elysiumstealer | b2b39d32315cb31d5799c2aa038fdbd3f973eac21ae210ad2bee07af130e7a81

Target

Setup3310.exe
Size

381KB
MD5

9b6051646052a21c4002dcd1bb973134
SHA1

a671b61746a7e6032f253008106d1b84cebca943
SHA256

b2b39d32315cb31d5799c2aa038fdbd3f973eac21ae210ad2bee07af130e7a81
SHA512

59995b1a08324362444469b0cc4f8cb87e2a83ccf189c9c7fb3574576d55fa10d4ef72c3459bce38d427c7450a825cfa682b7f524aaa71dcd7343948ae306440

Score

10^/10

elysiumstealer vidar discovery evasion persistence redline spyware stealer trojan upx vmprotect

Malware Config

Signatures

ElysiumStealer
ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.
stealer elysiumstealer
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

redline 2 IoCs

redline_Stealer.

redline stealer

resource	yara_rule
behavioral2/files/0x000100000001ab9d-321.dat	Redline_stealer
behavioral2/files/0x000100000001ab9d-322.dat	Redline_stealer

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	ysAGEL.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	alpATCHInO.exe

Executes dropped EXE 46 IoCs

pid	Process
2172	Setup3310.tmp
3420	Setup.exe
2096	hjjgaa.exe
3880	RunWW.exe
3788	jg7_7wjg.exe
3844	guihuali-game.exe
2300	Three.exe
1852	LabPicV3.exe
2324	lylal220.exe
3224	JoSetp.exe
2204	sskiper.exe
1536	BarSetpFile.exe
3024	LabPicV3.tmp
3732	Adsbrowser.exe
4124	lylal220.tmp
4336	jfiag3g_gg.exe
4764	335474.exe
4808	6289888.exe
4136	1463914.exe
3032	ysAGEL.exe
4376	alpATCHInO.exe
4648	Windows Host.exe
4788	127068103.exe
2220	jfiag3g_gg.exe
1052	1691508089.exe
4300	prolab.exe
4584	jgjg_note8876.exe
4504	Hudocebibo.exe
964	Fuholycolae.exe
484	irecord.exe
3676	Hitemodoro.exe
4848	irecord.tmp
4904	Vaequjadypu.exe
4608	i-record.exe
2416	jgjg_note8876.exe
4584	jgjg_note8876.exe
1184	1691508089.exe
4820	google-game.exe
5816	askinstall31.exe
5116	askinstall31.exe
2696	94B5.exe
5888	toolspab1.exe
6140	toolspab1.exe
6012	toolspab1.exe
6256	1463914.exe
1184	1691508089.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000001ab5c-206.dat	upx
behavioral2/files/0x000100000001ab5c-205.dat	upx
behavioral2/files/0x000100000001aba1-325.dat	upx
behavioral2/files/0x000100000001aba1-324.dat	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000100000001ab38-144.dat	vmprotect
behavioral2/files/0x000100000001ab38-145.dat	vmprotect
behavioral2/memory/2096-159-0x00000000012A0000-0x00000000018F6000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Adsbrowser.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Adsbrowser.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Hitemodoro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	Hudocebibo.exe

Loads dropped DLL 18 IoCs

pid	Process
2172	Setup3310.tmp
2172	Setup3310.tmp
3024	LabPicV3.tmp
4124	lylal220.tmp
4740	timeout.exe
3880	RunWW.exe
3880	RunWW.exe
4608	i-record.exe
4608	i-record.exe
4608	i-record.exe
4608	i-record.exe
4608	i-record.exe
4608	i-record.exe
4608	i-record.exe
4608	i-record.exe
4764	rundll32.exe
6076	rundll32.exe
6140	toolspab1.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Host = "C:\\ProgramData\\Windows Host\\Windows Host.exe"	6289888.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Portable Devices\\Tazhopexupae.exe\""	alpATCHInO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Hyvulucofu.exe\""	ysAGEL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jgjg_note8876.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Adsbrowser.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jgjg_note8876.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ipinfo.io
22	ip-api.com
9	ipinfo.io

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\YBJC1RFZ.cookie	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\YBJC1RFZ.cookie	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3732	Adsbrowser.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 3276 set thread context of 1740	3276	svchost.exe	101
PID 4788 set thread context of 1628	4788	127068103.exe	106
PID 2696 set thread context of 6140	2696	94B5.exe	158
PID 5888 set thread context of 6012	5888	toolspab1.exe	159
PID 4136 set thread context of 6256	4136	1463914.exe	165
PID 1052 set thread context of 1184	1052	1691508089.exe	166

