rhadamanthys | hxxps://vdeokompany[.]com/Installer[.]exe

Analysis

max time kernel
719s
max time network
769s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
02-07-2024 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vdeokompany.com/Installer.exe

Score

10^/10

rhadamanthys execution stealer

Malware Config

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

Processes:

BitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exe

description	pid	process	target process
PID 2668 created 2572	2668	BitLockerToGo.exe	sihost.exe
PID 4264 created 2572	4264	BitLockerToGo.exe	sihost.exe
PID 2180 created 2572	2180	BitLockerToGo.exe	sihost.exe
PID 3660 created 2572	3660	BitLockerToGo.exe	sihost.exe
PID 4384 created 2572	4384	BitLockerToGo.exe	sihost.exe
PID 3156 created 2572	3156	BitLockerToGo.exe	sihost.exe
PID 1604 created 2572	1604	BitLockerToGo.exe	sihost.exe
PID 2668 created 2572	2668	BitLockerToGo.exe	sihost.exe
PID 2256 created 2572	2256	BitLockerToGo.exe	sihost.exe
PID 3716 created 2572	3716	BitLockerToGo.exe	sihost.exe
PID 4372 created 2572	4372	BitLockerToGo.exe	sihost.exe
PID 4264 created 2572	4264	BitLockerToGo.exe	sihost.exe
PID 5060 created 2572	5060	BitLockerToGo.exe	sihost.exe
PID 4360 created 2572	4360	BitLockerToGo.exe	sihost.exe
PID 2460 created 2572	2460	BitLockerToGo.exe	sihost.exe
PID 3532 created 2572	3532	BitLockerToGo.exe	sihost.exe
PID 3940 created 2572	3940	BitLockerToGo.exe	sihost.exe
PID 4764 created 2572	4764	BitLockerToGo.exe	sihost.exe
PID 4344 created 2572	4344	BitLockerToGo.exe	sihost.exe
PID 1340 created 2572	1340	BitLockerToGo.exe	sihost.exe
PID 4656 created 2572	4656	BitLockerToGo.exe	sihost.exe
PID 744 created 2572	744	BitLockerToGo.exe	sihost.exe
PID 4544 created 2572	4544	BitLockerToGo.exe	sihost.exe
PID 4736 created 2572	4736	BitLockerToGo.exe	sihost.exe
PID 2700 created 2572	2700	BitLockerToGo.exe	sihost.exe
PID 820 created 2572	820	BitLockerToGo.exe	sihost.exe
PID 2148 created 2572	2148	BitLockerToGo.exe	sihost.exe
PID 5096 created 2572	5096	BitLockerToGo.exe	sihost.exe
PID 2384 created 2572	2384	BitLockerToGo.exe	sihost.exe
PID 1120 created 2572	1120	BitLockerToGo.exe	sihost.exe
PID 1908 created 2572	1908	BitLockerToGo.exe	sihost.exe
PID 4564 created 2572	4564	BitLockerToGo.exe	sihost.exe
PID 2792 created 2572	2792	BitLockerToGo.exe	sihost.exe
PID 3156 created 2572	3156	BitLockerToGo.exe	sihost.exe
PID 1988 created 2572	1988	BitLockerToGo.exe	sihost.exe
PID 2952 created 2572	2952	BitLockerToGo.exe	sihost.exe
PID 3144 created 2572	3144	BitLockerToGo.exe	sihost.exe
PID 4444 created 2572	4444	BitLockerToGo.exe	sihost.exe
PID 4164 created 2572	4164	BitLockerToGo.exe	sihost.exe
PID 3656 created 2572	3656	BitLockerToGo.exe	sihost.exe
PID 900 created 2572	900	BitLockerToGo.exe	sihost.exe
PID 4448 created 2572	4448	BitLockerToGo.exe	sihost.exe
PID 3268 created 2572	3268	BitLockerToGo.exe	sihost.exe
PID 4836 created 2572	4836	BitLockerToGo.exe	sihost.exe
PID 4368 created 2572	4368	BitLockerToGo.exe	sihost.exe
PID 2220 created 2572	2220	BitLockerToGo.exe	sihost.exe
PID 3744 created 2572	3744	BitLockerToGo.exe	sihost.exe
PID 3856 created 2572	3856	BitLockerToGo.exe	sihost.exe
PID 4148 created 2572	4148	BitLockerToGo.exe	sihost.exe
PID 1840 created 2572	1840	BitLockerToGo.exe	sihost.exe
PID 1144 created 2572	1144	BitLockerToGo.exe	sihost.exe
PID 3108 created 2572	3108	BitLockerToGo.exe	sihost.exe
PID 4168 created 2572	4168	BitLockerToGo.exe	sihost.exe
PID 1872 created 2572	1872	BitLockerToGo.exe	sihost.exe
PID 5116 created 2572	5116	BitLockerToGo.exe	sihost.exe
PID 1416 created 2572	1416	BitLockerToGo.exe	sihost.exe
PID 400 created 2572	400	BitLockerToGo.exe	sihost.exe
PID 2304 created 2572	2304	BitLockerToGo.exe	sihost.exe
PID 3624 created 2572	3624	BitLockerToGo.exe	sihost.exe
PID 4856 created 2572	4856	BitLockerToGo.exe	sihost.exe
PID 3660 created 2572	3660	BitLockerToGo.exe	sihost.exe
PID 3788 created 2572	3788	BitLockerToGo.exe	sihost.exe
PID 3520 created 2572	3520	BitLockerToGo.exe	sihost.exe
PID 4684 created 2572	4684	BitLockerToGo.exe	sihost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2376 powershell.exe
Downloads MZ/PE file

