:1
                                                      6⤵
                                                      • Checks computer location settings
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1468
                                                    • C:\Users\Admin\AppData\Local\UGMgames\20000006\chicken-invaders-2-free\chicken-invaders-2-free\GLWorker.exe
                                                      C:\Users\Admin\AppData\Local\UGMgames\20000006\chicken-invaders-2-free\chicken-invaders-2-free\GLWorker.exe ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971044141112419747
                                                      6⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:3760
                                                    • C:\Users\Admin\AppData\Local\UGMgames\20000006\chicken-invaders-2-free\chicken-invaders-2-free\GLWorker.exe
                                                      C:\Users\Admin\AppData\Local\UGMgames\20000006\chicken-invaders-2-free\chicken-invaders-2-free\GLWorker.exe ALTUSERNAME;DAYSLEFT;TIMELEFTTOTAL;gid7971044141112419747
                                                      6⤵
                                                      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:5932
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6154581016489020177,8179296673611481459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5380 /prefetch:2
                                              2⤵
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:5380
                                          • C:\Windows\System32\CompPkgSrv.exe
                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                            1⤵
                                              PID:2180
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:2784
                                              • C:\Windows\system32\rundll32.exe
                                                "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
                                                1⤵
                                                  PID:4828
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k UnistackSvcGroup
                                                  1⤵
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2320

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\GamesManager_iWin_ugm3\20000006\webdata\Cache\f_000003
    Filesize: 29KB
    MD5: 0a1cc39cc3f6049e8d97ebe2de642c32
    SHA1: 93d4f34e2d9212930a53cba847d2d86b3ace96d6
    SHA256: 92a177028e4c6d62950420ace948e04fd294a749ee5d1e998d05d053eb87853c
    SHA512: 00cb2f6187d1c4d511a0996db494f9716878962e884d271905f51c5fb6429fbad1a44ffcb87f0e5875756edb25e3530be4f4bc0a2a8744f3d100cffc5446a5b5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: fd7944a4ff1be37517983ffaf5700b11
    SHA1: c4287796d78e00969af85b7e16a2d04230961240
    SHA256: b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74
    SHA512: 28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: a774512b00820b61a51258335097b2c9
    SHA1: 38c28d1ea3907a1af6c0443255ab610dd9285095
    SHA256: 01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4
    SHA512: ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
    Filesize: 62KB
    MD5: e1b1b180e0ac6fa588cc6a536e379f84
    SHA1: e850ccdf4ca521e614e6c1bf31e4a2dfe08ae462
    SHA256: 72d84e0126277ef39e8ac647c57330904b3aa34f238ae51b671472db6bfcea0c
    SHA512: 2031f73585c9d6c8966ddd65e4534c391dadeccb875b659054f96dd7a6114fa9b2ca99593b0f74cba8b90b358b141404db12d4dafd3d347d248b5034e54cfa01

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: dd4f146eadae5fe1fe601de687e7770d
    SHA1: f52582fdb3553b9ce3f4f166de888e41e85b05dd
    SHA256: e028c84d05d56238d3261efda1cdb34cf097d226293f47baa23fac5e420cb134
    SHA512: 255a441376c8ad85cab4ad693a2bfa233b9e28871772cdf8f5eb869be190205462576ad234dadb53093784e04ad4d206f1093e59bc5755bfb54eca7084bd93c5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 111B
    MD5: 285252a2f6327d41eab203dc2f402c67
    SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
    SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                  SHA512

                                                  11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                  Filesize

                                                  4KB

                                                  MD5

                                                  1d8e0ca4af56e2816576d927a4f6dc85

                                                  SHA1

                                                  89c5bc1884e8b8c1de3d986873beb8d6ccaf600e

                                                  SHA256

                                                  d04e818cdd2e0ceac69eab837d95c4de828f65e4a39bbabf417d09aa39076638

                                                  SHA512

                                                  77968e17ec0da8a1ed880418d849fa19d79e819dfbd0a281dd15424ef7fa60ef7016fd3e6ab82e2d70fed2ffbdaa504ab84f31be923ab3657a7ee654136b2cf7