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\i-record\i-record.exe	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-OLQ31.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-QLV8M.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe	Setup.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Uninstall.ini	Setup.exe
File created	C:\Program Files (x86)\Picture Lab\is-7BCK0.tmp	jgjg_note8876.exe
File created	C:\Program Files (x86)\Picture Lab\is-MFDP0.tmp	jgjg_note8876.exe
File opened for modification	C:\Program Files (x86)\i-record\avcodec-53.dll	irecord.tmp
File created	C:\Program Files\VideoLAN\ZRXQAQZGFM\irecord.exe	ysAGEL.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\Pictures Lab.exe	jgjg_note8876.exe
File created	C:\Program Files (x86)\Picture Lab\is-L4PUG.tmp	jgjg_note8876.exe
File created	C:\Program Files (x86)\Internet Explorer\Hyvulucofu.exe.config	ysAGEL.exe
File opened for modification	C:\Program Files (x86)\i-record\LinqBridge.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\postproc-52.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe	Setup.exe
File created	C:\Program Files\api-ms-win-crt-convert-l1-1-0.dll	guihuali-game.exe
File created	C:\Program Files\Mozilla Firefox\EBZHMZRVWR\prolab.exe.config	alpATCHInO.exe
File created	C:\Program Files (x86)\i-record\is-MVLB3.tmp	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Adsbrowser.exe	Setup.exe
File created	C:\Program Files\dcpr.dll	guihuali-game.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.jfm	Process not Found
File created	C:\Program Files (x86)\Picture Lab\is-D5GLU.tmp	jgjg_note8876.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-8ODDG.tmp	irecord.tmp
File created	C:\Program Files\unins0000.dll	guihuali-game.exe
File created	C:\Program Files\jp2native.dll	guihuali-game.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\tmp.edb	Process not Found
File opened for modification	C:\Program Files (x86)\Picture Lab\SourceGrid2.dll	jgjg_note8876.exe
File created	C:\Program Files (x86)\Picture Lab\is-GCFFU.tmp	jgjg_note8876.exe
File created	C:\Program Files (x86)\Internet Explorer\Hyvulucofu.exe	ysAGEL.exe
File opened for modification	C:\Program Files (x86)\i-record\swscale-2.dll	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-MO7B2.tmp	irecord.tmp
File created	C:\Program Files\api-ms-win-crt-runtime-l1-1-0.dll	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.INTEG.RAW	Process not Found
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Math.dll	jgjg_note8876.exe
File opened for modification	C:\Program Files (x86)\i-record\unins000.dat	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Uninstall.exe	Setup.exe
File created	C:\Program Files (x86)\i-record\is-SDN89.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-I3CNS.tmp	irecord.tmp
File created	C:\Program Files\patch.dat	google-game.exe
File created	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d	Process not Found
File created	C:\Program Files (x86)\Picture Lab\is-D1N1V.tmp	jgjg_note8876.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Tazhopexupae.exe.config	alpATCHInO.exe
File created	C:\Program Files (x86)\i-record\is-87SLS.tmp	irecord.tmp
File opened for modification	C:\Program Files\patch.dat	1691508089.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe	Setup.exe
File created	C:\Program Files\unins0000.dat	guihuali-game.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\WeifenLuo.WinFormsUI.dll	jgjg_note8876.exe
File created	C:\Program Files (x86)\i-record\is-CKRO2.tmp	irecord.tmp
File created	C:\Program Files (x86)\i-record\is-N6M30.tmp	irecord.tmp
File created	C:\Program Files\api-ms-win-crt-string-l1-1-0.dll	guihuali-game.exe
File created	C:\Program Files (x86)\Picture Lab\is-1STQL.tmp	jgjg_note8876.exe
File opened for modification	C:\Program Files (x86)\i-record\swresample-0.dll	irecord.tmp
File created	C:\Program Files\Mozilla Firefox\EBZHMZRVWR\prolab.exe	alpATCHInO.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\AForge.Imaging.dll	jgjg_note8876.exe
File opened for modification	C:\Program Files (x86)\Picture Lab\DockingToolbar.dll	jgjg_note8876.exe
File opened for modification	C:\Program Files (x86)\i-record\AForge.Video.FFMPEG.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\i-record\avdevice-53.dll	irecord.tmp
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\d.jfm	Process not Found

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RunWW.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RunWW.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4740	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1320	taskkill.exe
5532	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\Version = "7"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 571af160aa2fd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{74WP1CM3-506M-V62R-WR42-7MQP227Y2YLP}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url1 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 3ab8be5baa2fd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = 1d24df8b702cd701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c7ec545caa2fd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20EP1MI0-142C-L17D-YD26-2GCP283P3KMT}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45AC2TN3-666M-M32E-TO40-1MIP137D5TOZ}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1f294261aa2fd701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = a2ca8862aa2fd701	MicrosoftEdge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6552	PING.EXE