pid	process
2376	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

Installer.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exe

pid	process
1104	Installer.exe
4488	update1404.exe
4560	update1404.exe
4204	update1404.exe
3732	update1404.exe
4176	update1404.exe
4696	update1404.exe
4364	update1404.exe
4836	update1404.exe
3532	update1404.exe
5068	update1404.exe
4580	update1404.exe
4760	update1404.exe
1404	update1404.exe
4508	update1404.exe
1884	update1404.exe
4152	update1404.exe
4768	update1404.exe
1056	update1404.exe
4760	update1404.exe
4572	update1404.exe
344	update1404.exe
1548	update1404.exe
4636	update1404.exe
2796	update1404.exe
2356	update1404.exe
2216	update1404.exe
2956	update1404.exe
4748	update1404.exe
4464	update1404.exe
2608	update1404.exe
2904	update1404.exe
532	update1404.exe
3048	update1404.exe
1080	update1404.exe
4004	update1404.exe
4160	update1404.exe
2008	update1404.exe
4036	update1404.exe
4792	update1404.exe
3732	update1404.exe
3940	update1404.exe
2812	update1404.exe
1980	update1404.exe
4024	update1404.exe
2272	update1404.exe
4632	update1404.exe
3528	update1404.exe
4576	update1404.exe
1052	update1404.exe
4564	update1404.exe
4372	update1404.exe
4292	update1404.exe
724	update1404.exe
4524	update1404.exe
2248	update1404.exe
3768	update1404.exe
440	update1404.exe
4560	update1404.exe
2804	update1404.exe
4696	update1404.exe
2556	update1404.exe
2472	update1404.exe
4076	update1404.exe

Loads dropped DLL 3 IoCs

Processes:

Installer.exe

pid process

1104 Installer.exe
1104 Installer.exe
1104 Installer.exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

update1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exeupdate1404.exe

description	pid	process	target process
PID 4560 set thread context of 2668	4560	update1404.exe	BitLockerToGo.exe
PID 4488 set thread context of 4264	4488	update1404.exe	WerFault.exe
PID 4204 set thread context of 2180	4204	update1404.exe	WerFault.exe
PID 3732 set thread context of 3660	3732	update1404.exe	BitLockerToGo.exe
PID 4176 set thread context of 4384	4176	update1404.exe	BitLockerToGo.exe
PID 4696 set thread context of 3156	4696	update1404.exe	BitLockerToGo.exe
PID 4364 set thread context of 1604	4364	update1404.exe	BitLockerToGo.exe
PID 4836 set thread context of 2668	4836	update1404.exe	BitLockerToGo.exe
PID 3532 set thread context of 2256	3532	update1404.exe	BitLockerToGo.exe
PID 5068 set thread context of 3716	5068	update1404.exe	WerFault.exe
PID 4580 set thread context of 4372	4580	update1404.exe	update1404.exe
PID 1404 set thread context of 4264	1404	update1404.exe	WerFault.exe
PID 4760 set thread context of 5060	4760	update1404.exe	BitLockerToGo.exe
PID 4508 set thread context of 4360	4508	update1404.exe	BitLockerToGo.exe
PID 1884 set thread context of 2460	1884	update1404.exe	BitLockerToGo.exe
PID 4152 set thread context of 3532	4152	update1404.exe	openwith.exe
PID 4768 set thread context of 3940	4768	update1404.exe	update1404.exe
PID 1056 set thread context of 4764	1056	update1404.exe	BitLockerToGo.exe
PID 4760 set thread context of 4344	4760	update1404.exe	BitLockerToGo.exe
PID 4572 set thread context of 1340	4572	update1404.exe	BitLockerToGo.exe
PID 344 set thread context of 4656	344	update1404.exe	WerFault.exe
PID 1548 set thread context of 744	1548	update1404.exe	BitLockerToGo.exe
PID 4636 set thread context of 4880	4636	update1404.exe	WerFault.exe
PID 2796 set thread context of 4544	2796	update1404.exe	BitLockerToGo.exe
PID 2356 set thread context of 4736	2356	update1404.exe	BitLockerToGo.exe
PID 2956 set thread context of 2700	2956	update1404.exe	WerFault.exe
PID 2216 set thread context of 820	2216	update1404.exe	BitLockerToGo.exe
PID 4464 set thread context of 2148	4464	update1404.exe	openwith.exe
PID 4748 set thread context of 3004	4748	update1404.exe	BitLockerToGo.exe
PID 2608 set thread context of 5096	2608	update1404.exe	BitLockerToGo.exe
PID 532 set thread context of 2384	532	update1404.exe	WerFault.exe
PID 2904 set thread context of 3744	2904	update1404.exe	BitLockerToGo.exe
PID 3048 set thread context of 1120	3048	update1404.exe	BitLockerToGo.exe
PID 1080 set thread context of 1908	1080	update1404.exe	BitLockerToGo.exe
PID 4004 set thread context of 4564	4004	update1404.exe	update1404.exe
PID 4160 set thread context of 2792	4160	update1404.exe	BitLockerToGo.exe
PID 2008 set thread context of 2700	2008	update1404.exe	WerFault.exe
PID 4036 set thread context of 3156	4036	update1404.exe	BitLockerToGo.exe
PID 4792 set thread context of 1988	4792	update1404.exe	openwith.exe
PID 3940 set thread context of 2952	3940	update1404.exe	openwith.exe
PID 3732 set thread context of 3144	3732	update1404.exe	BitLockerToGo.exe
PID 2812 set thread context of 4444	2812	update1404.exe	BitLockerToGo.exe
PID 1980 set thread context of 4164	1980	update1404.exe	BitLockerToGo.exe
PID 4024 set thread context of 4188	4024	update1404.exe	BitLockerToGo.exe
PID 2272 set thread context of 3656	2272	update1404.exe	BitLockerToGo.exe
PID 4632 set thread context of 900	4632	update1404.exe	BitLockerToGo.exe
PID 3528 set thread context of 4448	3528	update1404.exe	BitLockerToGo.exe
PID 4576 set thread context of 3268	4576	update1404.exe	BitLockerToGo.exe
PID 1052 set thread context of 4836	1052	update1404.exe	BitLockerToGo.exe
PID 4292 set thread context of 4368	4292	update1404.exe	BitLockerToGo.exe
PID 4564 set thread context of 2220	4564	update1404.exe	BitLockerToGo.exe
PID 4372 set thread context of 3744	4372	update1404.exe	BitLockerToGo.exe
PID 724 set thread context of 3856	724	update1404.exe	WerFault.exe
PID 4524 set thread context of 4148	4524	update1404.exe	openwith.exe
PID 2248 set thread context of 1840	2248	update1404.exe	BitLockerToGo.exe
PID 3768 set thread context of 1144	3768	update1404.exe	update1404.exe
PID 440 set thread context of 3108	440	update1404.exe	BitLockerToGo.exe
PID 4560 set thread context of 4168	4560	update1404.exe	BitLockerToGo.exe
PID 2804 set thread context of 1928	2804	update1404.exe	WerFault.exe
PID 4696 set thread context of 1872	4696	update1404.exe	BitLockerToGo.exe
PID 2556 set thread context of 5116	2556	update1404.exe	BitLockerToGo.exe
PID 2472 set thread context of 1416	2472	update1404.exe	BitLockerToGo.exe
PID 4076 set thread context of 400	4076	update1404.exe	update1404.exe
PID 472 set thread context of 2304	472	update1404.exe	BitLockerToGo.exe