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  6KB

                                                  MD5

                                                  7ce78cfbab20eea2ea49e9ebcec2c2c8

                                                  SHA1

                                                  492769c8d0a130f2f6772b7248c1ba0b816a0663

                                                  SHA256

                                                  ef5ef8c5c93a57abc312129eb1d584fd117d0c0c18d152054144ddfaf1277715

                                                  SHA512

                                                  60023c99220fe5b37fc32ff605489b078c5c2df02f84b4e61b9472c9ce68054a6797c585887e417ce541d5a525754d5293249b8df467f37da61a74c0f834d85d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  7KB

                                                  MD5

                                                  2b6936c84efb85aed1f853f69dbcde85

                                                  SHA1

                                                  ac7385cc9185cf1dc24b9cb10522732a7823257f

                                                  SHA256

                                                  e1eaf248c40b46d888fe4380135bd779f9bb133f04f2eb7d2929e1b08cd7f485

                                                  SHA512

                                                  199a9ed6c87dce022afa08450479307a0fbd8eeb57a0010f87aeb816c23bdbd1dbda18033c27df8d6ade920b5e7fb1965a7216db2c7f8512369c95beec571e0d

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  40141c5d85e929426e788e023d28e4fc

                                                  SHA1

                                                  667bcf547ccc5e5cf57c1a918196de7b90ce2c2d

                                                  SHA256

                                                  9572d05726457ee0ec3546f2e056e91d9e67b8e186c855e9ad61cbe2d01e04dc

                                                  SHA512

                                                  074eaf3cb7961d92288351efea52462e379c250292461286bc29ad51264f452170d877b846de4a67169270513f81e0c0bab8130ce4bba90de9c34fda221e0e00

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  63648b0d0af4a3c94d3f784a4e5135bd

                                                  SHA1

                                                  af2f092a9421f5cec61674a7cb5281789bc1f9f4

                                                  SHA256

                                                  352a751238a2757a5197257fdd869f59214ef64a3709d395d206052886f56c7c

                                                  SHA512

                                                  aab12693cb3a4a2823abeaa180229ddbc97f3c56ae024a1649ddbba6c9d3bd0e42c3b60f1d0c62c3ada5fcf427408bfbeb7861231a413f4e6d6ae50442153d63

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                  Filesize

                                                  8KB

                                                  MD5

                                                  1798ea8877340fd842b34e3d08b003f9

                                                  SHA1

                                                  c522636b39231c11fab99674adb069efed124193

                                                  SHA256

                                                  6b8f5e593ed363b243c458ff567f5ad92080d98fd6a67e97f2e84f463b086fe5

                                                  SHA512

                                                  d58fc2a57c6e9f46832cf7cf4b75fa3e058cc5582c7f37d7425599e1a6e8e026e33720f16374b9618b2ca34de87cb6aa0c7af4aa980a9b218ded291336442494

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                  Filesize

                                                  1KB

                                                  MD5

                                                  4d06ff8a660e2a560837ecfdf8f027a5

                                                  SHA1

                                                  b65f3634389e1d28834ea3904ea2e18eb55a6804

                                                  SHA256

                                                  32b99c1d3079338c71df5bd975d270d83b6a9a661b53e71282755dca9ee424ed

                                                  SHA512

                                                  5aee2a3d36cfff2fbea89c7e2dc6458a9a7d11389e70f960435dfe7031523b01184897ad1c6fd3593dc25e631c341e5305f676f994bab83e1f240369fe4905c5

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff7e.TMP

                                                  Filesize

                                                  538B

                                                  MD5

                                                  b2a9b381ee90767fdb8047e85e927eae

                                                  SHA1

                                                  5680fcb4ecd6f6c30437e3d261bd49086e8e5693

                                                  SHA256

                                                  cc6838d7976a2b8f9b372e6e097ca957b7e9070c461a0e30a0224ff738919339

                                                  SHA512

                                                  8396498cd7f66fb33117a114f44201a77c760f0f03300f40847c15ae6a46dcf3386848743419fc611b0a0d79bf94ddac74be6e1b24974702577364ee0378f4ac

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  bdfa12a1c99355a801fb39adff9e6a2e

                                                  SHA1

                                                  17c1bd7e436605f2b4c3a3bb202eb7a8b04d4363

                                                  SHA256

                                                  10a15698002761f9a10c4f414acaa46f74f043116f2b5838cad85cfa13e39cd1

                                                  SHA512

                                                  06ac3d7bf653a69db33ad1dedfe3f985000e1b01c97ae145e2a6f2ab482ceff39842fa5cc46368514ee884afb4899eca15f62f3272f19f4051e41be1c3816be4