Script User-Agent 8 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	11	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	21	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	74	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4740	timeout.exe
4740	timeout.exe
3276	svchost.exe
3276	svchost.exe
3880	RunWW.exe
3880	RunWW.exe
3880	RunWW.exe
3880	RunWW.exe
3880	RunWW.exe
3880	RunWW.exe
3880	RunWW.exe
3880	RunWW.exe
2220	jfiag3g_gg.exe
2220	jfiag3g_gg.exe
4584	jgjg_note8876.exe
4584	jgjg_note8876.exe
4764	rundll32.exe
4764	rundll32.exe
4848	irecord.tmp
4848	irecord.tmp
4764	rundll32.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe
4904	Vaequjadypu.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
5536	MicrosoftEdgeCP.exe
5536	MicrosoftEdgeCP.exe
6140	toolspab1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	Three.exe
Token: SeDebugPrivilege	3224	JoSetp.exe
Token: SeDebugPrivilege	1536	BarSetpFile.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeTcbPrivilege	3276	svchost.exe
Token: SeDebugPrivilege	4136	1463914.exe
Token: SeDebugPrivilege	4764	335474.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeDebugPrivilege	4740	timeout.exe
Token: SeManageVolumePrivilege	3788	Process not Found
Token: SeDebugPrivilege	4788	127068103.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe
Token: SeRestorePrivilege	2708	svchost.exe
Token: SeShutdownPrivilege	2708	svchost.exe
Token: SeSystemEnvironmentPrivilege	2708	svchost.exe
Token: SeUndockPrivilege	2708	svchost.exe
Token: SeManageVolumePrivilege	2708	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2708	svchost.exe
Token: SeIncreaseQuotaPrivilege	2708	svchost.exe
Token: SeSecurityPrivilege	2708	svchost.exe
Token: SeTakeOwnershipPrivilege	2708	svchost.exe
Token: SeLoadDriverPrivilege	2708	svchost.exe
Token: SeSystemtimePrivilege	2708	svchost.exe
Token: SeBackupPrivilege	2708	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2172	Setup3310.tmp
4584	jgjg_note8876.exe
4848	irecord.tmp

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4588	MicrosoftEdge.exe
5536	MicrosoftEdgeCP.exe
5536	MicrosoftEdgeCP.exe
4820	google-game.exe
4820	google-game.exe
1184	1691508089.exe
1184	1691508089.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2172	2544	Setup3310.exe	75
PID 2544 wrote to memory of 2172	2544	Setup3310.exe	75
PID 2544 wrote to memory of 2172	2544	Setup3310.exe	75
PID 2172 wrote to memory of 3420	2172	Setup3310.tmp	78
PID 2172 wrote to memory of 3420	2172	Setup3310.tmp	78
PID 2172 wrote to memory of 3420	2172	Setup3310.tmp	78
PID 3420 wrote to memory of 2096	3420	Setup.exe	80
PID 3420 wrote to memory of 2096	3420	Setup.exe	80
PID 3420 wrote to memory of 2096	3420	Setup.exe	80
PID 3420 wrote to memory of 3880	3420	Setup.exe	81
PID 3420 wrote to memory of 3880	3420	Setup.exe	81
PID 3420 wrote to memory of 3880	3420	Setup.exe	81
PID 3420 wrote to memory of 3788	3420	Setup.exe	82
PID 3420 wrote to memory of 3788	3420	Setup.exe	82
PID 3420 wrote to memory of 3788	3420	Setup.exe	82
PID 3420 wrote to memory of 3844	3420	Setup.exe	83
PID 3420 wrote to memory of 3844	3420	Setup.exe	83
PID 3420 wrote to memory of 3844	3420	Setup.exe	83
PID 3420 wrote to memory of 2300	3420	Setup.exe	86
PID 3420 wrote to memory of 2300	3420	Setup.exe	86
PID 3420 wrote to memory of 1852	3420	Setup.exe	84
PID 3420 wrote to memory of 1852	3420	Setup.exe	84
PID 3420 wrote to memory of 1852	3420	Setup.exe	84
PID 3420 wrote to memory of 2324	3420	Setup.exe	85
PID 3420 wrote to memory of 2324	3420	Setup.exe	85
PID 3420 wrote to memory of 2324	3420	Setup.exe	85
PID 3420 wrote to memory of 3224	3420	Setup.exe	94
PID 3420 wrote to memory of 3224	3420	Setup.exe	94
PID 3420 wrote to memory of 2204	3420	Setup.exe	93
PID 3420 wrote to memory of 2204	3420	Setup.exe	93
PID 3420 wrote to memory of 2204	3420	Setup.exe	93
PID 3420 wrote to memory of 1536	3420	Setup.exe	87
PID 3420 wrote to memory of 1536	3420	Setup.exe	87
PID 1852 wrote to memory of 3024	1852	LabPicV3.exe	92
PID 1852 wrote to memory of 3024	1852	LabPicV3.exe	92
PID 1852 wrote to memory of 3024	1852	LabPicV3.exe	92
PID 3420 wrote to memory of 3732	3420	Setup.exe	88
PID 3420 wrote to memory of 3732	3420	Setup.exe	88
PID 3420 wrote to memory of 3732	3420	Setup.exe	88
PID 3844 wrote to memory of 4100	3844	guihuali-game.exe	91
PID 3844 wrote to memory of 4100	3844	guihuali-game.exe	91
PID 3844 wrote to memory of 4100	3844	guihuali-game.exe	91
PID 2324 wrote to memory of 4124	2324	lylal220.exe	89
PID 2324 wrote to memory of 4124	2324	lylal220.exe	89
PID 2324 wrote to memory of 4124	2324	lylal220.exe	89
PID 2096 wrote to memory of 4336	2096	hjjgaa.exe	90
PID 2096 wrote to memory of 4336	2096	hjjgaa.exe	90
PID 2096 wrote to memory of 4336	2096	hjjgaa.exe	90
PID 4100 wrote to memory of 4740	4100	WScript.exe	111
PID 4100 wrote to memory of 4740	4100	WScript.exe	111
PID 4100 wrote to memory of 4740	4100	WScript.exe	111
PID 3224 wrote to memory of 4764	3224	JoSetp.exe	97
PID 3224 wrote to memory of 4764	3224	JoSetp.exe	97
PID 3224 wrote to memory of 4764	3224	JoSetp.exe	97
PID 3224 wrote to memory of 4808	3224	JoSetp.exe	98
PID 3224 wrote to memory of 4808	3224	JoSetp.exe	98
PID 3224 wrote to memory of 4808	3224	JoSetp.exe	98
PID 3224 wrote to memory of 4136	3224	JoSetp.exe	99
PID 3224 wrote to memory of 4136	3224	JoSetp.exe	99
PID 3224 wrote to memory of 4136	3224	JoSetp.exe	99
PID 4124 wrote to memory of 3032	4124	lylal220.tmp	100
PID 4124 wrote to memory of 3032	4124	lylal220.tmp	100
PID 4740 wrote to memory of 3276	4740	timeout.exe	68
PID 3024 wrote to memory of 4376	3024	LabPicV3.tmp	102

