73cb3d7601ea224b083d2348a3c1e69de9d9105e85ac501565108a88bd663ecd

Analysis

max time kernel
149s
max time network
132s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WeBuff.exe
Size

142.1MB
MD5

8565a8a9de8c300a4a7b0f8eb196565e
SHA1

51cc2e86ccf55460f6f70e17414eda71846f343e
SHA256

88c4955b3f1ec5dd74160b77fa1e318352d6abe78516c6e36828085bfe6ff343
SHA512

92f9c84c66aa72f8eb2ec1d9f8c6420ac38ae06a29c8bfbe968b1ce815b898e02fc9b4003937f7f084d26fa8bef8a4054945d17d197f7f2e352f009e90d0350b
SSDEEP

1572864:OWngZjY37M7WblAypLUB3zuUJGVmAooiYQbmf+L:OIzwWbAJOqmY

Score

7^/10

discovery execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	WeBuff.exe

Executes dropped EXE 3 IoCs

pid	Process
2500	WeBuffCore.exe
848	WeBuffHK.exe
2692	WeBuffHelper.exe

Loads dropped DLL 1 IoCs

pid	Process
2380	WeBuff.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1700	powershell.exe
2576	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeBuffCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeBuffHK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeBuffCore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeBuffHK.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2720	ping.exe
620	ping.exe
2316	ping.exe
568	ping.exe
2036	ping.exe
344	ping.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WeBuff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	WeBuff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	WeBuff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	WeBuff.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	WeBuff.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
620	ping.exe
2316	ping.exe
568	ping.exe
2036	ping.exe
344	ping.exe
2720	ping.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
600	WeBuffCore.exe
600	WeBuffCore.exe
1700	powershell.exe
2500	WeBuffCore.exe
2500	WeBuffCore.exe
2576	powershell.exe
2500	WeBuffCore.exe
2500	WeBuffCore.exe
2500	WeBuffCore.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2380	WeBuff.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2256	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe
Token: SeShutdownPrivilege	2380	WeBuff.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2256	WeBuff.exe
2256	WeBuff.exe
2256	WeBuff.exe
2256	WeBuff.exe
2380	WeBuff.exe
2380	WeBuff.exe
2380	WeBuff.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2256	WeBuff.exe
2256	WeBuff.exe
2256	WeBuff.exe
2256	WeBuff.exe
2380	WeBuff.exe
2380	WeBuff.exe
2380	WeBuff.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 1280	2256	WeBuff.exe	30
PID 2256 wrote to memory of 2864	2256	WeBuff.exe	31
PID 2256 wrote to memory of 2864	2256	WeBuff.exe	31
PID 2256 wrote to memory of 2864	2256	WeBuff.exe	31
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32
PID 2256 wrote to memory of 2604	2256	WeBuff.exe	32

C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
"C:\Users\Admin\AppData\Local\Temp\WeBuff.exe"
1⤵
- Checks computer location settings
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
  "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 --field-trial-handle=1160,i,8016055283139005272,10270637715366580102,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
  "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --mojo-platform-channel-handle=1576 --field-trial-handle=1160,i,8016055283139005272,10270637715366580102,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
  "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1552 --field-trial-handle=1160,i,8016055283139005272,10270637715366580102,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2604
- C:\Windows\system32\ping.exe
  C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 tmall.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffCore.exe
  C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffCore.exe -pid:2256 -uid:b691-057c-44cb-6c
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:600
- C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHK.exe
  C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHK.exe -pid:2256 -uid:b691-057c-44cb-6c
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHelper.exe
  C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHelper.exe -pid:2256 -uid:b691-057c-44cb-6c
  2⤵
  PID:1896
- C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
  "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1872 --field-trial-handle=1160,i,8016055283139005272,10270637715366580102,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --frame-name=main-renderer /prefetch:1
  2⤵
  - Checks computer location settings
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
  "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2492 --field-trial-handle=1160,i,8016055283139005272,10270637715366580102,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --frame-name=main-renderer /prefetch:1
  2⤵
  - Checks computer location settings
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe "Set-MpPreference -ExclusionPath D:\product\test-electron"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
  "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2560 --field-trial-handle=1160,i,8016055283139005272,10270637715366580102,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --frame-name=payment-renderer /prefetch:1
  2⤵
  - Checks computer location settings
  PID:568
- C:\Windows\system32\ping.exe
  C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 baidu.com
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:344
- C:\Users\Admin\AppData\Local\Temp\resources\updater\WeBuffUpdater.exe
  C:\Users\Admin\AppData\Local\Temp\resources\updater\WeBuffUpdater.exe C:\Users\Admin\AppData\Local\WeBuff\updater-node.zip C:\Users\Admin\AppData\Local\Temp\resources C:\Users\Admin\AppData\Local\Temp\WeBuff.exe C:\Users\Admin\AppData\Local\Temp\resources\extends C:\Users\Admin\AppData\Local\Temp\resources\app.asar
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
    "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" /c
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
      "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1132,i,8559224518243297765,10650084770518026955,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:620
  - - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
      "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --ignore-certificate-errors --ignore-certificate-errors --host-rules="MAP js.stripe.com 47.57.140.107, MAP m.stripe.network 47.57.140.107, MAP r.stripe.com 47.57.140.107, MAP api.stripe.com 47.57.140.107, MAP merchant-ui-api.stripe.com 47.57.140.107, MAP b.stripecdn.com 47.57.140.107, MAP hooks.stripe.com 47.57.140.107, MAP cn1.hcaptcha.com 47.57.140.107, MAP m.stripe.com 47.57.140.107" --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --mojo-platform-channel-handle=1588 --field-trial-handle=1132,i,8559224518243297765,10650084770518026955,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
      4⤵
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
      "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1100 --field-trial-handle=1132,i,8559224518243297765,10650084770518026955,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      4⤵
      PID:1288
  - - C:\Windows\system32\ping.exe
      C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 tmall.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffCore.exe
      C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffCore.exe -pid:2380 -uid:b691-057c-44cb-6c -uri:aHR0cHM6Ly93ZWIud2VidWZmLmFwcC8=
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2500
  - - C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHK.exe
      C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHK.exe -pid:2380 -uid:b691-057c-44cb-6c -uri:aHR0cHM6Ly93ZWIud2VidWZmLmFwcC8=
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:848
  - - C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHelper.exe
      C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHelper.exe -pid:2380 -uid:b691-057c-44cb-6c -uri:aHR0cHM6Ly93ZWIud2VidWZmLmFwcC8=
      4⤵
      Executes dropped EXE
      PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
      "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1880 --field-trial-handle=1132,i,8559224518243297765,10650084770518026955,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --frame-name=main-renderer /prefetch:1
      4⤵
      Checks computer location settings
      PID:1572
  - - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
      "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1132,i,8559224518243297765,10650084770518026955,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --frame-name=main-renderer /prefetch:1
      4⤵
      Checks computer location settings
      PID:2152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe "Set-MpPreference -ExclusionPath D:\product\test-electron"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\WeBuff.exe
      "C:\Users\Admin\AppData\Local\Temp\WeBuff.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\WeBuff" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2620 --field-trial-handle=1132,i,8559224518243297765,10650084770518026955,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --frame-name=payment-renderer /prefetch:1
      4⤵
      Checks computer location settings
      PID:2208
  - - C:\Windows\system32\ping.exe
      C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 baidu.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:620
  - - C:\Windows\system32\ping.exe
      C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 qq.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2316
  - - C:\Windows\system32\ping.exe
      C:\Windows/system32/ping.exe -4 -w 5000 -n 1 -l 32 taobao.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5213a1a6ffd72df732c8b3894ec959f4

SHA1
4285abae813ff6794f4a1c2b3df2cd35f3d3222e

SHA256
71573afbdb2268399a9dbf75c1b2c3dcb05a65366ef253d3763ebd0359459f33

SHA512
fb06e254662d05f3c2a1d808024b2601b5a93256910b31d9bdafa06e8dffea3f026e24289c65bdfcba6f9392b18761f306d8dced873f93f1e579b4555aba7961

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f8990ae-5af5-44ea-b819-80501d5aaa85.tmp.ico

Filesize
201KB

MD5
f99d5b9421f2bcd2cea8aca008d6c33e

SHA1
c6a5661f2ed4adfd23745d6f7fac3aacfc5c6080

SHA256
175ff4491b6eb79a01e05a2d78ffd7d1ac2c04ad78d29a4e02107fe47b0ff4d3

SHA512
fd534ccc693ba29fd585241ac9fd30e600edb84f1acf71165ce2e56eeb82616ae7ed6eae775018e927675f4b3f8890cfb4aeb637f13d4afd322076d6d5d429b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDA1B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB18.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\resources\app.asar

Filesize
6.4MB

MD5
3a3906650ea8958da244f9eb2381c01d

SHA1
e79917a6a5a73d7a496dde819a901a4650f7e586

SHA256
9b147dfb1e12c37e5262d730d3fb5c74f318e55579163512e308a78210b1a251

SHA512
090a57947762d8907adb3c44be8ed7887bfa0ad64fb00ca09890ee6f52d3afb28485fd05206e8d8733e830b92592c9a576f130bb9ef4f3475eea579ec46a7315

Download Submit
C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffCore.exe

Filesize
2.5MB

MD5
498dc473d870d976596da8322724af83

SHA1
9eba62b37a2fd54bdd19f9999819cb3e58991445

SHA256
192d6b1d8fd0f4e31fe17754ce0a39cf3ada2250ab9621e10f498916ea781923

SHA512
1d5c02622f38a66edeaee55f9f378abd586824ee9d73b08fbac27115c61faee8c25e66ab11cfcf4c5d41d18a0436bc755d25902c674dd486978f931a0c76b4b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHK.exe

Filesize
465KB

MD5
49b67a2c062ff38ca1653c529ccf30df

SHA1
e95b46b844a6d4e42ddc9ba55afa44f4896521b9

SHA256
a5b8b9037c41a267b38a1b7d1f5cbc5c744f381f0b6f1f92ccbd3c3140f8ebdd

SHA512
516fde15995776be01aac1d1d5c08bb9bfb961fd79ed266a5cf3762c4d0d7c365060cbb64e546fcc343ff833b40421a0103a20a469426e606a945d59fd8125bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\resources\extends\WeBuffHelper.exe

Filesize
1.2MB

MD5
2127965db95e6472ae500e6caef22954

SHA1
5345a04f92270f2b2c35dbb3e358814b7d17b56d

SHA256
3ddac86c2d7f5c2b938b7c16822121cbebc5304ebba4880a3c27e5a635864214

SHA512
b9aade3b7e6871055a30737b108ec1c4d8aee69180861872dc6d3907099244cb11d2fe8c0b0b6a0e56053d9d4ee9abe663f191652b02c437f0e5d4dff6adcb55

Download Submit
C:\Users\Admin\AppData\Local\WeBuff\updater-node.zip

Filesize
4.1MB

MD5
de85258ee96ed4cd84b1a4086e818b81

SHA1
7842c7d90056c2c4a16c69cd7b5db5b7d2132a4e

SHA256
6dec09036c52070b10da9cb49b6a114a70e3ffcf91b1f8a6108a0f2f6cd77de3

SHA512
77f0dfdbb611c75d799733cde6d93d5dc21f0cb56d2d65b14974fb6edb4855f3370ac22d47cec8a9e20ac9b667d0ec37ce1fc24699183ec4bcf6e291f41807df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a17d43897512d57924d7a19aee3330f3

SHA1
bf445dd023cdfb488293d0267ca2310c4256c82f

SHA256
7f4de65e05cdb3467cae82414d9a50479c371f92e4e6af245890dae2e5903fb5

SHA512
24e9dc84ae29c7485217a8df020f0d6637be32686ccf5c3b8b1b3b5bddf30cb6a4ebdb3b154586b813fe829d8c50a69edc32a8ba7d44558fd543e21825e08298

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\data_0

Filesize
44KB

MD5
1fd4f69bb5a5ef05fe4f462c0911bffe

SHA1
d8d5833105ba7c274eafa0b3bddcb3d8c57afcd4

SHA256
4ccb020a04c4b545b7d1c8804b99e27046e0180a90814fb6986d4ace9157c2ed

SHA512
1d49e5407179f536bd664424f2c76e3f04d92faf875909725508aec6a921aa5cce03caf626c65c813fd0f678bd18d029312315d824d0e3c8910bee34b3876298

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\data_1

Filesize
264KB

MD5
7e9143f12f267cd855b3622000e5b2a5

SHA1
9d73fda005746f556f89e6f7cec16a1dd1ccbb0b

SHA256
d52acc9919cfa162d2eb29a641213b570af78b543220b0fa03f4fb7b99d78a7d

SHA512
b45256db7b60d0e14cdecdaeb7d6bdf63d298003e12a034be8c5eda19b03d53581c0f0f0ae784bd1b4aeff29c92a71ffaac481494617699990bc6597064cf8db

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
677448c275dac36c380e0a87161ab53c

SHA1
7590f09bd13802bef377a9e0bfc06264a9e01c61

SHA256
88a56e19c36ad3bedaa34164e9ca7424453800570d5abf7523ae466183eea0a0

SHA512
4eeae6edf774dc91205f828a6d773377d480b2051611289e4b3cc47b2ada2bf97fa893b0ef66a1251d73bfc65fe809f6ba489ebb96574ce6fe68cce3314ffb7c

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
5c4769425e0d23347d4a064914bb8754

SHA1
631c9538b54bcae7a6f11ce2d79d12b7ffb3e535

SHA256
5181d341d2d238458aec4889e58d8405585f2aca6c0110ca95487a00434d7a34

SHA512
8f0246d8e71c4a7efb9faadc2008fd0b1b95652955438a8e7cab1b401ed008ed8f485fe5f841b1aa6061b0a3a3fbd4af31d9abec40c1e1055ff3cff03298bfbc

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\f_000005

Filesize
43KB

MD5
84b67a763f5df4f48134d1cb6cd29e7c

SHA1
16e6e75c499a8bf833b83b372f4ab5d0bcdf8604

SHA256
4f60284aa67a8759b72981e7fe267c6470e17b37d3106658b80ff74636838375

SHA512
f9c9ba3fb24537b7cccdf30ff17d00fbc6dbc6a216590b9697b4eed0ef651fa08da20f395c8c1bc3967b73733574288c081276c50880a6e4a875cc23e2fbdbae

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\f_000008

Filesize
155KB

MD5
4fb592f1bb85d935fbc51b95429dfe94

SHA1
84ab552c45e58758b563d32ca09486886978bda7

SHA256
a29b487bf0e340e210a8d8a2acfaeb9a61dd3e99fda934cd4e17171894694ecb

SHA512
4f67a7cccce020d3f96a9bf863f88e3dc417ef2713c145862967ea8e3abd1afb7ecf0d3cbba072a0444114736dd29e90d3d6b47fb3517779a5adc161da75edd0

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Cache\Cache_Data\index

Filesize
256KB

MD5
2bc83721ccdf9f902b7b6699663d7fa4

SHA1
90b478d11496f586b1ffe86d56f19988623a7ea8

SHA256
a4384b091552378d40b315c40d8cc606ecce65a93060a03879b0f02ef548a42d

SHA512
ef60d8a9852240930944ac7054b9d03284bd12818611fdd045fd41134af3ecff4c24ed699295acdadcbea830463543557837f93e280d4faaf1f09b4a63c585ea

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\1cf3555897113af5_0

Filesize
198B

MD5
82df26fa71a03cda96939257bfc9bfa5

SHA1
dc6375e7491cc9bac47b451edb0109f16137e4a5

SHA256
861d46ae17990ebadc4be888e066555b0c5444345faa99d1945954d0effffa82

SHA512
9ff9698d831cc63809a9b9e585c4eb4263f33a7c571c261f527cb6a68ae45c18a1666a3cc0a4abd8d5d913f164137a2fe56c618a4b2c2ee47c9c305a217520e3

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\2d52406fe2d4b746_0

Filesize
198B

MD5
00cf8db6b1afb41bd9ab9d84a823b1f1

SHA1
8f83ff865f487b65d8b6e1dca72fb80f8487fcb8

SHA256
88a4783af35bd22318e6dfc92b422f6e83b4a9aeea70c81b091fc41fe10b702b

SHA512
11d236a5e828b2ad42df69e846f791724e89e05608619ba7bf6ddf685c77f349f716fc7540bf952ceba95b5ab2ba41e49b11f84fb7e7f17b0c8f17baffac05f0

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\58c45d03d5bd45c0_0

Filesize
198B

MD5
27f3ff53b37c39df2ad8e83b5ab3ecef

SHA1
d3a1e34e861e6516788b62d33269f04ea000f264

SHA256
039f3552990a75090fdbbcc0e61b422586400161cf4d0b56c5f84eafafc065bb

SHA512
40dda89dd7dd757a20410ef7e00668f4369749a1abaaf45aea555ac06fb57b06d0664cf4197001e94bb1693b32cdfe0921e67c7a45a1f3c488073a1f0954b9c4

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\8544af5d4150c29c_0

Filesize
190B

MD5
4245f995b70d4737cb090c219bc80f85

SHA1
22a07f2c6f1265c7a274a3df901c0d6b432a9fe0

SHA256
0998f730d442cc676634cdde8e5dff6c1eacbee81f22e5f9f5abe646e61e2336

SHA512
93a6e0ccbea88c2bd16f98b11a34d5cdd46c30d18e5fbad1fc58734e7fb3106bd766404250467bf7a83da05d5a62fefb9556b5032de44ca1a3845fc3dbfeec59

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\a78bcbf60b54d6a8_0

Filesize
197B

MD5
d15143b8ada83ce07ec31fa427e7183e

SHA1
43eec531073bd9124e506c5ec48e03691043b951

SHA256
e7d8d1b56dcc8e600e19889063c95f0dd3a85b59e68c31bc08ad992373c3593a

SHA512
0b9b66e545c3fe82eb73744c6e24e32013a6b2cfc1277b47874ace8fa010b7ce03a6bb650f7cf3e1d3bfc4fdb15a3ccef3e69e364727cd9f7af2bb293b6656de

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\afd3c0514ed48a57_0

Filesize
198B

MD5
f05ff3f26f1ea11046429c9508a143f8

SHA1
6b9a420e61ab7f28fbfd945d8933eff48b0753f2

SHA256
1f9b46077a6746a887a796cc087b0f53517571a7a07c854bf98b4e6f837e262f

SHA512
06be5525518ed56c560bb61eda4a3718dd7d45626bf1729f04e27f294c624c653eb7561d9e1c0a8a1f939647804246778fef29190e38c62f8f7b30e709762823

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\eaa048502dea5f17_0

Filesize
200B

MD5
d6d63abf378133f88e154c989816efda

SHA1
f426265d0a95b4189cb9079995a22938ea7a61a2

SHA256
5f00763d77dbb178a7400bcfb9ba185a4b04df589723a52b41f80917be9ab079

SHA512
08f590c1716a125f0500fa1c41610f022376a5456e0d8012a0b145bb6042b96a273a2d6405e3dece2ac8e8d68c7609f9a9edc6d385c620308f03afa0fd8f0b82

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\eb339e2f45264916_0

Filesize
163B

MD5
27bbdac77dec1aaffc354a17422205c1

SHA1
3aa8ab3efbe856a3debb3f7ef9b606c511642c13

SHA256
623d2e3b7a9663f343e4cfe05060ee0b7314d4b50062b39f272298de813f3880

SHA512
d3a803e4a34c1226bc22c72b2361f807766f9cba7fb205a6c1e81c7af30adea583d3a553dbdeffcf53e458476b7f816805892b55964a7eee5ae28b64896b6931

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
d54ac162db1f0017b5488bd01932c5f9

SHA1
a08b8c07fd2c739b235db6423d9a1fb792c318fd

SHA256
6572b200035bc2b96f582d73d848ecfcb4d5da76b108be156f70de29d6d8c6b8

SHA512
8f6db2579235dd1f32099d89b39934db78d893e8bb1e790c380f2e52d474cc68249f4bbcc8889373c3588d95f2d8f525d63e7154fe18edf410564fd97216ace5

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
0ed0a3f7b5b8e6c87fb30ba6045475ac

SHA1
25bf71347dc5d4e91fa5bdba9c17fa756632ff14

SHA256
b46e1c5d29e431ea8594d0ea4667ea1a94832c07d5b8b43fcafe04f040276d24

SHA512
ab9973fa8ce2f39dc0cfb24bc8289f02c2d31f138543aecab21196c81e947fbb29aac66cde779fc50ac977434f674d9242aca1b3654d12fd6e0b5cabc41ef439

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Dictionaries\en-US-10-1.bdic

Filesize
441KB

MD5
4604e676a0a7d18770853919e24ec465

SHA1
415ef3b2ca0851e00ebaf0d6c9f6213c561ac98f

SHA256
a075b01d9b015c616511a9e87da77da3d9881621db32f584e4606ddabf1c1100

SHA512
3d89c21f20772a8bebdb70b29c42fca2f6bffcda49dff9d5644f3f3910b7c710a5c20154a7af5134c9c7a8624a1251b5e56ced9351d87463f31bed8188eb0774

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\FontLookupTableCache\font_unique_name_table.pb

Filesize
125KB

MD5
7bf4a3afd481e17c36d6f2bc35796421

SHA1
f816d40b69445fc4f294d94db5139b7671ed0828

SHA256
165249734f710f122209b3f491efec4e680dc4df9b257ec9a02924746432188c

SHA512
196664a07fa9cfa94e5237578637933210234e81514cccae1a41ff6abf9a8fa1e22f587a31ce3a799f22b7bec37ab7f502b12152bdff549c8c908de4e406feaa

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\GPUCache\index

Filesize
256KB

MD5
341853e3f47682517b1263fb93e06c05

SHA1
c27aacdcdf62d0a1fe4194a0e58da18ca2627a31

SHA256
80ee66a18069507cd446e8c943cd7211d4cac67123ded87d25553bc018231218

SHA512
74bfe82207d2f3b83e9c96a19a888e6e8d5d02c799be094a2677c04b43770d05370a11c6f17908083148dd2b4af8479207368e798eb9928ae7c4ff0a0c51e6ad

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Local State

Filesize
389B

MD5
9443c2a609bbb2808627ad9f33de4b00

SHA1
16ff9aa9052c6dad1a5e7f0327e0abc35e5d4f02

SHA256
24bcf91f101d2b85db19c1a71247592658c911d47f470141e1df57efb0bb7d92

SHA512
9fbbb7d146a7789cddc715f0c25a8ebc6736d909df7cac28e09c7fdf42eff2e60503b10bb053ae9178d197c38a4242701e6a6988452ffddf5a04a73990a5e9bc

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Local Storage\leveldb\000003.log

Filesize
97B

MD5
f8d86349f6fc8eb0da623d200da4293b

SHA1
53a10dd7d3825d9e9308285fadf224649b014bf9

SHA256
90bb3455f63e4c1dce8c5b4bf164e4ed90661ff614bc2b7e46202f88d5fab7b3

SHA512
ce1fdc1b1cb60e5a41596615c2e142532ce12654579ab78fb7067a0484b84414a0d249c1ae4917dbce8c6928bb62cb37288ec649d76e405cc64ac40448548598

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Local Storage\leveldb\CURRENT~RFf76d3f2.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Local Storage\leveldb\LOG

Filesize
167B

MD5
07adab4646acb47dea46449569dd1942

SHA1
891efd1c0117ec2ad7ec200a34d8bb1e53d97d48

SHA256
f75d9bfe126f66e991e68f375386c1e7695fcdcdcccf0c0a60810bc823ece971

SHA512
e829dd8b29cce03a0970780780a68f717e6bdff2bf0a97f40cdc5d5260620ab154a0ece8962be64d3667f273caf750f3024f8d730e033e10f3128eb077f3de84

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Local Storage\leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Network\Cookies

Filesize
20KB

MD5
639ffac0e7a88e40f19c04e010a788dc

SHA1
927969362ee40ae64e54e7d2cbec85ac532d7e87

SHA256
90e0d57519fb642b1ec44fd70182f0fb4856484bd8300f76be02d77222f7f08d

SHA512
0f54ddb961b2bc6093a42b2f1dc2dd41b2713f46a323ebe5c0cc07c118eb4ad5b2eaa1087984c9e360d323fb5e79367a93e07b0e0239aa6f97efe0c88cbdd7bc

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Network\Network Persistent State

Filesize
1KB

MD5
0b84b72c92a864cb9bc642157a571c0e

SHA1
59588e2c5868a3521d13faa304902d4050eae37c

SHA256
d5003ce4307aea0de451fdb2579e8d31cbfc89fed13d550a898aaba06e233f71

SHA512
4db2b0b3e348415eb03ea980e46e729eac9525193435266d3081bb20371748dbdf6a2f94e621c73a084ee3614172f97a3738d9184587096df59069698eb55d5b

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Network\TransportSecurity

Filesize
1KB

MD5
64ddc84694139db8be54ddb1661415db

SHA1
21d565ca96fe4a9b4dfd3f56d61875b0b51e99cd

SHA256
e1262642b821c91e9ce9af4ab5d57e6679d5075e7fe5c17df86649a18241e954

SHA512
b3e28e2c199279dc338e2beb59000471711a21dbfca7f14e8f2a847828797b1578bb926f417e5de740741392fa0498524a295c6c370fd0b9d16816548b659219

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Session Storage\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Session Storage\000003.log

Filesize
934B

MD5
642bda38bdaa91e4da4e1b2c93077cfe

SHA1
5ca11b135543de1a8e68d9fb00c99754511e819a

SHA256
1a8804701cdab32e8919fcf458c365edccccbf61759d0359e04addcc91fbeb58

SHA512
85dd951a9528589c481f1efa9dce2359443b040a22f0fcec185383cd0e431629f31ad59c95bdd28da1f5e8e6edcc641c5b22648ea952b5fab3e027b8ea3f4b5d

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Session Storage\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\Session Storage\LOG

Filesize
161B

MD5
3700844ef99bf324397a8f1c5a3096e3

SHA1
f7d9cd1a77991d17ea8bb02c2f99bf2951a68f8f

SHA256
1a8848627fa4fb1559a07a85136682a2d470ddd55af4336efdfdd7f8da11ddc8

SHA512
dff4e2d855475bd39dd5cfc4c08dd86c7e8bdb1bb2c621c14fecb9b9a8bcb42ddcd4f25764f447c0fd6a38ebcf80b6fee13c30b0268681c3645bf8c95ec76ea0

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\config.ini

Filesize
81B

MD5
49ddf584bd694318aea36447c3d2fe93

SHA1
625be0ea2b85482c11b53c2d1ac6700ad88e9494

SHA256
3edb1612122991ef2123d8fb824c8421e96caf048806dba652b8c2653f00307b

SHA512
35349413796be1686b389609b2c8b1d9823325df598b8438db10fdb9ba18e49b50f34f8797b4a2ef87426ebc62214ecab29bedfb66759a8dcb370d2eb3151d12

Download Submit
C:\Users\Admin\AppData\Roaming\WeBuff\logs\client.log._2024-08-19

Filesize
147KB

MD5
7727d65c8c704c5f2ce2698ad5822ad3

SHA1
27439efb2e8392cd6afb4095c4ff549a5d82398c

SHA256
ee4aab2a0515fa20b25d36fc645415c0e0a23af24f24fadd1dd342c666b7355d

SHA512
cc0973f6b038a18d16c01494a2c051ce834fb4fd2c5f53ad4555b9a5e8d20fd05d2034ee6fe1a786a066dd1631066a0cc034c61780cbfc7232913f27fcc13722

Download Submit
C:\Users\Admin\AppData\Roaming\Webuff\Logs\WeBuffCore_2024-08-19.log

Filesize
329B

MD5
2ccc7bbfbb0123da420d3ee5af097f6a

SHA1
f8583b91ca494665482d69837add980fc0a21aef

SHA256
44e38306233818eb4129ad0c80600dfda0a630123f344c6af769e2ab8db13e3a

SHA512
7432709ab57bf7fac09f0733612d148d36f00c377360925b91200d1e78af367a7b291a9a50519ac696bf135e1b89a75eaf2d4e49d07f9c3b0244bcfe04c3f992

Download Submit
C:\Users\Admin\AppData\Roaming\Webuff\config.ini

Filesize
79B

MD5
ffec23faae39401594795b37c3417268

SHA1
b72483934e47beaaff85e72688ea3b820febb65e

SHA256
8ee58d651120ee99cb7a6a6ca2847c960f334a047b77226fda72973f2a543cb1

SHA512
c0df84de897d9d4e9503cea4e6d441668d75df35873112b8daadce1fc1ebd21be262ad410fe74121071bb1898f2c78675555bc737dbcef6cde67229e330a3d00

Download Submit
memory/620-375-0x0000000076D20000-0x0000000076D21000-memory.dmp

Filesize
4KB

Download
memory/1280-33-0x0000000076D20000-0x0000000076D21000-memory.dmp

Filesize
4KB

Download
memory/1280-3-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1700-126-0x000000001B4B0000-0x000000001B792000-memory.dmp

Filesize
2.9MB

Download
memory/1700-127-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2576-466-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2576-464-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download