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  6dacfdeeb62f365a9c2e2c92a45f4be3

                                                  SHA1

                                                  e05ebf4c43229cf2a2359695c9c6c55d5f26cc8b

                                                  SHA256

                                                  b7bd35004ff108abf890d0e9fe54d5fb92beb923b0f9be54955a4eda8625b4a5

                                                  SHA512

                                                  d865cbcaa89ae2f4a697345d1811596df0b5b2ef65e48ab5038fceaac64378e745258673861351b459c7c747ecf01413bc42b7fb6f925afad2921ca6c81bfdb6

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                  Filesize

                                                  12KB

                                                  MD5

                                                  5eaf18e7dfad7b7f2c0ffaebf87b87f1

                                                  SHA1

                                                  82a48f9b400d0ea1bd8b9bb1d4124a2d2e8eacc5

                                                  SHA256

                                                  9a885da4ce822320434e0ffe19adc73ac97e77e6cfb92e0c442e9e7c7aeed6e5

                                                  SHA512

                                                  97aeafe8c06508d0b50ae613b11b2ebbb9e324192318f49141aa1cb0b2edf7b3f528410f23fde74179328414c407f924be00909b000c284ba29ce97d386b9c8c

                                                • C:\Users\Admin\AppData\Local\Programs\iWin-Games-Notifier\iWin Games Notifier.exe

                                                  Filesize

                                                  16.7MB

                                                  MD5

                                                  fc54f715afe3e34bac66901e0f0f1cda

                                                  SHA1

                                                  f2d2de191d87ffbc3504facfd431b7b27a615568

                                                  SHA256

                                                  6084b9b3c5fea844450a787a4e251347515a156a139de155c7ab27f46dc019f5

                                                  SHA512

                                                  103571f3424295756d9edde3fa894303dd6c9a8e397bfd595fa1c588ad11bb57af0474a25f3d59aeffb708bf2fe2f55c7e1dbcbfed19dcf3066d11f4f08ff07a

                                                • C:\Users\Admin\AppData\Local\Temp\GMInstaller\GamesManagerInstaller.exe

                                                  Filesize

                                                  3.8MB

                                                  MD5

                                                  2c51123cbc6a8e69ade0947ad18ac9b7

                                                  SHA1

                                                  0d3d08a50e289fd78cd6bd4dee8899d3fa7c3b4d

                                                  SHA256

                                                  36b785a39704b784222120b38a2d5ea74a70b88319515417886049f1de9f3ddc

                                                  SHA512

                                                  917e3f6dd6c83768486d92ad794bd1a974e5065dc531bcb174ce7e55a1cfce0394edd7e6b3240c3ebfd1d96ff341c995655a3d14cbc48eaa1c9e11239e2d51a3

                                                • C:\Users\Admin\AppData\Local\Temp\GMInstaller\GamesManagerInstaller.exe

                                                  Filesize

                                                  4.4MB

                                                  MD5

                                                  f5df157313688c47bad4518b02fa8a08

                                                  SHA1

                                                  be446b9721244fc7bbb21736f4da850ecc37e52c

                                                  SHA256

                                                  0a6183d57a0c132a0841180ff66231c80097e83a2cff616861a269dfef492f54

                                                  SHA512

                                                  a422cbafc538355686eab988d833f736c113146055a2ba716636bda3edf491fefa95d018da4ff53797af8cd1d882548bfee8422cd4962c21760fc2c2c5775a97

                                                • C:\Users\Admin\AppData\Local\Temp\nsbF4E3.tmp\System.dll

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  bf712f32249029466fa86756f5546950

                                                  SHA1

                                                  75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

                                                  SHA256

                                                  7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

                                                  SHA512

                                                  13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

                                                • C:\Users\Admin\AppData\Local\Temp\nsbF4E3.tmp\nsProcess.dll

                                                  Filesize

                                                  4KB

                                                  MD5

                                                  f0438a894f3a7e01a4aae8d1b5dd0289

                                                  SHA1

                                                  b058e3fcfb7b550041da16bf10d8837024c38bf6

                                                  SHA256

                                                  30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

                                                  SHA512

                                                  f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

                                                • C:\Users\Admin\AppData\Local\Temp\nsnD3EC.tmp\INetC.dll

                                                  Filesize

                                                  25KB

                                                  MD5

                                                  e7ebd034dacf96fcc0c7a35c62477d21

                                                  SHA1

                                                  cd372d0607d94b48ac84a1738ed434df4d882f22

                                                  SHA256

                                                  dc84aa66f398781fe76eecf90fc6613f729076552d4b268269228b754bfd70d2

                                                  SHA512

                                                  df367b39c7c62ba2df1d50cbe3dbc97a7a2719fae7684330b4df971f0742c3447f0beb2d295a206522bbce6fbd0053d188d159f7236b6953d35cbf51aecc1bf3