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2764

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1820

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1232

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1056

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:788

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\Setup3310.exe
"C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\is-0GM9O.tmp\Setup3310.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0GM9O.tmp\Setup3310.tmp" /SL5="$6005E,138429,56832,C:\Users\Admin\AppData\Local\Temp\Setup3310.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\is-G0VTP.tmp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\is-G0VTP.tmp\Setup.exe" /Verysilent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:4336
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2220
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im RunWW.exe /f & timeout /t 6 & del /f /q "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\RunWW.exe" & del C:\ProgramData\*.dll & exit
        5⤵
        
        PID:4812
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im RunWW.exe /f
        6⤵
        Kills process with taskkill
        
        PID:1320
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Loads dropped DLL
        Delays execution with timeout.exe
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\jg7_7wjg.exe"
      4⤵
      Executes dropped EXE
      PID:3788
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\guihuali-game.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Program Files\unins.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\unins0000.dll",install
        6⤵
        
        PID:4740
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\is-GA1VK.tmp\LabPicV3.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GA1VK.tmp\LabPicV3.tmp" /SL5="$10256,136934,53248,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\LabPicV3.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\is-QNBQD.tmp\alpATCHInO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-QNBQD.tmp\alpATCHInO.exe" /S /UID=lab214
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4376
        
        C:\Program Files\Mozilla Firefox\EBZHMZRVWR\prolab.exe
        
        "C:\Program Files\Mozilla Firefox\EBZHMZRVWR\prolab.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\is-NLESA.tmp\prolab.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-NLESA.tmp\prolab.tmp" /SL5="$1026C,575243,216576,C:\Program Files\Mozilla Firefox\EBZHMZRVWR\prolab.exe" /VERYSILENT
        8⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\5f-a3a5a-66b-443b4-ae4d711636897\Hudocebibo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5f-a3a5a-66b-443b4-ae4d711636897\Hudocebibo.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\e9-7f65e-d97-8af95-1db138437d37f\Fuholycolae.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e9-7f65e-d97-8af95-1db138437d37f\Fuholycolae.exe"
        7⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\yvpqbi0k.kzf\gaooo.exe & exit
        8⤵
        
        PID:5160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cfoibonu.fuj\jgjg_note8876.exe & exit
        8⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\cfoibonu.fuj\jgjg_note8876.exe
        