Drops file in Program Files directory 3 IoCs

Processes:

Installer.exe

description	ioc	process
File created	C:\Program Files\launcher289\update1404.zip	Installer.exe
File created	C:\Program Files\launcher289\update1404.exe	Installer.exe
File opened for modification	C:\Program Files\launcher289\update1404.exe	Installer.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1108	2668	WerFault.exe	BitLockerToGo.exe
208	2668	WerFault.exe	BitLockerToGo.exe
1388	4264	WerFault.exe	BitLockerToGo.exe
2964	4264	WerFault.exe	BitLockerToGo.exe
2376	2180	WerFault.exe	BitLockerToGo.exe
4708	2180	WerFault.exe	BitLockerToGo.exe
2224	3660	WerFault.exe	BitLockerToGo.exe
4484	3660	WerFault.exe	BitLockerToGo.exe
876	4384	WerFault.exe	BitLockerToGo.exe
4672	4384	WerFault.exe	BitLockerToGo.exe
2180	3156	WerFault.exe	BitLockerToGo.exe
1772	3156	WerFault.exe	BitLockerToGo.exe
4160	1604	WerFault.exe	BitLockerToGo.exe
4708	1604	WerFault.exe	BitLockerToGo.exe
4464	2668	WerFault.exe	BitLockerToGo.exe
2384	2668	WerFault.exe	BitLockerToGo.exe
3536	2256	WerFault.exe	BitLockerToGo.exe
680	3716	WerFault.exe	BitLockerToGo.exe
344	2256	WerFault.exe	BitLockerToGo.exe
2272	3716	WerFault.exe	BitLockerToGo.exe
4876	4372	WerFault.exe	BitLockerToGo.exe
2460	4372	WerFault.exe	BitLockerToGo.exe
3540	4264	WerFault.exe	BitLockerToGo.exe
344	4264	WerFault.exe	BitLockerToGo.exe
1020	5060	WerFault.exe	BitLockerToGo.exe
3788	5060	WerFault.exe	BitLockerToGo.exe
5096	4360	WerFault.exe	BitLockerToGo.exe
2964	4360	WerFault.exe	BitLockerToGo.exe
4880	2460	WerFault.exe	BitLockerToGo.exe
3696	2460	WerFault.exe	BitLockerToGo.exe
4888	3532	WerFault.exe	BitLockerToGo.exe
3916	3532	WerFault.exe	BitLockerToGo.exe
1796	3940	WerFault.exe	BitLockerToGo.exe
2964	3940	WerFault.exe	BitLockerToGo.exe
3088	4764	WerFault.exe	BitLockerToGo.exe
852	4764	WerFault.exe	BitLockerToGo.exe
4328	4344	WerFault.exe	BitLockerToGo.exe
1148	4344	WerFault.exe	BitLockerToGo.exe
3380	1340	WerFault.exe	BitLockerToGo.exe
3428	1340	WerFault.exe	BitLockerToGo.exe
2964	4656	WerFault.exe	BitLockerToGo.exe
4484	4656	WerFault.exe	BitLockerToGo.exe
4560	744	WerFault.exe	BitLockerToGo.exe
2268	744	WerFault.exe	BitLockerToGo.exe
4836	4880	WerFault.exe	BitLockerToGo.exe
4912	4880	WerFault.exe	BitLockerToGo.exe
1444	4544	WerFault.exe	BitLockerToGo.exe
4028	4544	WerFault.exe	BitLockerToGo.exe
3604	4736	WerFault.exe	BitLockerToGo.exe
2364	4736	WerFault.exe	BitLockerToGo.exe
2792	2700	WerFault.exe	BitLockerToGo.exe
4188	2700	WerFault.exe	BitLockerToGo.exe
4880	820	WerFault.exe	BitLockerToGo.exe
724	820	WerFault.exe	BitLockerToGo.exe
3500	2148	WerFault.exe	BitLockerToGo.exe
3576	2148	WerFault.exe	BitLockerToGo.exe
3544	3004	WerFault.exe	BitLockerToGo.exe
4564	3004	WerFault.exe	BitLockerToGo.exe
272	5096	WerFault.exe	BitLockerToGo.exe
2196	5096	WerFault.exe	BitLockerToGo.exe
4068	2384	WerFault.exe	BitLockerToGo.exe
3532	2384	WerFault.exe	BitLockerToGo.exe
2076	3744	WerFault.exe	BitLockerToGo.exe
3696	1120	WerFault.exe	BitLockerToGo.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133644029552547342"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exepowershell.exeInstaller.exeBitLockerToGo.exeopenwith.exeBitLockerToGo.exeopenwith.exeBitLockerToGo.exeopenwith.exeBitLockerToGo.exeopenwith.exeBitLockerToGo.exeopenwith.exeBitLockerToGo.exeopenwith.exeBitLockerToGo.exeopenwith.exe

pid	process
5084	chrome.exe
5084	chrome.exe
2376	powershell.exe
2376	powershell.exe
2376	powershell.exe
1104	Installer.exe
1104	Installer.exe
1104	Installer.exe
1104	Installer.exe
5084	chrome.exe
5084	chrome.exe
1104	Installer.exe
1104	Installer.exe
1104	Installer.exe
2668	BitLockerToGo.exe
2668	BitLockerToGo.exe
640	openwith.exe
640	openwith.exe
640	openwith.exe
640	openwith.exe
1104	Installer.exe
4264	BitLockerToGo.exe
4264	BitLockerToGo.exe
1548	openwith.exe
1548	openwith.exe
1548	openwith.exe
1548	openwith.exe
1104	Installer.exe
1104	Installer.exe
2180	BitLockerToGo.exe
2180	BitLockerToGo.exe
1772	openwith.exe
1772	openwith.exe
1772	openwith.exe
1772	openwith.exe
1104	Installer.exe
3660	BitLockerToGo.exe
3660	BitLockerToGo.exe
4444	openwith.exe
4444	openwith.exe
4444	openwith.exe
4444	openwith.exe
1104	Installer.exe
4384	BitLockerToGo.exe
4384	BitLockerToGo.exe
1840	openwith.exe
1840	openwith.exe
1840	openwith.exe
1840	openwith.exe
3156	BitLockerToGo.exe
3156	BitLockerToGo.exe
1104	Installer.exe
4708	openwith.exe
4708	openwith.exe
4708	openwith.exe
4708	openwith.exe
1104	Installer.exe
1104	Installer.exe
1104	Installer.exe
1604	BitLockerToGo.exe
1604	BitLockerToGo.exe
3284	openwith.exe
3284	openwith.exe
3284	openwith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5084 chrome.exe
5084 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeInstaller.exe

description	pid	process
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeDebugPrivilege	1104	Installer.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe
Token: SeCreatePagefilePrivilege	5084	chrome.exe
Token: SeShutdownPrivilege	5084	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe
5084	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Installer.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exeBitLockerToGo.exe

pid	process
1104	Installer.exe
2668	BitLockerToGo.exe
4264	BitLockerToGo.exe
2180	BitLockerToGo.exe
3660	BitLockerToGo.exe
4384	BitLockerToGo.exe
3156	BitLockerToGo.exe
1604	BitLockerToGo.exe
2668	BitLockerToGo.exe
2256	BitLockerToGo.exe
3716	BitLockerToGo.exe
4372	BitLockerToGo.exe
4264	BitLockerToGo.exe
5060	BitLockerToGo.exe
4360	BitLockerToGo.exe
2460	BitLockerToGo.exe
3532	BitLockerToGo.exe
3940	BitLockerToGo.exe
4764	BitLockerToGo.exe
4344	BitLockerToGo.exe
1340	BitLockerToGo.exe
4656	BitLockerToGo.exe
744	BitLockerToGo.exe
4880	BitLockerToGo.exe
4544	BitLockerToGo.exe
4736	BitLockerToGo.exe
2700	BitLockerToGo.exe
820	BitLockerToGo.exe
2148	BitLockerToGo.exe
3004	BitLockerToGo.exe
5096	BitLockerToGo.exe
2384	BitLockerToGo.exe
3744	BitLockerToGo.exe
1120	BitLockerToGo.exe
1908	BitLockerToGo.exe
4564	BitLockerToGo.exe
2792	BitLockerToGo.exe
2700	BitLockerToGo.exe
3156	BitLockerToGo.exe
1988	BitLockerToGo.exe
2952	BitLockerToGo.exe
3144	BitLockerToGo.exe
4444	BitLockerToGo.exe
4164	BitLockerToGo.exe
4188	BitLockerToGo.exe
3656	BitLockerToGo.exe
900	BitLockerToGo.exe
4448	BitLockerToGo.exe
3268	BitLockerToGo.exe
4836	BitLockerToGo.exe
4368	BitLockerToGo.exe
2220	BitLockerToGo.exe
3744	BitLockerToGo.exe
3856	BitLockerToGo.exe
4148	BitLockerToGo.exe
1840	BitLockerToGo.exe
1144	BitLockerToGo.exe
3108	BitLockerToGo.exe
4168	BitLockerToGo.exe
1928	BitLockerToGo.exe
1872	BitLockerToGo.exe
5116	BitLockerToGo.exe
1416	BitLockerToGo.exe
400	BitLockerToGo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5084 wrote to memory of 4040	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 4040	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 96	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 164	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 164	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe
PID 5084 wrote to memory of 248	5084	chrome.exe	chrome.exe

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2572

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:640

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4708

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3520

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:220

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4852

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1056

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4564

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3156

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2792

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2364

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1408

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2996

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:380

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3624

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2296

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2876

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3428

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4372

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4912

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4012

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2172

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2220

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1460

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4888

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1884

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2288

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1116

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5056

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3520

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4448

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:440

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3080

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2148

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4168

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2236

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3616

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1444

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3532

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4956

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5040

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1988

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2952

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:216

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4028

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4148

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4648

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3628

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4672

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4312

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1772

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3096

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3152

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2952

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5040

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3080

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3520

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4660

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4656

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3816

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3016

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1912

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2268

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4264

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3564

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3168

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3296

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:572

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1840

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4580

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1432

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:448

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4472

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3744

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3696

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3080

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5108

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:744

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5364

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5488

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5840

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6060

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4148

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5556

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5748

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5936

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2456

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5472

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5776

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5896

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6092

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5756

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5456

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5548

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5852

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5684

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6072

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4188

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6100

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5984

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5708

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4460

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5200

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5716

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5440

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3660

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5228

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6104

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6004

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4164

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5452

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1964

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5780

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5452

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5756

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5316

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5844

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6080

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5912

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5600

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6076

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5708

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5212

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4580

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5364

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2456

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5660

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5872

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5556

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1108

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4056

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:220

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:1644

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6112

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5500

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5500

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5472

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5260

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4356

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:824

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5736

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5944

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3016

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5404

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5588

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4464

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5536

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3084

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2236

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:2952

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5564

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5692

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4660

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4136

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6104

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5512

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4700

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3912

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5304

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5468

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5532

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:6116

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5772

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3584

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4796

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3912

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:3604

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5340

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:5604

C:\Windows\SysWOW64\openwith.exe
"C:\Windows\system32\openwith.exe"
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://vdeokompany.com/Installer.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa0b0a9758,0x7ffa0b0a9768,0x7ffa0b0a9778
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1528 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:2
2⤵
PID:96

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1752 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:1
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:1
2⤵
PID:4840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5116 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:4748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5176 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:2384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:3288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5436 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:3640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:4552

C:\Users\Admin\Downloads\Installer.exe
"C:\Users\Admin\Downloads\Installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:/'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4488

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 568
5⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 516
5⤵
- Program crash
PID:2964

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4560

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 548
5⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 528
5⤵
- Program crash
PID:208

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4204

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 524
5⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 548
5⤵
- Program crash
PID:4708

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3732

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 540
5⤵
- Program crash
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 524
5⤵
- Program crash
PID:4484

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4176

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 540
5⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 524
5⤵
- Program crash
PID:4672

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4696

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 540
5⤵
- Program crash
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 480
5⤵
- Program crash
PID:1772

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4364

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 540
5⤵
- Program crash
PID:4160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 524
5⤵
- Program crash
PID:4708

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4836

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 540
5⤵
- Program crash
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 524
5⤵
- Program crash
PID:2384

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3532

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 540
5⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 492
5⤵
- Program crash
PID:344

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5068

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 540
5⤵
- Program crash
PID:680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 524
5⤵
- Program crash
PID:2272

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4580

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 540
5⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 492
5⤵
- Program crash
PID:2460

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4760

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 540
5⤵
- Program crash
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 524
5⤵
- Program crash
PID:3788

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1404

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 540
5⤵
- Program crash
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 564
5⤵
- Program crash
PID:344

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4508

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 548
5⤵
- Program crash
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 532
5⤵
- Program crash
PID:2964

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1884

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 540
5⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 524
5⤵
- Program crash
PID:3696

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4152

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 540
5⤵
- Program crash
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3532 -s 564
5⤵
- Program crash
PID:3916

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4768

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 540
5⤵
- Program crash
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 492
5⤵
- Program crash
PID:2964

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1056

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 540
5⤵
- Program crash
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 216
5⤵
- Program crash
PID:852

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4760

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 540
5⤵
- Program crash
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 524
5⤵
- Program crash
PID:1148

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4572

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 540
5⤵
- Program crash
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 524
5⤵
- Program crash
PID:3428

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:344

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 540
5⤵
- Program crash
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 524
5⤵
- Program crash
PID:4484

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1548

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 540
5⤵
- Program crash
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 524
5⤵
- Program crash
PID:2268

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4636

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 508
5⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 500
5⤵
- Program crash
PID:4912

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2796

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 540
5⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 524
5⤵
- Program crash
PID:4028

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2356

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 540
5⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 564
5⤵
- Program crash
PID:2364

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2216

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 540
5⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 524
5⤵
- Program crash
PID:724

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2956

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 540
5⤵
- Program crash
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 560
5⤵
- Program crash
PID:4188

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4748

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 508
5⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 500
5⤵
- Program crash
PID:4564

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4464

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 540
5⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 524
5⤵
- Program crash
PID:3576

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2608

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 540
5⤵
- Program crash
PID:272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 524
5⤵
- Program crash
PID:2196

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2904

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 480
5⤵
- Program crash
PID:2076

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:532

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 564
5⤵
- Program crash
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 556
5⤵
- Program crash
PID:3532

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3048

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 540
5⤵
- Program crash
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 524
5⤵
PID:2376

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1080

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 540
5⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 524
5⤵
PID:3108

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4004

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 540
5⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 524
5⤵
PID:640

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4160

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 540
5⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 524
5⤵
PID:4908

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2008

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 504
5⤵
PID:3168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 496
5⤵
PID:2220

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4036

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 540
5⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 220
5⤵
PID:4264

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4792

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 540
5⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 524
5⤵
PID:1968

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3732

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 540
5⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 524
5⤵
PID:60

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3940

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 540
5⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 524
5⤵
PID:1964

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2812

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 564
5⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 584
5⤵
PID:2220

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1980

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 540
5⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 524
5⤵
PID:1020

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4024

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 504
5⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 520
5⤵
PID:4672

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2272

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 544
5⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 528
5⤵
PID:2364

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4632

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 544
5⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 528
5⤵
PID:2220

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3528

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 512
5⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 528
5⤵
PID:2296

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4576

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 540
5⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 524
5⤵
PID:2768

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1052

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 544
5⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 528
5⤵
PID:1560

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4564

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 540
5⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 524
5⤵
PID:3976

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4372

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 540
5⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 524
5⤵
PID:4012

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4292

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 544
5⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 528
5⤵
PID:3716

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:724

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 540
5⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 560
5⤵
PID:4628

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4524

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 540
5⤵
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 524
5⤵
PID:3052

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2248

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 540
5⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 524
5⤵
PID:272

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3768

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 540
5⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 524
5⤵
PID:3892

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:440

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 540
5⤵
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 524
5⤵
PID:1048

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4560

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 564
5⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 556
5⤵
PID:3856

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2804

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of SetWindowsHookEx
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 508
5⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 500
5⤵
PID:3628

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4696

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 540
5⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 524
5⤵
PID:216

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2556

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 540
5⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 496
5⤵
PID:3692

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2472

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 540
5⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 564
5⤵
PID:4028

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4076

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 540
5⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 560
5⤵
PID:4476

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
- Suspicious use of SetThreadContext
PID:472

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 540
5⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 524
5⤵
PID:2800

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3616

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 540
5⤵
PID:2152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 524
5⤵
PID:4880

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:876

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 540
5⤵
PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 524
5⤵
PID:3412

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2036

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 504
5⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 496
5⤵
PID:2172

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4860

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 540
5⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 524
5⤵
PID:4724

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2076

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 544
5⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 528
5⤵
PID:816

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4136

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 540
5⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 524
5⤵
PID:3696

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2720

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 540
5⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4684 -s 524
5⤵
PID:4056

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:60

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 504
5⤵
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 496
5⤵
PID:1644

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2596

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 540
5⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 524
5⤵
PID:2148

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4476

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 504
5⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 496
5⤵
PID:1756

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1144

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 540
5⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 564
5⤵
PID:4648

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2280

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 544
5⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 528
5⤵
PID:1764

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1120

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 540
5⤵
PID:4712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 492
5⤵
PID:3744

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5056

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 544
5⤵
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 528
5⤵
PID:3744

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:412

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 540
5⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 524
5⤵
PID:4068

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2244

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 548
5⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 532
5⤵
PID:468

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2296

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 528
5⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 548
5⤵
PID:3660

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:400

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 540
5⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 220 -s 524
5⤵
PID:2440

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4544

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 504
5⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 496
5⤵
PID:4484

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1720

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 564
5⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 556
5⤵
PID:1644

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4176

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 548
5⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4700 -s 532
5⤵
PID:4484

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4764

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 540
5⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 524
5⤵
PID:3276

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3408

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 540
5⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 524
5⤵
PID:4724

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3624

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 540
5⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 524
5⤵
PID:4360

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4784

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 540
5⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 524
5⤵
PID:2768

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1448

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 540
5⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 524
5⤵
PID:1432

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2832

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 540
5⤵
PID:468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 524
5⤵
PID:4740

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4344

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 564
5⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 556
5⤵
PID:464

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4672

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 540
5⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 524
5⤵
PID:4028

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4264

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 504
5⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 496
5⤵
PID:1644

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1340

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 540
5⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 524
5⤵
PID:4732

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3736

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 504
5⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 520
5⤵
PID:4164

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4888

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 540
5⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 524
5⤵
PID:3016

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3740

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 540
5⤵
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 524
5⤵
PID:5136

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:572

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 540
5⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5304 -s 560
5⤵
PID:5536

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3152

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 544
5⤵
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5268 -s 492
5⤵
PID:5420

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1772

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 544
5⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 492
5⤵
PID:5896

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2148

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 504
5⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 496
5⤵
PID:5964

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3080

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 540
5⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 560
5⤵
PID:6108

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4916

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 540
5⤵
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 564
5⤵
PID:5348

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1912

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 544
5⤵
PID:5316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 528
5⤵
PID:5588

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3720

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 540
5⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 492
5⤵
PID:5832

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5208

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 540
5⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 500
5⤵
PID:5696

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5580

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 540
5⤵
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 216
5⤵
PID:1928

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5720

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 540
5⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 564
5⤵
PID:3096

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5980

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 556
5⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 572
5⤵
PID:5848

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5144

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 564
5⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 556
5⤵
PID:2680

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5264

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 540
5⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 524
5⤵
PID:5604

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5420

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 540
5⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5224 -s 560
5⤵
PID:5560

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5656

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 540
5⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 496
5⤵
PID:5788

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5904

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 540
5⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 524
5⤵
PID:4188

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6056

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 540
5⤵
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 524
5⤵
PID:5168

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5148

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 504
5⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 476
5⤵
PID:5364

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4148

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 540
5⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 564
5⤵
PID:5452

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5380

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 540
5⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5764 -s 564
5⤵
PID:1108

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5480

C:\Windows\Boot\PCAT\memtest.exe
C:\Windows\Boot\PCAT\memtest.exe
4⤵
PID:5748

C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe
C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B744CAF070E41400\15.7.20033\AcroRd32.exe
4⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 728
5⤵
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 752
5⤵
PID:5544

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4472

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 540
5⤵
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 564
5⤵
PID:1092

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5696

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 540
5⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 560
5⤵
PID:5364

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5612

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 540
5⤵
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5528 -s 524
5⤵
PID:1092

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5128

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 540
5⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 560
5⤵
PID:5832

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5356

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 540
5⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 560
5⤵
PID:3744

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5464

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 556
5⤵
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5972 -s 548
5⤵
PID:1928

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5180

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 540
5⤵
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5568 -s 524
5⤵
PID:5484

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4412

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 504
5⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 496
5⤵
PID:5344

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3816

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 540
5⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 524
5⤵
PID:5584

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5388

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 540
5⤵
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 524
5⤵
PID:5804

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3412

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 504
5⤵
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5160 -s 496
5⤵
PID:5344

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6084

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 540
5⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 524
5⤵
PID:5336

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5252

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 548
5⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 528
5⤵
PID:5988

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4188

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 504
5⤵
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 524
5⤵
PID:5344

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5360

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 564
5⤵
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 556
5⤵
PID:1964

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5496

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 544
5⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 528
5⤵
PID:5336

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5588

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 540
5⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 524
5⤵
PID:4628

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6008

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 504
5⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 496
5⤵
PID:5236

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5124

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 540
5⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 524
5⤵
PID:6004

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5828

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 540
5⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5168 -s 524
5⤵
PID:5212

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5936

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 564
5⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 556
5⤵
PID:3564

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6124

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 540
5⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 524
5⤵
PID:5560

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4648

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 516
5⤵
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 564
5⤵
PID:5200

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4380

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 540
5⤵
PID:5296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5312 -s 524
5⤵
PID:5788

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5984

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 504
5⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 496
5⤵
PID:5140

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5260

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 540
5⤵
PID:5532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 492
5⤵
PID:5616

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5868

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 540
5⤵
PID:6088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 524
5⤵
PID:5140

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5584

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 508
5⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 480
5⤵
PID:1432

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5652

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 572
5⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 580
5⤵
PID:468

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5924

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 540
5⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 564
5⤵
PID:1288

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4628

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 532
5⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5592 -s 500
5⤵
PID:6016

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5412

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 540
5⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 524
5⤵
PID:5756

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6096

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 540
5⤵
PID:5940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 560
5⤵
PID:5372

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5328

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 544
5⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 528
5⤵
PID:5348

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6060

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 540
5⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 524
5⤵
PID:5164

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5900

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 544
5⤵
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5664 -s 528
5⤵
PID:1300

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5136

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 544
5⤵
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 528
5⤵
PID:220

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5780

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 544
5⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 528
5⤵
PID:3044

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5472

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 540
5⤵
PID:5268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5448 -s 492
5⤵
PID:5820

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5504

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 548
5⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 532
5⤵
PID:1444

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5908

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 540
5⤵
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 524
5⤵
PID:5812

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2220

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 544
5⤵
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 528
5⤵
PID:5368

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5384

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 532
5⤵
PID:5680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 520
5⤵
PID:5276

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5960

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 504
5⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 496
5⤵
PID:5748

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3716

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 540
5⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 524
5⤵
PID:5168

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5896

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 544
5⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5196 -s 568
5⤵
PID:1092

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5164

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 540
5⤵
PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 524
5⤵
PID:5984

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1648

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 540
5⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 524
5⤵
PID:4344

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6104

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 504
5⤵
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4648 -s 476
5⤵
PID:3940

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5796

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 564
5⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 556
5⤵
PID:60

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5596

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 504
5⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 476
5⤵
PID:1404

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2224

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 564
5⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4192 -s 556
5⤵
PID:4488

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5912

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 540
5⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 524
5⤵
PID:3892

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5168

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 540
5⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 524
5⤵
PID:5544

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5244

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 540
5⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 524
5⤵
PID:5684

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2556

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 540
5⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 524
5⤵
PID:5880

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:6056

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 540
5⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 524
5⤵
PID:2248

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:412

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 540
5⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5552 -s 524
5⤵
PID:5384

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4180

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 544
5⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 528
5⤵
PID:2684

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2096

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 564
5⤵
PID:1624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5600 -s 556
5⤵
PID:4452

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4836

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 540
5⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5580 -s 560
5⤵
PID:4204

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1560

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 540
5⤵
PID:3532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 492
5⤵
PID:2204

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3168

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 540
5⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 524
5⤵
PID:816

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1756

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 504
5⤵
PID:5724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 496
5⤵
PID:4360

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1288

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 540
5⤵
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 524
5⤵
PID:5680

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2800

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 540
5⤵
PID:5864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 524
5⤵
PID:4560

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1300

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 548
5⤵
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4036 -s 532
5⤵
PID:4768

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5124

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 544
5⤵
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5508 -s 528
5⤵
PID:2220

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5284

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 540
5⤵
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 524
5⤵
PID:2456

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5684

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 540
5⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 564
5⤵
PID:820

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5556

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 548
5⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 532
5⤵
PID:1896

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4632

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 540
5⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 560
5⤵
PID:5236

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2256

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 540
5⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 524
5⤵
PID:2700

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2296

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:6000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 544
5⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6000 -s 528
5⤵
PID:5276

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2684

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 540
5⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 524
5⤵
PID:5844

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:380

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 540
5⤵
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 564
5⤵
PID:4264

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1452

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 504
5⤵
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 524
5⤵
PID:2280

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5892

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 540
5⤵
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 524
5⤵
PID:6140

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5708

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 540
5⤵
PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 560
5⤵
PID:4152

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5324

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 540
5⤵
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 524
5⤵
PID:4024

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:3256

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 540
5⤵
PID:5784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 564
5⤵
PID:5368

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5108

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 540
5⤵
PID:5636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 492
5⤵
PID:5740

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2384

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 504
5⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 496
5⤵
PID:5516

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:2148

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 540
5⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 184
5⤵
PID:5676

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:4868

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
4⤵
PID:4888

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:1144

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5916

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5572

C:\Program Files\launcher289\update1404.exe
"C:\Program Files\launcher289\update1404.exe"
3⤵
PID:5648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:4776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:1648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:8
2⤵
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5328 --field-trial-handle=1868,i,3307613756573226076,9725157868803421408,131072 /prefetch:2
2⤵
PID:4792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\launcher289\update1404.exe
Filesize
29.7MB

MD5
aefc6e3e7690eb8da28d2ff2e7906616

SHA1
d7e4b8dd612bf191728b496ddd734a774bbf5f5a

SHA256
71dd1d74f8a4371f911adb5070ae88a4bd9a8eab00338147f021d97d40da784e

SHA512
be92d61950287f8d89ee1176d8f04a638ad207ecb0aceb44fa85d01f057c65d0365006770abf0200398969d9026d7969617fbd6c95c4fcff53ca77e81b72c0c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\5c6c5c02-638d-492b-b69f-2328336268e4.tmp
Filesize
150KB

MD5
0a6e82192afececd95366e8ba330cca9

SHA1
6b3f01d897d90bc45f53af2e28d6534057d8a0c8

SHA256
44b2eae064f583d1af62735e62333e21dd015d28736aacc15f6e3d0401cddc1a

SHA512
0f682ae881e399c77615096fc446f9f32ed2dcf8473376e274128947e2eee931275ee899eb6ea3830b1b2d1df432f4198db7e3b1bd3c1ce8bad68ac187223bf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
873B

MD5
1a875ae7ac0cf6001f0aea0dc78962e8

SHA1
dee4e924614a4dde1ea4f5b02b9112bdaab59cc4

SHA256
1d55ce5557f0d7f9ebc1ba83b7e6617e44b4bfc6747bfe61af3b638c645c7acc

SHA512
2a93303a1b5050d1a5172c040bd06bcafd615b71f3ed26e767f3c7e730daa85d46d1a1bf6ae74ab577c356fe7a952a39e67bbe6d9d100d2ba523947e1b1135af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
98f7eb59750b3da94a3449a4d1e675d5

SHA1
7c227ad74152898b07318063cf0c34beb5f0bb5a

SHA256
5d0935da8a1d51fa38a08956dead235d6eb18b446bf6ff26754cdb3f5d414a22

SHA512
9241e295806e96905f8479e426a7036903274285508c9f678602d581c7ca685389625e802581e25cdc0911f22aacc794ee8b30f24e24c811cc891dd8302a7c31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
062e9f317cb3faa469718ed56f75f7c3

SHA1
08f2db7d0673276a9055d9a5d0b28888a9ef2c98

SHA256
389a5b6dc733904826a79ede33501d5e08d19ba387c183fa355cd680032ee80f

SHA512
96e8e979e3e9e543e67743c9b154eeb29f35aa1ea0c34abe5413b6f6e3d41a8d5159f6f92ac36b1e62f6355820f8b302af20806a0c7f4c1a8c5e315e21147284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
c471255f32941071e1eb69f8e18947bc

SHA1
33115963bf711b6ec542df0ad22b518bf408952f

SHA256
bbeeb82323faabde0c7f5e83eef25f989fc2b56566706341db95dc3bc067e82f

SHA512
a19a85858c370f106411d2f16384ce96532af33a1817805cd688be47fd0d9a0b7a2500d53d7bc67ba86131ec1256fb9a63d2eaa1ea9523dbee38180682e17db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
167KB

MD5
48e0994e797755e795ae4e66d6b39521

SHA1
40d28663d0e55de66a1f34d9c636014102601606

SHA256
6292626dffa367b948bff91a03564d88ea4ca57f8d7462c5c114bbf30edb41b2

SHA512
b4e1525de457dde4bd21f0b3d3c0665ecca69a30809f559fc6c6d12f39d22a35b506195dde3667badd8714a943fd6f6b088d7b2b2535402e06c3f21111d0b54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
150KB

MD5
9f25618bb726648bea5b33cc16cf8cb0

SHA1
fd574d19f72c5fc5d494fc475e7eacbf0d3edb9a

SHA256
0401678544a2d7238e4790daf91806eb44cce4688856cd9f16124acb68d76a9b

SHA512
743f306df0bdeb8057d8529003f2a966dadb164a500644c3a5e67e52e818f57a6513e51178cc9f8ee1e7c8d9b7aa4636614b225f890b73bd1e0f93e46c64dc10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
150KB

MD5
2593daaae2aa3d171c7d9560f7ca13d0

SHA1
772c89ece8125036f63a9d45501d220de07f19e8

SHA256
ccca8ee954d2cf784df379c9835d53a48cd9128559efa2207f5c155e3b6f20de

SHA512
9321c2316c5b40a2fba1f2b39a691b73b4c0b5f09dfb612510da8dd6cf84ac90de693ec5bac6f5f13d47ce64a35f1d684ba48bd45034097f35db2d3ef8fa2ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
f2538250e79459111c13d0d6c618a7f3

SHA1
504d8b8ef6636e9ccd916b9d6b0a580d68f661e8

SHA256
2f51d3f05d0654e20349c849996f2888bd3f6f63e2cd7dd66bdf27b1c8329de8

SHA512
3380a59aba55bb78dd8f5dae69f5df6197a5f9be9400787153a50c85a9990dccbc2ece875e96ee32473198d17e05106edb3c2d9e5a5d00e0793138709e4a785b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58773e.TMP
Filesize
100KB

MD5
bca862c04b30d658c91454a9c6987166

SHA1
6c522ffc058b7df474537cc0db4a30b4b750f5f6

SHA256
6ce970402c22fc4738ddf45378e0cbf4446c877e6195629412ed97815d15172d

SHA512
588e6edc25efd7a86f079b7eece49c1a9501497648d09a9b9d11371e995ea66c902de2023fb4bf848f93df98bdb021ea6437bed528dafdbb87756d6a0ceb4004

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_woydlqtj.hyi.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\??\pipe\crashpad_5084_YZDWACZRENDNPPCZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Installer\kNT1bN68GPHErJoZ5BO4atslRG9JT48=\D3DCompiler_47_cor3.dll
Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Installer\kNT1bN68GPHErJoZ5BO4atslRG9JT48=\PresentationNative_cor3.dll
Filesize
1.2MB

MD5
e67dff697095b778ab6b76229c005811

SHA1
88a54a3e3ff2bf83a76bbf5df8a0e50bdb36bcdc

SHA256
e92b997f6f3a10b43d3fdc7743307228aa3b0a43430af60ccb06efa154d37e6a

SHA512
6f2a2bbbfa0464537fccb53d40239a294dca8fd477e79d70cd9f74079da48525a300675d3b0daae292432adbb9dd099fd4dc95b6fe2794f4c5f3a7e56e15ef51

Download Submit
\Users\Admin\AppData\Local\Temp\.net\Installer\kNT1bN68GPHErJoZ5BO4atslRG9JT48=\wpfgfx_cor3.dll
Filesize
1.9MB

MD5
a71862451605c3fd136c4fa209791815

SHA1
8dd7f71f7d657d24e0d2649a79b9901b8fe99bc1

SHA256
e793bb093c52726090f3590d2abe142e8bc4bdf19796984aef82751ba4b1be6a

SHA512
dbecec9bae98e3d5fe68f9c9a71e3f11322fa3b6b2f9665a377f825ba13c1245d003f484aae62e27c014f4728eaa90d7f24c5ef7ab8baf6e85c7d394c85fae53

Download Submit
memory/1104-117-0x000001AE01B90000-0x000001AE01BA0000-memory.dmp

Filesize
64KB

Download
memory/1104-83-0x000001AE00680000-0x000001AE00AA0000-memory.dmp

Filesize
4.1MB

Download
memory/1104-130-0x000001AE03850000-0x000001AE03BA0000-memory.dmp

Filesize
3.3MB

Download
memory/1104-138-0x000001AE03C30000-0x000001AE03C40000-memory.dmp

Filesize
64KB

Download
memory/1104-134-0x000001AE03BF0000-0x000001AE03C30000-memory.dmp

Filesize
256KB

Download
memory/1104-126-0x000001AE034D0000-0x000001AE034F0000-memory.dmp

Filesize
128KB

Download
memory/1104-122-0x000001AE03480000-0x000001AE034A0000-memory.dmp

Filesize
128KB

Download
memory/1104-146-0x000001AE03C70000-0x000001AE03C80000-memory.dmp

Filesize
64KB

Download
memory/1104-142-0x000001AE03C50000-0x000001AE03C60000-memory.dmp

Filesize
64KB

Download
memory/1104-86-0x000001AE05B00000-0x000001AE0AB50000-memory.dmp

Filesize
80.3MB

Download
memory/1104-98-0x000001AE01260000-0x000001AE01820000-memory.dmp

Filesize
5.8MB

Download
memory/1104-94-0x000001AE001C0000-0x000001AE00200000-memory.dmp

Filesize
256KB

Download
memory/1104-150-0x000001AE03C40000-0x000001AE03C50000-memory.dmp

Filesize
64KB

Download
memory/1104-101-0x000001AE01930000-0x000001AE01A40000-memory.dmp

Filesize
1.1MB

Download
memory/1104-113-0x000001AE01B70000-0x000001AE01B90000-memory.dmp

Filesize
128KB

Download
memory/1104-109-0x000001AE01AE0000-0x000001AE01B70000-memory.dmp

Filesize
576KB

Download
memory/1104-105-0x000001AE00170000-0x000001AE00180000-memory.dmp

Filesize
64KB

Download
memory/2376-359-0x000001A938690000-0x000001A938706000-memory.dmp

Filesize
472KB

Download
memory/2376-355-0x000001A937BA0000-0x000001A937BC2000-memory.dmp

Filesize
136KB

Download