                                                • C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\GamesManagerInstaller.exe

                                                  Filesize

                                                  3.9MB

                                                  MD5

                                                  dfed3529d35bc5a159708ab5b86e1703

                                                  SHA1

                                                  f80f4c2b9ae6ff94afa74e274d72e3343fbcde28

                                                  SHA256

                                                  9407d6d1005e52f4ab9e0f587cd1b167b6f946b0d2f4173c56d71b96e09fbb69

                                                  SHA512

                                                  32fda69071c0d28cfda83e0e84c6d296f833d69b180621ed98765274ed2500b1d455ac4aa50e00b2e4b09703a99178216d399c8161fac4f608b16ba061fe3258

                                                • C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\GamesManagerInstaller.exe

                                                  Filesize

                                                  3.6MB

                                                  MD5

                                                  58edd8be4b509b11589e37ac4b1f8daa

                                                  SHA1

                                                  c6e055033cc922fce58a4b789febc9c0cc13a685

                                                  SHA256

                                                  09cd920f961ebea7a0e282d17fc69632a84b34167434f6dac7a5213808f77eb0

                                                  SHA512

                                                  74a28da6f0228720028f87f3cdc7bd8a010a0afd217120c91cea412ebd3b5629340b86fd1394392b4692c4b841a5e8864b8a6237afa037a998f13be2cf810cdd

                                                • C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\GamesManagerInstaller.exe

                                                  Filesize

                                                  2.8MB

                                                  MD5

                                                  10f0dcc4ba977b6a080d710d3d343e57

                                                  SHA1

                                                  cf15965161a7974a8b09754d450153ced41ca6e3

                                                  SHA256

                                                  6ae499724a02b1126cc4144099e5d7f7ced231c0bbe4130d3459d3b403d026e7

                                                  SHA512

                                                  881a9172b1dfa293460117c844e8bd6a3845b78d2f12b200edcae3ef0fcdb0e30326ff8f7afdb081cbd8564d2ba9f07542e85e2732bfc1a231336135b25caf98

                                                • C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\NSISdl.dll

                                                  Filesize

                                                  14KB

                                                  MD5

                                                  a5f8399a743ab7f9c88c645c35b1ebb5

                                                  SHA1

                                                  168f3c158913b0367bf79fa413357fbe97018191

                                                  SHA256

                                                  dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

                                                  SHA512

                                                  824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

                                                • C:\Users\Admin\AppData\Local\Temp\nsq2101.tmp\System.dll

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  c17103ae9072a06da581dec998343fc1

                                                  SHA1

                                                  b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

                                                  SHA256

                                                  dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

                                                  SHA512

                                                  d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

                                                • C:\Users\Admin\AppData\Local\Temp\nsq7397.tmp\StdUtils.dll

                                                  Filesize

                                                  101KB

                                                  MD5

                                                  33b4e69e7835e18b9437623367dd1787

                                                  SHA1

                                                  53afa03edaf931abdc2d828e5a2c89ad573d926c

                                                  SHA256

                                                  72d38ef115e71fc73dc5978987c583fc8c6b50ff12e4a5d30649a4d164a8b6ae

                                                  SHA512

                                                  ca890e785d1a0a7e0b4a748416fba417826ae66b46e600f407d4e795b444612a8b830f579f2cf5b6e051bea800604f34f8801cc3daf05c8d29ad05bcda454a77

                                                • C:\Users\Admin\AppData\Local\Temp\nsq7397.tmp\System.dll

                                                  Filesize

                                                  11KB

                                                  MD5

                                                  17ed1c86bd67e78ade4712be48a7d2bd

                                                  SHA1

                                                  1cc9fe86d6d6030b4dae45ecddce5907991c01a0

                                                  SHA256

                                                  bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

                                                  SHA512

                                                  0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

                                                • C:\Users\Admin\AppData\Local\Temp\nsq7397.tmp\WinShell.dll

                                                  Filesize

                                                  3KB

                                                  MD5

                                                  1cc7c37b7e0c8cd8bf04b6cc283e1e56

                                                  SHA1

                                                  0b9519763be6625bd5abce175dcc59c96d100d4c

                                                  SHA256

                                                  9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

                                                  SHA512

                                                  7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

                                                • C:\Users\Admin\AppData\Local\Temp\nsq7397.tmp\nsis7z.dll

                                                  Filesize

                                                  391KB

                                                  MD5

                                                  c6a070b3e68b292bb0efc9b26e85e9cc

                                                  SHA1

                                                  5a922b96eda6595a68fd0a9051236162ff2e2ada

                                                  SHA256

                                                  66ac8bd1f273a73e17a3f31d6add739d3cb0330a6417faeda11a9cae00b62d8b

                                                  SHA512

                                                  8eff8fc16f5bb574bd9483e3b217b67a8986e31497368c06fdaa3a1e93a40aee94a5b31729d01905157b0ae1e556a402f43cd29a4d30a0587e1ec334458a44e8

                                                • C:\Users\Admin\AppData\Roaming\iWin Games Notifier\installer.exe

                                                  Filesize

                                                  5.9MB

                                                  MD5

                                                  3c0ae3e39b71f3344260a2bcff80c3fe

                                                  SHA1

                                                  f4789620d095c72830e0fe2c941845320954b514

                                                  SHA256

                                                  5f3752e63360a15fc3f2206d06711b5b6d90e2221269b50c40104be5b67ca84b

                                                  SHA512

                                                  7b7a2789da4548df471711ac3213fb82c87cd75a161bea8e287c5701b1d6467731692a45c036e46ad7d284a6b1841dab0ffccfdfb4777d2282657a66f4e593bf

                                                • C:\Users\Admin\Downloads\Unconfirmed 880023.crdownload

                                                  Filesize

                                                  110KB

                                                  MD5

                                                  26b0faa4a3fa0f8811f7db8b6e520ee3

                                                  SHA1

                                                  27d48f69f819cb2e6e45459f9bf58e41b5eb10d5

                                                  SHA256

                                                  2c5a06e9fb27f421d0a624a52910f77d74fb4de6758934c06481e79025b3d005

                                                  SHA512

                                                  e3342eade8e32e090bfd9c145f40c01adea249578a8020aadc506438bca57ad022b8144fc569a87ff9cbc806095bcb05fd7dc2022ceac02d1f3e3786be272bd6

                                                • \??\pipe\LOCAL\crashpad_4960_OEKZINMCNZQJRBHK

                                                  MD5

                                                  d41d8cd98f00b204e9800998ecf8427e

                                                  SHA1

                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                  SHA256

                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                  SHA512

                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                • memory/1468-1213-0x0000000001290000-0x0000000001291000-memory.dmp (Filesize 4KB)
                                                • memory/2320-1613-0x0000024E97D30000-0x0000024E97D31000-memory.dmp (Filesize 4KB)
                                                • memory/2320-1580-0x0000024E8F640000-0x0000024E8F650000-memory.dmp (Filesize 64KB)
                                                • memory/2320-1596-0x0000024E8F740000-0x0000024E8F750000-memory.dmp (Filesize 64KB)
                                                • memory/2320-1612-0x0000024E97D00000-0x0000024E97D01000-memory.dmp (Filesize 4KB)
                                                • memory/3760-1526-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1539-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1540-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1541-0x0000000002B40000-0x0000000002D4C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1543-0x0000000002B40000-0x0000000002D4C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1544-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1538-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1535-0x0000000002B40000-0x0000000002D4C000-memory.dmp (Filesize 2.0MB)
                                                • memory/3760-1528-0x0000000002B40000-0x0000000002D4C000-memory.dmp (Filesize 2.0MB)
                                                • memory/4516-1207-0x00000000011A0000-0x00000000011A1000-memory.dmp (Filesize 4KB)
                                                • memory/5932-1564-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1565-0x0000000002990000-0x0000000002B9C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1569-0x0000000002990000-0x0000000002B9C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1570-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1563-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1562-0x0000000000400000-0x000000000060C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1558-0x0000000002990000-0x0000000002B9C000-memory.dmp (Filesize 2.0MB)
                                                • memory/5932-1552-0x0000000002990000-0x0000000002B9C000-memory.dmp (Filesize 2.0MB)