        C:\Users\Admin\AppData\Local\Temp\cfoibonu.fuj\jgjg_note8876.exe
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m4i3uq3b.gg2\google-game.exe & exit
        8⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\m4i3uq3b.gg2\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\m4i3uq3b.gg2\google-game.exe
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch
        10⤵
        Loads dropped DLL
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\i2mqwsy0.yi0\askinstall31.exe & exit
        8⤵
        
        PID:6124
        
        C:\Users\Admin\AppData\Local\Temp\i2mqwsy0.yi0\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\i2mqwsy0.yi0\askinstall31.exe
        9⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\5bblgwdn.ruh\toolspab1.exe & exit
        8⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\5bblgwdn.ruh\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\5bblgwdn.ruh\toolspab1.exe
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\5bblgwdn.ruh\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\5bblgwdn.ruh\toolspab1.exe
        10⤵
        Executes dropped EXE
        
        PID:6012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\xjg0nwqj.rej\setup_10.2_mix.exe & exit
        8⤵
        
        PID:5640
        
        C:\Users\Admin\AppData\Local\Temp\xjg0nwqj.rej\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\xjg0nwqj.rej\setup_10.2_mix.exe
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
        10⤵
        
        PID:5932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\uthixc3a.g5t\a1207b55.exe & exit
        8⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\uthixc3a.g5t\a1207b55.exe
        
        C:\Users\Admin\AppData\Local\Temp\uthixc3a.g5t\a1207b55.exe
        9⤵
        
        PID:6048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mhrpxkx0.vrq\app.exe /8-2222 & exit
        8⤵
        
        PID:6868
        
        C:\Users\Admin\AppData\Local\Temp\mhrpxkx0.vrq\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\mhrpxkx0.vrq\app.exe /8-2222
        9⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Local\Temp\mhrpxkx0.vrq\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\mhrpxkx0.vrq\app.exe" /8-2222
        10⤵
        
        PID:6092
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\is-S52AJ.tmp\lylal220.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S52AJ.tmp\lylal220.tmp" /SL5="$1025A,298214,214528,C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\lylal220.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4124
      - C:\Users\Admin\AppData\Local\Temp\is-L10H1.tmp\ysAGEL.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-L10H1.tmp\ysAGEL.exe" /S /UID=lylal220
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3032
        
        C:\Program Files\VideoLAN\ZRXQAQZGFM\irecord.exe
        
        "C:\Program Files\VideoLAN\ZRXQAQZGFM\irecord.exe" /VERYSILENT
        7⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\is-V01EC.tmp\irecord.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V01EC.tmp\irecord.tmp" /SL5="$102BE,5922518,66560,C:\Program Files\VideoLAN\ZRXQAQZGFM\irecord.exe" /VERYSILENT
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:4848
        
        C:\Program Files (x86)\i-record\i-record.exe
        
        "C:\Program Files (x86)\i-record\i-record.exe" -silent -desktopShortcut -programMenu
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\37-b06a3-ea4-acc95-38ffb8b10124b\Hitemodoro.exe
        
        "C:\Users\Admin\AppData\Local\Temp\37-b06a3-ea4-acc95-38ffb8b10124b\Hitemodoro.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\da-52d3d-588-2b99c-a8b8c6f2229c5\Vaequjadypu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\da-52d3d-588-2b99c-a8b8c6f2229c5\Vaequjadypu.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jsladhcs.qls\gaooo.exe & exit
        8⤵
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lwaw2rlu.tyj\jgjg_note8876.exe & exit
        8⤵
        
        PID:5908
        
        C:\Users\Admin\AppData\Local\Temp\lwaw2rlu.tyj\jgjg_note8876.exe
        
        C:\Users\Admin\AppData\Local\Temp\lwaw2rlu.tyj\jgjg_note8876.exe
        9⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kecsqw02.f2t\google-game.exe & exit
        8⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\kecsqw02.f2t\google-game.exe
        
        C:\Users\Admin\AppData\Local\Temp\kecsqw02.f2t\google-game.exe
        9⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4820
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" "C:\Program Files\patch.dll",patch
        10⤵
        Loads dropped DLL
        
        PID:6076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jyv1cblh.4fr\askinstall31.exe & exit
        8⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\jyv1cblh.4fr\askinstall31.exe
        
        C:\Users\Admin\AppData\Local\Temp\jyv1cblh.4fr\askinstall31.exe
        9⤵
        Executes dropped EXE
        
        PID:5816
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        10⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        11⤵
        Kills process with taskkill
        
        PID:5532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hc2ekgnv.vgf\toolspab1.exe & exit
        8⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\hc2ekgnv.vgf\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\hc2ekgnv.vgf\toolspab1.exe
        9⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\hc2ekgnv.vgf\toolspab1.exe
        
        C:\Users\Admin\AppData\Local\Temp\hc2ekgnv.vgf\toolspab1.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:6140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tt0oixpo.1hh\setup_10.2_mix.exe & exit
        8⤵
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\tt0oixpo.1hh\setup_10.2_mix.exe
        
        C:\Users\Admin\AppData\Local\Temp\tt0oixpo.1hh\setup_10.2_mix.exe
        9⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\App\app.bat" "
        10⤵
        
        PID:5852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\jceuxdqz.m1w\a1207b55.exe & exit
        8⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\jceuxdqz.m1w\a1207b55.exe
        
        C:\Users\Admin\AppData\Local\Temp\jceuxdqz.m1w\a1207b55.exe
        9⤵
        
        PID:6500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hf4nek2o.ddv\app.exe /8-2222 & exit
        8⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\hf4nek2o.ddv\app.exe
        
        C:\Users\Admin\AppData\Local\Temp\hf4nek2o.ddv\app.exe /8-2222
        9⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\hf4nek2o.ddv\app.exe
        
        "C:\Users\Admin\AppData\Local\Temp\hf4nek2o.ddv\app.exe" /8-2222
        10⤵
        
        PID:4300
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Three.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\L8HY3UBF8H\setups.exe
        
        "C:\Users\Admin\AppData\Local\Temp\L8HY3UBF8H\setups.exe" ll
        5⤵
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\is-IEH9F.tmp\setups.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-IEH9F.tmp\setups.tmp" /SL5="$40242,726852,244736,C:\Users\Admin\AppData\Local\Temp\L8HY3UBF8H\setups.exe" ll
        6⤵
        
        PID:4944
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\BarSetpFile.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Adsbrowser.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\Adsbrowser.exe"
      4⤵
      Executes dropped EXE
      Checks BIOS information in registry
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3732
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe"
      4⤵
      Executes dropped EXE
      PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\127068103.exe
        
        C:\Users\Admin\AppData\Local\Temp\127068103.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        
        PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\1691508089.exe
        
        C:\Users\Admin\AppData\Local\Temp\1691508089.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1052
      - C:\Users\Admin\AppData\Local\Temp\1691508089.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:1184
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\sskiper.exe & exit
        5⤵
        
        PID:5860
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 0
        6⤵
        Runs ping.exe
        
        PID:6552
  - - C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe
      "C:\Program Files (x86)\94c45254-6d52-40cc-93fb-b69707383880\Versium Research\JoSetp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\ProgramData\335474.exe
        
        "C:\ProgramData\335474.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
    - - C:\ProgramData\6289888.exe
        
        "C:\ProgramData\6289888.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4808
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        Executes dropped EXE
        
        PID:4648
    - - C:\ProgramData\1463914.exe
        
        "C:\ProgramData\1463914.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
      - C:\ProgramData\1463914.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        
        PID:6256

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3276
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k SystemNetworkService
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:1740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4720

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\74D3.exe
C:\Users\Admin\AppData\Local\Temp\74D3.exe
1⤵
PID:6392

C:\Users\Admin\AppData\Local\Temp\76C8.exe
C:\Users\Admin\AppData\Local\Temp\76C8.exe
1⤵
PID:6784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:7092

C:\Users\Admin\AppData\Local\Temp\859E.exe
C:\Users\Admin\AppData\Local\Temp\859E.exe
1⤵
PID:3940
- C:\Users\Admin\AppData\Local\Temp\859E.exe
  "{path}"
  2⤵
  PID:2476

C:\Users\Admin\AppData\Local\Temp\8B0D.exe
C:\Users\Admin\AppData\Local\Temp\8B0D.exe
1⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\8F45.exe
C:\Users\Admin\AppData\Local\Temp\8F45.exe
1⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\9205.exe
C:\Users\Admin\AppData\Local\Temp\9205.exe
1⤵
PID:3820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  2⤵
  PID:6288

C:\Users\Admin\AppData\Local\Temp\94B5.exe
C:\Users\Admin\AppData\Local\Temp\94B5.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2696

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4456

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6352

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5096

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6644

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6968

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2356

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6948

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4916

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\B6B1.exe
C:\Users\Admin\AppData\Local\Temp\B6B1.exe
1⤵
PID:5288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\CE7F.exe
C:\Users\Admin\AppData\Local\Temp\CE7F.exe
1⤵
PID:6428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

Software Discovery

T1518

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/484-342-0x0000000000000000-mapping.dmp

Download
memory/788-310-0x0000020AD6A60000-0x0000020AD6AC7000-memory.dmp

Filesize
412KB

Download
memory/964-341-0x0000000000000000-mapping.dmp

Download
memory/1004-275-0x000001FFF5D60000-0x000001FFF5DC7000-memory.dmp

Filesize
412KB

Download
memory/1052-328-0x0000000000000000-mapping.dmp

Download
memory/1056-308-0x00000230BB2D0000-0x00000230BB337000-memory.dmp

Filesize
412KB

Download
memory/1184-356-0x0000000000000000-mapping.dmp

Download
memory/1192-316-0x0000020BD2980000-0x0000020BD29E7000-memory.dmp

Filesize
412KB

Download
memory/1320-332-0x0000000000000000-mapping.dmp

Download
memory/1408-312-0x00000169715D0000-0x0000016971637000-memory.dmp

Filesize
412KB

Download
memory/1536-191-0x0000000001170000-0x0000000001171000-memory.dmp

Filesize
4KB

Download
memory/1536-201-0x000000001B690000-0x000000001B692000-memory.dmp

Filesize
8KB

Download
memory/1536-171-0x0000000000000000-mapping.dmp

Download
memory/1536-198-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/1536-184-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1536-195-0x0000000001180000-0x00000000011A0000-memory.dmp

Filesize
128KB

Download
memory/1628-326-0x00000000004163D2-mapping.dmp

Download
memory/1740-293-0x0000028A0EC50000-0x0000028A0ECB7000-memory.dmp

Filesize
412KB

Download
memory/1740-256-0x00007FF6D3594060-mapping.dmp

Download
memory/1820-314-0x000002C8A8710000-0x000002C8A8777000-memory.dmp

Filesize
412KB

Download
memory/1852-158-0x0000000000000000-mapping.dmp

Download
memory/1852-162-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2096-143-0x0000000000000000-mapping.dmp

Download
memory/2096-159-0x00000000012A0000-0x00000000018F6000-memory.dmp

Filesize
6.3MB

Download
memory/2172-118-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2172-130-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/2172-121-0x0000000003A60000-0x0000000003A9C000-memory.dmp

Filesize
240KB

Download
memory/2172-123-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/2172-122-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2172-125-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2172-124-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/2172-127-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/2172-126-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2172-129-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download
memory/2172-128-0x00000000051A0000-0x00000000051A1000-memory.dmp

Filesize
4KB

Download
memory/2172-131-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/2172-139-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/2172-138-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/2172-136-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/2172-137-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/2172-116-0x0000000000000000-mapping.dmp

Download
memory/2172-135-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/2172-133-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2172-132-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/2172-134-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/2204-169-0x0000000000000000-mapping.dmp

Download
memory/2220-323-0x0000000000000000-mapping.dmp

Download
memory/2300-186-0x0000000002340000-0x0000000002342000-memory.dmp

Filesize
8KB

Download
memory/2300-153-0x0000000000000000-mapping.dmp

Download
memory/2324-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2324-160-0x0000000000000000-mapping.dmp

Download
memory/2416-351-0x0000000000000000-mapping.dmp

Download
memory/2448-289-0x000001B955C80000-0x000001B955CE7000-memory.dmp

Filesize
412KB

Download
memory/2492-282-0x000001A97E140000-0x000001A97E1A7000-memory.dmp

Filesize
412KB

Download
memory/2544-114-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2640-347-0x0000000000000000-mapping.dmp

Download
memory/2696-365-0x0000000000000000-mapping.dmp

Download
memory/2836-263-0x000001FE52570000-0x000001FE525D7000-memory.dmp

Filesize
412KB

Download
memory/3024-173-0x0000000000000000-mapping.dmp

Download
memory/3024-197-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/3032-239-0x0000000000000000-mapping.dmp

Download
memory/3032-251-0x0000000002C80000-0x0000000002C82000-memory.dmp

Filesize
8KB

Download
memory/3224-164-0x0000000000000000-mapping.dmp

Download
memory/3224-199-0x00000000011C0000-0x00000000011C2000-memory.dmp

Filesize
8KB

Download
memory/3224-178-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/3224-196-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/3224-194-0x0000000000EC0000-0x0000000000EDF000-memory.dmp

Filesize
124KB

Download
memory/3224-190-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3276-283-0x0000019F25A10000-0x0000019F25A77000-memory.dmp

Filesize
412KB

Download
memory/3276-246-0x0000019F25950000-0x0000019F25994000-memory.dmp

Filesize
272KB

Download
memory/3420-140-0x0000000000000000-mapping.dmp

Download
memory/3676-343-0x0000000000000000-mapping.dmp

Download
memory/3732-288-0x0000000005224000-0x0000000005226000-memory.dmp

Filesize
8KB

Download
memory/3732-270-0x0000000005DC0000-0x0000000005DC1000-memory.dmp

Filesize
4KB

Download
memory/3732-237-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/3732-214-0x0000000005223000-0x0000000005224000-memory.dmp

Filesize
4KB

Download
memory/3732-212-0x0000000005222000-0x0000000005223000-memory.dmp

Filesize
4KB

Download
memory/3732-211-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3732-177-0x0000000000000000-mapping.dmp

Download
memory/3732-209-0x0000000002FC0000-0x0000000002FE1000-memory.dmp

Filesize
132KB

Download
memory/3732-216-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/3732-202-0x00000000772E0000-0x000000007746E000-memory.dmp

Filesize
1.6MB

Download
memory/3732-213-0x0000000005170000-0x0000000005190000-memory.dmp

Filesize
128KB

Download
memory/3732-245-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/3732-295-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/3732-210-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3788-149-0x0000000000000000-mapping.dmp

Download
memory/3844-152-0x0000000000000000-mapping.dmp

Download
memory/3880-208-0x0000000000400000-0x0000000003DFE000-memory.dmp

Filesize
58.0MB

Download
memory/3880-146-0x0000000000000000-mapping.dmp

Download
memory/3880-200-0x0000000005910000-0x00000000059A4000-memory.dmp

Filesize
592KB

Download
memory/4100-180-0x0000000000000000-mapping.dmp

Download
memory/4124-183-0x0000000000000000-mapping.dmp

Download
memory/4124-203-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4136-284-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/4136-272-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/4136-240-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/4136-231-0x0000000000000000-mapping.dmp

Download
memory/4136-305-0x00000000077F0000-0x00000000077F5000-memory.dmp

Filesize
20KB

Download
memory/4136-303-0x00000000079B0000-0x0000000007A33000-memory.dmp

Filesize
524KB

Download
memory/4136-264-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/4248-363-0x0000000000000000-mapping.dmp

Download
memory/4300-334-0x0000000000000000-mapping.dmp

Download
memory/4336-204-0x0000000000000000-mapping.dmp

Download
memory/4376-276-0x0000000002260000-0x0000000002262000-memory.dmp

Filesize
8KB

Download
memory/4376-243-0x0000000000000000-mapping.dmp

Download
memory/4504-339-0x0000000000000000-mapping.dmp

Download
memory/4584-337-0x0000000000000000-mapping.dmp

Download
memory/4584-352-0x0000000000000000-mapping.dmp

Download
memory/4608-346-0x0000000000000000-mapping.dmp

Download
memory/4648-317-0x0000000000000000-mapping.dmp

Download
memory/4740-238-0x0000000004510000-0x000000000454A000-memory.dmp

Filesize
232KB

Download
memory/4740-215-0x0000000000000000-mapping.dmp

Download
memory/4740-333-0x0000000000000000-mapping.dmp

Download
memory/4740-255-0x00000000045A0000-0x00000000045F6000-memory.dmp

Filesize
344KB

Download
memory/4764-217-0x0000000000000000-mapping.dmp

Download
memory/4764-224-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4764-254-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/4764-228-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4764-358-0x0000000000000000-mapping.dmp

Download
memory/4764-242-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4788-320-0x0000000000000000-mapping.dmp

Download
memory/4808-277-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/4808-281-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4808-230-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/4808-241-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/4808-221-0x0000000000000000-mapping.dmp

Download
memory/4808-265-0x0000000002CC0000-0x0000000002CD3000-memory.dmp

Filesize
76KB

Download
memory/4812-330-0x0000000000000000-mapping.dmp

Download
memory/4820-355-0x0000000000000000-mapping.dmp

Download
memory/4848-344-0x0000000000000000-mapping.dmp

Download
memory/4876-353-0x0000000000000000-mapping.dmp

Download
memory/4904-345-0x0000000000000000-mapping.dmp

Download
memory/4920-350-0x0000000000000000-mapping.dmp

Download
memory/5116-361-0x0000000000000000-mapping.dmp

Download
memory/5160-348-0x0000000000000000-mapping.dmp

Download
memory/5816-362-0x0000000000000000-mapping.dmp

Download
memory/5880-354-0x0000000000000000-mapping.dmp

Download
memory/5888-366-0x0000000000000000-mapping.dmp

Download
memory/5908-349-0x0000000000000000-mapping.dmp

Download
memory/5952-357-0x0000000000000000-mapping.dmp

Download
memory/6012-368-0x0000000000402F68-mapping.dmp

Download
memory/6028-364-0x0000000000000000-mapping.dmp

Download
memory/6076-359-0x0000000000000000-mapping.dmp

Download
memory/6088-369-0x0000000000000000-mapping.dmp

Download
memory/6124-360-0x0000000000000000-mapping.dmp

Download
memory/6140-367-0x0000000000402F68-mapping.dmp

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads