90c72f3e02ae7a7811e1c73e1694ab2a89df2a960d858acc4230c025d2e63010

Resubmissions

21/04/2023, 18:03

230421-wnchfshb99 10

15/04/2023, 20:14

230415-yzz41ahb5z 10

Analysis

max time kernel
504s
max time network
508s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
21/04/2023, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Build 29.exe
Size

1000KB
MD5

5e2555aafd40aa3759356ba7d0d4bf94
SHA1

7a0efbc6eced21266b4dde7917b56786bbff4d72
SHA256

90c72f3e02ae7a7811e1c73e1694ab2a89df2a960d858acc4230c025d2e63010
SHA512

806e44614c0277ea069024243a2e3f17a66236ad9c6764c632689027d406f844c8d4c06a764e03bd4e65d77de595894e8e4df4f8ed9edcc8017629ade701f85e
SSDEEP

24576:pLllLl7CEtNeO/zwj6WM1ZfBelVVqCC1iMs16AQ:BllLtg8nWKG0CCb0XQ

Score

10^/10

evasion ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Build 29.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\assets\\wallpaper.jpg"	wscript.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\winnt32\Payloads\controller.vbs	wscript.exe
File created	C:\Windows\winnt32\Payloads\files\keyboard.vbs	wscript.exe
File created	C:\Windows\winnt32\winnt32.exe	wscript.exe
File created	C:\Windows\winnt32\disabletaskmgr.vbs	wscript.exe
File created	C:\Windows\winnt32\main.cmd	wscript.exe
File opened for modification	C:\Windows\winnt32\create.vbs	wscript.exe
File created	C:\Windows\winnt32\NOTIFY.vbs	wscript.exe
File created	C:\Windows\winnt32\Payloads\files\web.vbs	wscript.exe
File created	C:\Windows\winnt32\run.cmd	wscript.exe
File created	C:\Windows\winnt32\run.exe	wscript.exe
File created	C:\Windows\winnt32\create.vbs	wscript.exe
File created	C:\Windows\winnt32\noexecution.vbs	wscript.exe
File created	C:\Windows\winnt32\Payloads\files\mouse.vbs	wscript.exe
File created	C:\Windows\winnt32\disableregedit.vbs	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4144	schtasks.exe
4960	schtasks.exe
3932	schtasks.exe

Kills process with taskkill 49 IoCs

evasion

pid	Process
6824	taskkill.exe
6248	taskkill.exe
4992	taskkill.exe
5932	taskkill.exe
5300	taskkill.exe
5212	taskkill.exe
4676	taskkill.exe
4300	taskkill.exe
1996	taskkill.exe
1600	taskkill.exe
4012	taskkill.exe
5812	taskkill.exe
6112	taskkill.exe
60	taskkill.exe
1116	taskkill.exe
1188	taskkill.exe
5576	taskkill.exe
6120	taskkill.exe
6628	taskkill.exe
3020	taskkill.exe
6684	taskkill.exe
1320	taskkill.exe
3964	taskkill.exe
2616	taskkill.exe
4628	taskkill.exe
5632	taskkill.exe
6388	taskkill.exe
7096	taskkill.exe
6788	taskkill.exe
5480	taskkill.exe
5604	taskkill.exe
4856	taskkill.exe
1408	taskkill.exe
6068	taskkill.exe
836	taskkill.exe
800	taskkill.exe
6732	taskkill.exe
1000	taskkill.exe
4672	taskkill.exe
3776	taskkill.exe
5916	taskkill.exe
404	taskkill.exe
412	taskkill.exe
2044	taskkill.exe
6504	taskkill.exe
468	taskkill.exe
5560	taskkill.exe
5656	taskkill.exe
1416	taskkill.exe

Modifies Control Panel 33 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonShadow = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Menu = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\MenuBar = "255 0 0"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\InfoText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\WindowText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ActiveBorder = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\GradientActiveTitle = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Hilight = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\InactiveTitleText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonFace = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\GradientInactiveTitle = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\MenuHilight = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\WindowFrame = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\GrayText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\HilightText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Window = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\AppWorkspace = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonAlternateFace = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\InactiveTitle = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\TitleText = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\HotTrackingColor = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\InactiveBorder = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\InfoWindow = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\MenuText = "255 0 0"	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Background = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonDkShadow = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonHilight = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ActiveTitle = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\ButtonLight = "255 0 0"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Colors\Scrollbar = "255 0 0"	wscript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	Build 29.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1980	reg.exe

Runs regedit.exe 1 IoCs

pid	Process
1324	regedit.exe

Suspicious behavior: AddClipboardFormatListener 38 IoCs

pid	Process
3312	vlc.exe
4736	vlc.exe
464	vlc.exe
1384	vlc.exe
3732	vlc.exe
4672	vlc.exe
4124	vlc.exe
3728	vlc.exe
1988	vlc.exe
2912	vlc.exe
3868	vlc.exe
4420	vlc.exe
4016	vlc.exe
956	vlc.exe
1648	vlc.exe
4600	vlc.exe
2148	vlc.exe
4728	vlc.exe
4284	vlc.exe
3416	vlc.exe
2356	vlc.exe
5196	vlc.exe
5148	vlc.exe
5172	vlc.exe
5324	vlc.exe
5336	vlc.exe
5160	vlc.exe
5548	vlc.exe
5748	vlc.exe
5908	vlc.exe
6032	vlc.exe
4408	vlc.exe
6476	vlc.exe
6616	vlc.exe
6644	vlc.exe
6596	vlc.exe
6912	vlc.exe
7016	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3312	vlc.exe
4736	vlc.exe
464	vlc.exe
2528	wscript.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	1416	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	60	Conhost.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	404	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	2044	taskkill.exe
Token: SeDebugPrivilege	4856	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	5212	taskkill.exe
Token: SeDebugPrivilege	1996	Conhost.exe
Token: SeDebugPrivilege	6068	taskkill.exe
Token: SeDebugPrivilege	5576	taskkill.exe
Token: SeDebugPrivilege	5916	taskkill.exe
Token: SeDebugPrivilege	6120	taskkill.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	6388	taskkill.exe
Token: SeDebugPrivilege	6824	taskkill.exe
Token: SeDebugPrivilege	6628	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	6684	taskkill.exe
Token: SeDebugPrivilege	6248	taskkill.exe
Token: SeDebugPrivilege	6788	taskkill.exe
Token: SeDebugPrivilege	468	taskkill.exe
Token: SeDebugPrivilege	7096	taskkill.exe
Token: SeDebugPrivilege	6504	taskkill.exe
Token: SeDebugPrivilege	5560	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	5480	taskkill.exe
Token: SeDebugPrivilege	5604	taskkill.exe
Token: SeDebugPrivilege	5656	taskkill.exe
Token: SeDebugPrivilege	5932	taskkill.exe
Token: SeDebugPrivilege	5812	taskkill.exe
Token: SeDebugPrivilege	5632	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	6732	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	6112	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3312	vlc.exe
3312	vlc.exe
4736	vlc.exe
4736	vlc.exe
4736	vlc.exe
464	vlc.exe
464	vlc.exe
464	vlc.exe
1384	vlc.exe
1384	vlc.exe
3732	vlc.exe
3732	vlc.exe
4284	vlc.exe
4284	vlc.exe
4728	vlc.exe
4728	vlc.exe
2148	vlc.exe
2148	vlc.exe
1988	vlc.exe
4672	vlc.exe
1988	vlc.exe
4672	vlc.exe
3416	vlc.exe
3416	vlc.exe
1648	vlc.exe
4600	vlc.exe
1648	vlc.exe
4600	vlc.exe
3868	vlc.exe
3868	vlc.exe
4016	vlc.exe
4016	vlc.exe
4124	vlc.exe
4124	vlc.exe
4420	vlc.exe
2912	vlc.exe
4420	vlc.exe
2912	vlc.exe
3728	vlc.exe
956	vlc.exe
3728	vlc.exe
956	vlc.exe
2356	vlc.exe
2356	vlc.exe
5160	vlc.exe
5160	vlc.exe
5148	vlc.exe
5148	vlc.exe
5324	vlc.exe
5324	vlc.exe
5172	vlc.exe
5172	vlc.exe
5196	vlc.exe
5196	vlc.exe
5548	vlc.exe
5336	vlc.exe
5548	vlc.exe
5336	vlc.exe
5748	vlc.exe
5748	vlc.exe
5908	vlc.exe
5908	vlc.exe
6032	vlc.exe
6032	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3312	vlc.exe
3312	vlc.exe
4736	vlc.exe
4736	vlc.exe
464	vlc.exe
464	vlc.exe
1384	vlc.exe
1384	vlc.exe
3732	vlc.exe
3732	vlc.exe
4284	vlc.exe
4284	vlc.exe
4728	vlc.exe
4728	vlc.exe
2148	vlc.exe
2148	vlc.exe
1988	vlc.exe
4672	vlc.exe
1988	vlc.exe
4672	vlc.exe
3416	vlc.exe
3416	vlc.exe
1648	vlc.exe
4600	vlc.exe
1648	vlc.exe
4600	vlc.exe
3868	vlc.exe
3868	vlc.exe
4016	vlc.exe
4016	vlc.exe
4124	vlc.exe
4124	vlc.exe
4420	vlc.exe
2912	vlc.exe
4420	vlc.exe
2912	vlc.exe
3728	vlc.exe
956	vlc.exe
3728	vlc.exe
956	vlc.exe
2356	vlc.exe
2356	vlc.exe
5160	vlc.exe
5160	vlc.exe
5148	vlc.exe
5148	vlc.exe
5324	vlc.exe
5324	vlc.exe
5172	vlc.exe
5172	vlc.exe
5196	vlc.exe
5196	vlc.exe
5548	vlc.exe
5548	vlc.exe
5336	vlc.exe
5336	vlc.exe
5748	vlc.exe
5748	vlc.exe
5908	vlc.exe
5908	vlc.exe
6032	vlc.exe
6032	vlc.exe
6644	vlc.exe
6644	vlc.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
3312	vlc.exe
4736	vlc.exe
464	vlc.exe
1384	vlc.exe
3732	vlc.exe
4672	vlc.exe
4124	vlc.exe
3728	vlc.exe
1988	vlc.exe
2912	vlc.exe
3868	vlc.exe
4420	vlc.exe
4016	vlc.exe
956	vlc.exe
1648	vlc.exe
4600	vlc.exe
4728	vlc.exe
4284	vlc.exe
3416	vlc.exe
2148	vlc.exe
2356	vlc.exe
5196	vlc.exe
5148	vlc.exe
5172	vlc.exe
5324	vlc.exe
5336	vlc.exe
5160	vlc.exe
5548	vlc.exe
5748	vlc.exe
5908	vlc.exe
6032	vlc.exe
4408	vlc.exe
6476	vlc.exe
6616	vlc.exe
6644	vlc.exe
6596	vlc.exe
6912	vlc.exe
7016	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1336	2148	Build 29.exe	84
PID 2148 wrote to memory of 1336	2148	Build 29.exe	84
PID 2148 wrote to memory of 1336	2148	Build 29.exe	84
PID 1336 wrote to memory of 3748	1336	WScript.exe	92
PID 1336 wrote to memory of 3748	1336	WScript.exe	92
PID 1336 wrote to memory of 3748	1336	WScript.exe	92
PID 1336 wrote to memory of 2884	1336	WScript.exe	94
PID 1336 wrote to memory of 2884	1336	WScript.exe	94
PID 1336 wrote to memory of 2884	1336	WScript.exe	94
PID 2884 wrote to memory of 880	2884	wscript.exe	95
PID 2884 wrote to memory of 880	2884	wscript.exe	95
PID 2884 wrote to memory of 880	2884	wscript.exe	95
PID 1336 wrote to memory of 1528	1336	WScript.exe	97
PID 1336 wrote to memory of 1528	1336	WScript.exe	97
PID 1336 wrote to memory of 1528	1336	WScript.exe	97
PID 1336 wrote to memory of 1800	1336	WScript.exe	99
PID 1336 wrote to memory of 1800	1336	WScript.exe	99
PID 1336 wrote to memory of 1800	1336	WScript.exe	99
PID 1336 wrote to memory of 1128	1336	WScript.exe	101
PID 1336 wrote to memory of 1128	1336	WScript.exe	101
PID 1336 wrote to memory of 1128	1336	WScript.exe	101
PID 1336 wrote to memory of 2556	1336	WScript.exe	104
PID 1336 wrote to memory of 2556	1336	WScript.exe	104
PID 1336 wrote to memory of 2556	1336	WScript.exe	104
PID 880 wrote to memory of 4728	880	cmd.exe	103
PID 880 wrote to memory of 4728	880	cmd.exe	103
PID 880 wrote to memory of 4728	880	cmd.exe	103
PID 1336 wrote to memory of 3556	1336	WScript.exe	105
PID 1336 wrote to memory of 3556	1336	WScript.exe	105
PID 1336 wrote to memory of 3556	1336	WScript.exe	105
PID 1336 wrote to memory of 1672	1336	WScript.exe	107
PID 1336 wrote to memory of 1672	1336	WScript.exe	107
PID 1336 wrote to memory of 1672	1336	WScript.exe	107
PID 1336 wrote to memory of 412	1336	WScript.exe	110
PID 1336 wrote to memory of 412	1336	WScript.exe	110
PID 1336 wrote to memory of 412	1336	WScript.exe	110
PID 1336 wrote to memory of 2756	1336	WScript.exe	112
PID 1336 wrote to memory of 2756	1336	WScript.exe	112
PID 1336 wrote to memory of 2756	1336	WScript.exe	112
PID 1128 wrote to memory of 5016	1128	cmd.exe	115
PID 1128 wrote to memory of 5016	1128	cmd.exe	115
PID 1128 wrote to memory of 5016	1128	cmd.exe	115
PID 1528 wrote to memory of 4560	1528	cmd.exe	114
PID 1528 wrote to memory of 4560	1528	cmd.exe	114
PID 1528 wrote to memory of 4560	1528	cmd.exe	114
PID 1800 wrote to memory of 2892	1800	cmd.exe	116
PID 1800 wrote to memory of 2892	1800	cmd.exe	116
PID 1800 wrote to memory of 2892	1800	cmd.exe	116
PID 4728 wrote to memory of 3932	4728	WScript.exe	117
PID 4728 wrote to memory of 3932	4728	WScript.exe	117
PID 4728 wrote to memory of 3932	4728	WScript.exe	117
PID 2556 wrote to memory of 3192	2556	Process not Found	119
PID 2556 wrote to memory of 3192	2556	Process not Found	119
PID 2556 wrote to memory of 3192	2556	Process not Found	119
PID 3556 wrote to memory of 2132	3556	cmd.exe	153
PID 3556 wrote to memory of 2132	3556	cmd.exe	153
PID 3556 wrote to memory of 2132	3556	cmd.exe	153
PID 2892 wrote to memory of 3312	2892	wscript.exe	121
PID 2892 wrote to memory of 3312	2892	wscript.exe	121
PID 2892 wrote to memory of 3312	2892	wscript.exe	121
PID 4560 wrote to memory of 3752	4560	wscript.exe	122
PID 4560 wrote to memory of 3752	4560	wscript.exe	122
PID 4560 wrote to memory of 3752	4560	wscript.exe	122
PID 1672 wrote to memory of 2528	1672	cmd.exe	123

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	wscript.exe

C:\Users\Admin\AppData\Local\Temp\Build 29.exe
"C:\Users\Admin\AppData\Local\Temp\Build 29.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\move.vbs"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\winnt32\create.vbs
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Windows\winnt32\create.vbs"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4728
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "Windows Security Service (WSS)" /sc onlogon /ru Admin /rl highest /tr "wscript.exe C:\Windows\winnt32\run.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3932
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/accent.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/accent.vbs
      4⤵
      Checks computer location settings
      Modifies Control Panel
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/wallpaper.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/wallpaper.vbs
      4⤵
      Checks computer location settings
      Sets desktop wallpaper using registry
      Modifies Control Panel
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" user32.dll,UpdatePerUserSystemParameters
        5⤵
        
        PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/disabletaskmgr.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1128
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/disabletaskmgr.vbs
      4⤵
      Checks computer location settings
      PID:5016
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\SysWOW64\Taskmgr.exe
        
        "C:\Windows\System32\Taskmgr.exe"
        5⤵
        
        PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/disableregedit.vbs
    3⤵
    PID:2556
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/disableregedit.vbs
      4⤵
      Checks computer location settings
      PID:3192
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im regedit.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\SysWOW64\regedit.exe
        
        "C:\Windows\System32\regedit.exe"
        5⤵
        Runs regedit.exe
        
        PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/filespam.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/filespam.vbs
      4⤵
      PID:2132
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/noexecution.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/noexecution.vbs
      4⤵
      Checks computer location settings
      Suspicious behavior: GetForegroundWindowSpam
      PID:2528
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im reg.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:1340
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im schtasks.exe
        5⤵
        Kills process with taskkill
        
        PID:60
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im regedit.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Taskmgr.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:2132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im RuntimeBroker.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4508
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im SIHClient.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im RuntimeBroker.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:2712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4404
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4704
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        
        PID:1996
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4140
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5212
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5392
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5576
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5712
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5996
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6068
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:3772
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6120
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5888
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6096
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4380
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6512
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6628
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6752
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6824
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5236
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:2124
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6684
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6848
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7096
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:1716
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6248
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5516
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6504
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6788
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6948
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6284
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4556
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5560
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4540
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6768
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:7100
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5604
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4692
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5656
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:3812
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5932
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:4648
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5812
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:2580
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5632
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6132
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6040
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6732
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5232
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5300
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:1500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im vlc.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6112
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:5052
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im MoUsoCoreWorker.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:3128
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im RuntimeBroker.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\system32\wscript.exe" C:\Windows\winnt32\NOTIFY.vbs
        5⤵
        
        PID:6104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c assets/lock.hta
    3⤵
    PID:412
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c wscript assets/lua.vbs
    3⤵
    PID:2756
  - - C:\Windows\SysWOW64\wscript.exe
      wscript assets/lua.vbs
      4⤵
      Checks computer location settings
      PID:3860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Query /FO CSV /NH /TN "lua.vbs"
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\wscript.exe
        
        "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\lua.vbs" /CreateTask
        5⤵
        UAC bypass
        Checks computer location settings
        Checks whether UAC is enabled
        System policy modification
        
        PID:2164
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC ONCE /TN "lua.vbs" /TR "wscript.exe \"C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\lua.vbs\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:4144
      - C:\Windows\SysWOW64\reg.exe
        
        "C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        Modifies registry key
        
        PID:1980
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /tn "Windows Security Service (WSS)" /sc onlogon /ru Admin /rl highest /tr "wscript.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\run.vbs"
        6⤵
        Creates scheduled task(s)
        
        PID:4960

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConfirmMove.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\JoinReset.m4a"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4736

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:464

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1384

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3868

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1648

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:956

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3416

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4728

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2356

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5196

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5336

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5324

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5172

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5160

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5148

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5548

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5748

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5908

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6032

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6476

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6616

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6596

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6644

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6912

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:7016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\accent.vbs

Filesize
2KB

MD5
6f63cb040631eaf11379f48c84db0c45

SHA1
f13f2cf56b726e5f16205505f7be09f5b5f0abe4

SHA256
eababbf9764a02c82fed6fb02279ed501caa82334480e1a3e515def5ab183076

SHA512
cf2cb6430b1b103fa09328f22603806744f0b2adb406addcff39d2ee9f388129c3fa6b19cfb40c3b851734fb828a7250c9bdb2efd952ca12433cc59f27f9f119

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\disableregedit.vbs

Filesize
557B

MD5
13e14305c9e6147fb03cc617cf7c21de

SHA1
a139b45d72dfb0806d2131a4bca3c64c0d032902

SHA256
72cd09c057c3e8f4502679ac58c477f9177089384409f93af723a6bb5cf3e4b6

SHA512
d62d1a2ae1a484355d1ed210457917b920bd92e674c4732e07d33a44b7e54d2ca7d1b93a4300e362dc5fcdc082edb7e387e77a5b627ff7118617ba6956721d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\disabletaskmgr.vbs

Filesize
551B

MD5
b1f2e196820905ba24ce44687e0622ab

SHA1
d1830d5960a8e6c4c1fe6120e45ee362c6015eb5

SHA256
5f2babe4f208ba37210d370f6bfa301873bf223994f6b75d0c5dd4304411b6e1

SHA512
0d178fe9e8612df36de685872757cffc7a85a728107bb00b5c36489738208a85afc66b48f33d9603141585f1440b28ba37aec638d8ede6f1006781c4b17b6c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\filespam.vbs

Filesize
648B

MD5
11bc6610e214e09e769476b5d1160b06

SHA1
05212577332d4166fe7d74f9be35ef95d13cd8ab

SHA256
032519e1b086e57a3131acae26fe336e4931eb344a8b640dbb18907c06785877

SHA512
f5448e28f3a92cfc2308fcaa8c8c41ba9b0eabe72f1e9ac8e52c0a49a4e076439f03c5218261ad84cc55dee550d25f23daee9c3cadf5e4c341163b8a14ed0c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\lua.vbs

Filesize
1KB

MD5
bfd5d34c9e0150abe035e0ffe97bf230

SHA1
294bd7a91a93f864803254c5a3b561786d3ea049

SHA256
31d30db3872d7f86ac7fae2e882eac5100ae0404fadba0846ffe0de95ff4a98c

SHA512
d6355bc4b6ea4542a56c70610ea56ec13dac5ca7242f44bcb16b6233b9666dc016ba1ba9f01c32e44e2c726e29189d55f8c4f338ef392d02312a072a43fc6049

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\move.vbs

Filesize
683B

MD5
b28595dd263d3588daa7b0af48bc54a7

SHA1
9b99e62edff53d4d1598e8e1d554f1f45b789dac

SHA256
040ad46ed6f9d38babffcb99a70291307dda79605f2e66de19935be6dea5fa78

SHA512
93536fb265bd8961e9794c3a82cc8545e7704432432d6a8596a3ee1cee7c4203a430aa581b16b2a47383dd3aa3fd3232e10e654e48f91d7291eb7d4ba1f359ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\noexecution.vbs

Filesize
1KB

MD5
646c51d14238c5b0bc834ae6fa892082

SHA1
80270799f10caa3b4eea579ac394ebd12858b9b2

SHA256
ed30559835994deb69050712342a71d2268f0bc3796b172be2ed1276eb1d3a11

SHA512
e41d6b2626ad88fdbe92755bf673029be7c1d1d407d8e828c0ed7284374bace261a24fd3fa5dfd0ddcee7bc15613040da4eda4b33749ffaaef8878148e75525d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\run.vbs

Filesize
13B

MD5
b0e7ecf4de2a4f52cd7d7467f4303980

SHA1
f3d9eabf8d75bf40970b012a6d1a55333ef82cfa

SHA256
879b81335ae8b36a68c8630095717f3b937bd02e3f46e2ad1d8129d6f74190a0

SHA512
5eb49e4099a153865751baeda7ed0064f21541d75e94b02ab493984e8c7cf909aa32ea953aa6e79b2b3785257cfec93c628f13d354ef103838d47c9669f6d7f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\wallpaper.vbs

Filesize
314B

MD5
e68c1c77515b1cd293edff0c6464894b

SHA1
c810e79433d0b5ea9068e2c8cb89df373aac05d0

SHA256
e33dcddef15590c301a35d73840857bfb48e82c7bf1a84d14f8d9dd289facff4

SHA512
d50e81dfea22d8d3e72cfe35f93518274138310aa6b58bf2ee6b9a3d8231173e4fdfd92e6b6902e258f16f60cd53cbd97634e28da763765e444143f19862a4fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\NOTIFY.vbs

Filesize
278B

MD5
63f9c18195cff5a156f72474002dced3

SHA1
562a55b912d32dd4c06d36bcbed8846bed3e6d50

SHA256
7e8c9eda7ff726f1c9c79eed3272ad9479aa4711731e0c6a14a90765c3d85fce

SHA512
f8cd16c91006c878239393e05acb9dc56f0025cac7184761a70a35575178d2fc53132967504466c9fc8af7afd78964ad704cc165a804be95cac5f2bfe0bb27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\Payloads\controller.vbs

Filesize
301B

MD5
ebadb2ab66b840df5e357a4d90d045f6

SHA1
17814aa6695eaf3873334bf13159a47114f496a0

SHA256
6737f36eb79f40a3f09e21cfae7ff470a3bad6ee4113ca4260f6305ed0c0a3b7

SHA512
0b6ccbca86873d8f2ead7d0d609d1c355316e580dfc1d7505d87ffd288ab16c90682866f1460ebb3a3b6969d7719edc0d787170ef48b970d42c528c23d85cb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\Payloads\files\keyboard.vbs

Filesize
324B

MD5
74bc797c1f089c14b9123ec32db15f55

SHA1
682447fa35f18d3cc8b48db35c51491f8eb1524b

SHA256
25d003af891ed63661240c4026970d95ced83f16f93852009aab82cd60b85766

SHA512
61cda93ab244ab8f47506efff413cb1a3d36b465f89fba70995bd5c432e3112c644d3141710d65aa6fb088cfc0d6c376509eef23c41cffe4c9d17d5e0a76ac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\Payloads\files\mouse.vbs

Filesize
1012B

MD5
bdb6f1ee08752fd52954246980540592

SHA1
342ab530ad7145ab87d6ecde1e51a42d78169baa

SHA256
f3e1f52c1448289fe671d24c7fb43c88185f8810803cd2a3a65cece18d473ca3

SHA512
1ebd63311d1535dffc2491e65984d6171226946cf353627448fa8804f75f153b6ad6521a7a9b36bc5b117e5370de39aee7cea0856d7a4efc4f452830c2dbda7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\Payloads\files\web.vbs

Filesize
2KB

MD5
c030b1380446596e199e5c1c9f3676b1

SHA1
17c1ede8a396d901308e37856980fcc256ac2b37

SHA256
fb77ae51f0cc65c8369999a34b79faf6d0842d77728e6a07a0aa63d97b9c8a9c

SHA512
cb9dc956ec464307d092ec5a1479ea46f68140e2a121ea242974e19374780443d40ecb49d66b087a8dc1babc678cd9b175922a68bc9db4c89e082fc6737bb71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\create.vbs

Filesize
364B

MD5
113bf1c19ca6794d8abe806f68a6c027

SHA1
ef087a17b8cbb4701a487c99e15696db3541c9ae

SHA256
564d5a92467424f9779dcbbf16a534e8f0b980dacc2bed352e65d3fed9cae6d2

SHA512
08985811849b3f8dbf9c7b1fd3a13541ce974de9c0e7570acaf00d5a768e30cd496ca6a5ada243a97bca426fff8a4914f4e199b4fbc6ba9c7b4c9c1201a2f792

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\disableregedit.vbs

Filesize
557B

MD5
13e14305c9e6147fb03cc617cf7c21de

SHA1
a139b45d72dfb0806d2131a4bca3c64c0d032902

SHA256
72cd09c057c3e8f4502679ac58c477f9177089384409f93af723a6bb5cf3e4b6

SHA512
d62d1a2ae1a484355d1ed210457917b920bd92e674c4732e07d33a44b7e54d2ca7d1b93a4300e362dc5fcdc082edb7e387e77a5b627ff7118617ba6956721d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\disabletaskmgr.vbs

Filesize
551B

MD5
b1f2e196820905ba24ce44687e0622ab

SHA1
d1830d5960a8e6c4c1fe6120e45ee362c6015eb5

SHA256
5f2babe4f208ba37210d370f6bfa301873bf223994f6b75d0c5dd4304411b6e1

SHA512
0d178fe9e8612df36de685872757cffc7a85a728107bb00b5c36489738208a85afc66b48f33d9603141585f1440b28ba37aec638d8ede6f1006781c4b17b6c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\main.cmd

Filesize
7B

MD5
cac0393ea755cef2c9c4a1de4ae2b7c9

SHA1
b76f1621fee955de910d2cc4d2ca4bcd4d7fa90d

SHA256
fdcfa4303a6d42883dcb9df611c4fb2da7053c7e28308be43fae800a73e4452f

SHA512
76bc553f851eada32556d64066094f03f26a735587f65d9cceb2b2197082b3a56d75e244b152a276c07d0abeef8102888b1934b4aed6b2769e579d690012c439

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\noexecution.vbs

Filesize
1KB

MD5
646c51d14238c5b0bc834ae6fa892082

SHA1
80270799f10caa3b4eea579ac394ebd12858b9b2

SHA256
ed30559835994deb69050712342a71d2268f0bc3796b172be2ed1276eb1d3a11

SHA512
e41d6b2626ad88fdbe92755bf673029be7c1d1d407d8e828c0ed7284374bace261a24fd3fa5dfd0ddcee7bc15613040da4eda4b33749ffaaef8878148e75525d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\run.cmd

Filesize
161B

MD5
359a01b70694d3ddc901d62321354f27

SHA1
20b872b35c68c0459c538e688ff015143b742ea9

SHA256
51bd209535ceabfc24e40a26ffad0b2b88cc0ace16640103f7cdf12dc4ebec19

SHA512
ac7db786908ef5e747b082fc29b5e30b40d059266002626f878e6e9f5a2861055a87f92a9b5c30b698178be52698b1067cf7ff5c7e8e323e78a16a7304e77752

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\run.exe

Filesize
184KB

MD5
c6dc3b3fded8cca8e6c7fb64861ab49b

SHA1
f411274067e521d274c5bdc3101deccc5aff944f

SHA256
e7389ceaeb6b3c4d5b3c39c0d02f170385b6f38642fde3d77dc0e0cbb90d632b

SHA512
19ba46e322206cadce46ac43a012bb10ffe3f45ce1fdced2647ee72a0f58e4beb57612aa03c93b8b33b6a18730b2accceb74ea910eafc7f19ef458990942c521

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\assets\winnt32\winnt32.exe

Filesize
184KB

MD5
9dbfbe925f2ef2a0999a5b2f1270648c

SHA1
3376886ec775ff5d2e7544a9108b4797d12756fb

SHA256
b97c4ae27e846835d88f355ca36a1cae597477dee89674512cf34b5bac5bbea8

SHA512
36dbb1fd6ec5234d15e2c2f46659e2836752cb26e8b4fe91d3dc3388b93df401f318dd5aaed331a4d0ab4990facf866c06341b5e381f97c7477cbc9f785d35e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.vbs

Filesize
1KB

MD5
c02b3bcd28445f5c3b9ed9b25dc31404

SHA1
d3a931edd156a47c0aa5bf39165fb5619717851b

SHA256
275ffd16d84887cf4cb684a11afc3f7366ea10187040758f40f2081a85d4a2c8

SHA512
182e42275cf42f1f372989c4eb6e29bd21fc7889d112075a1762930bf4e735ca32596870bd2a03860b147e0b84b51801478c36988fbea69ef1eb41a43858e7a3

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
54B

MD5
9b297b565a3ee63477c10be962cb4942

SHA1
2232a9e15d9672ba9a45f95a8d3a0721296678c6

SHA256
05c2aaf1643ee035ae5fdef7cdeb86e5dadb99d5661584d4c201e441294a5013

SHA512
eb1783029f5767b880231c27b53b8b2bafe7501b03a99471ba3c3ec2858430acb9b4df61906fd557ce9ec60f93a1a0ee9093bd7356492c01f5d332ebde7e89fe

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.Hp2148

Filesize
54B

MD5
9b297b565a3ee63477c10be962cb4942

SHA1
2232a9e15d9672ba9a45f95a8d3a0721296678c6

SHA256
05c2aaf1643ee035ae5fdef7cdeb86e5dadb99d5661584d4c201e441294a5013

SHA512
eb1783029f5767b880231c27b53b8b2bafe7501b03a99471ba3c3ec2858430acb9b4df61906fd557ce9ec60f93a1a0ee9093bd7356492c01f5d332ebde7e89fe

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
17B

MD5
b34ba4fd4a1d18bcb0cb454f3b8ec20e

SHA1
8af759dcddd4246bd6fc3ba0fc03fbba57977e9a

SHA256
febac83b607dce00b2b0361cf12f87b17e12bc62322b2e2cf42107e62385fffe

SHA512
cee25d25ca3cfd8e09ccee0305feb3029314d36b4f523fbe18435d1c372d6a78478c77b41d2abfaa7e63eebb8157851badc1ed62a4fdae605f0052747c5bd36d

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
16f0723b4c7351a8e9e21775909f99ef

SHA1
e23ab2c28aeeced0ef82e44adfb998570247446c

SHA256
13494e30e448249a4d241f9e340e583b56a10afad2ba51cc63738339591d6bae

SHA512
5725b60c221a1b8a565238d741e02e7330000f0ff77e1583d1c7a61da5fa6719701dee3f999e37459942da689011063e6a19bbd2469a64380b8bfb38fae7af4e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.lock

Filesize
18B

MD5
a46165028a957e5bb5aa44fd43df92b4

SHA1
68406a0be3ce085fcd8ba1ac2f833e5bd0c630e9

SHA256
5486900fd7dd91bb77ff4c70f30094aff474f75b584368948580b2710242b7e7

SHA512
b1309d96fde01d99431706f02680839e514904e2ca2db18f794e86874d3be3d23d8b7739ae8fbde7541a2d204ed4e767c59a6cbaf27b19aae3da84316af69798

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
93KB

MD5
478a4a09f4f74e97335cd4d5e9da7ab5

SHA1
3c4f1dc52a293f079095d0b0370428ec8e8f9315

SHA256
884b59950669842f3c45e6da3480cd9a553538b951fb155b435b48ff38683974

SHA512
e96719663cd264132a8e1ea8c3f8a148c778a0c68caa2468ba47629393605b197dd9e00efad91f389de9fcc77b04981a0cf87f785f3c645cdc9e4ebd98060ca1

Download Submit
C:\Users\Admin\Desktop\BCIDANROVCERLJDSYNCTKMMFICPEYC

Filesize
81B

MD5
669b102010a3bf4f4993c9adf20623ba

SHA1
72ba13c8e54d541998aed83158e098adea8a6c1c

SHA256
e9df24c12aef74cfbb8550aab603a1fbebb83755a4420bc425f2192c46a92352

SHA512
2f2e86be4654d904bb6405054bc245da81e733907a7a1732a97d5bb98014567d66d64dfcb99fa91dfb6fa26e546f4e2d08ae91c1cc132a56e46eb387630b6e3b

Download Submit
C:\Windows\winnt32\NOTIFY.vbs

Filesize
278B

MD5
63f9c18195cff5a156f72474002dced3

SHA1
562a55b912d32dd4c06d36bcbed8846bed3e6d50

SHA256
7e8c9eda7ff726f1c9c79eed3272ad9479aa4711731e0c6a14a90765c3d85fce

SHA512
f8cd16c91006c878239393e05acb9dc56f0025cac7184761a70a35575178d2fc53132967504466c9fc8af7afd78964ad704cc165a804be95cac5f2bfe0bb27bb

Download Submit
C:\Windows\winnt32\Payloads\controller.vbs

Filesize
301B

MD5
ebadb2ab66b840df5e357a4d90d045f6

SHA1
17814aa6695eaf3873334bf13159a47114f496a0

SHA256
6737f36eb79f40a3f09e21cfae7ff470a3bad6ee4113ca4260f6305ed0c0a3b7

SHA512
0b6ccbca86873d8f2ead7d0d609d1c355316e580dfc1d7505d87ffd288ab16c90682866f1460ebb3a3b6969d7719edc0d787170ef48b970d42c528c23d85cb3f

Download Submit
C:\Windows\winnt32\Payloads\files\keyboard.vbs

Filesize
324B

MD5
74bc797c1f089c14b9123ec32db15f55

SHA1
682447fa35f18d3cc8b48db35c51491f8eb1524b

SHA256
25d003af891ed63661240c4026970d95ced83f16f93852009aab82cd60b85766

SHA512
61cda93ab244ab8f47506efff413cb1a3d36b465f89fba70995bd5c432e3112c644d3141710d65aa6fb088cfc0d6c376509eef23c41cffe4c9d17d5e0a76ac97

Download Submit
C:\Windows\winnt32\Payloads\files\mouse.vbs

Filesize
1012B

MD5
bdb6f1ee08752fd52954246980540592

SHA1
342ab530ad7145ab87d6ecde1e51a42d78169baa

SHA256
f3e1f52c1448289fe671d24c7fb43c88185f8810803cd2a3a65cece18d473ca3

SHA512
1ebd63311d1535dffc2491e65984d6171226946cf353627448fa8804f75f153b6ad6521a7a9b36bc5b117e5370de39aee7cea0856d7a4efc4f452830c2dbda7e

Download Submit
C:\Windows\winnt32\Payloads\files\web.vbs

Filesize
2KB

MD5
c030b1380446596e199e5c1c9f3676b1

SHA1
17c1ede8a396d901308e37856980fcc256ac2b37

SHA256
fb77ae51f0cc65c8369999a34b79faf6d0842d77728e6a07a0aa63d97b9c8a9c

SHA512
cb9dc956ec464307d092ec5a1479ea46f68140e2a121ea242974e19374780443d40ecb49d66b087a8dc1babc678cd9b175922a68bc9db4c89e082fc6737bb71f

Download Submit
C:\Windows\winnt32\create.vbs

Filesize
364B

MD5
113bf1c19ca6794d8abe806f68a6c027

SHA1
ef087a17b8cbb4701a487c99e15696db3541c9ae

SHA256
564d5a92467424f9779dcbbf16a534e8f0b980dacc2bed352e65d3fed9cae6d2

SHA512
08985811849b3f8dbf9c7b1fd3a13541ce974de9c0e7570acaf00d5a768e30cd496ca6a5ada243a97bca426fff8a4914f4e199b4fbc6ba9c7b4c9c1201a2f792

Download Submit
C:\Windows\winnt32\disableregedit.vbs

Filesize
557B

MD5
13e14305c9e6147fb03cc617cf7c21de

SHA1
a139b45d72dfb0806d2131a4bca3c64c0d032902

SHA256
72cd09c057c3e8f4502679ac58c477f9177089384409f93af723a6bb5cf3e4b6

SHA512
d62d1a2ae1a484355d1ed210457917b920bd92e674c4732e07d33a44b7e54d2ca7d1b93a4300e362dc5fcdc082edb7e387e77a5b627ff7118617ba6956721d16

Download Submit
C:\Windows\winnt32\disabletaskmgr.vbs

Filesize
551B

MD5
b1f2e196820905ba24ce44687e0622ab

SHA1
d1830d5960a8e6c4c1fe6120e45ee362c6015eb5

SHA256
5f2babe4f208ba37210d370f6bfa301873bf223994f6b75d0c5dd4304411b6e1

SHA512
0d178fe9e8612df36de685872757cffc7a85a728107bb00b5c36489738208a85afc66b48f33d9603141585f1440b28ba37aec638d8ede6f1006781c4b17b6c02

Download Submit
C:\Windows\winnt32\noexecution.vbs

Filesize
1KB

MD5
646c51d14238c5b0bc834ae6fa892082

SHA1
80270799f10caa3b4eea579ac394ebd12858b9b2

SHA256
ed30559835994deb69050712342a71d2268f0bc3796b172be2ed1276eb1d3a11

SHA512
e41d6b2626ad88fdbe92755bf673029be7c1d1d407d8e828c0ed7284374bace261a24fd3fa5dfd0ddcee7bc15613040da4eda4b33749ffaaef8878148e75525d

Download Submit
memory/3312-751-0x00007FFEDAE10000-0x00007FFEDAE2B000-memory.dmp

Filesize
108KB

Download
memory/3312-770-0x00007FFED6610000-0x00007FFED67C2000-memory.dmp

Filesize
1.7MB

Download
memory/3312-741-0x00007FFEDAF40000-0x00007FFEDAF5D000-memory.dmp

Filesize
116KB

Download
memory/3312-742-0x00007FFEDAF20000-0x00007FFEDAF31000-memory.dmp

Filesize
68KB

Download
memory/3312-743-0x00007FFED6BF0000-0x00007FFED7C9B000-memory.dmp

Filesize
16.7MB

Download
memory/3312-744-0x00007FFED69F0000-0x00007FFED6BF0000-memory.dmp

Filesize
2.0MB

Download
memory/3312-746-0x00007FFEDAEB0000-0x00007FFEDAED1000-memory.dmp

Filesize
132KB

Download
memory/3312-745-0x00007FFEDAEE0000-0x00007FFEDAF1F000-memory.dmp

Filesize
252KB

Download
memory/3312-747-0x00007FFEDAE90000-0x00007FFEDAEA8000-memory.dmp

Filesize
96KB

Download
memory/3312-748-0x00007FFEDAE70000-0x00007FFEDAE81000-memory.dmp

Filesize
68KB

Download
memory/3312-749-0x00007FFEDAE50000-0x00007FFEDAE61000-memory.dmp

Filesize
68KB

Download
memory/3312-739-0x00007FFEDB530000-0x00007FFEDB547000-memory.dmp

Filesize
92KB

Download
memory/3312-750-0x00007FFEDAE30000-0x00007FFEDAE41000-memory.dmp

Filesize
68KB

Download
memory/3312-752-0x00007FFEDADF0000-0x00007FFEDAE01000-memory.dmp

Filesize
68KB

Download
memory/3312-754-0x00007FFEDACC0000-0x00007FFEDACF0000-memory.dmp

Filesize
192KB

Download
memory/3312-755-0x00007FFED7E00000-0x00007FFED7E67000-memory.dmp

Filesize
412KB

Download
memory/3312-753-0x00007FFEDACF0000-0x00007FFEDAD08000-memory.dmp

Filesize
96KB

Download
memory/3312-756-0x00007FFED7D90000-0x00007FFED7DFF000-memory.dmp

Filesize
444KB

Download
memory/3312-757-0x00007FFEDA900000-0x00007FFEDA911000-memory.dmp

Filesize
68KB

Download
memory/3312-758-0x00007FFED9D10000-0x00007FFED9D66000-memory.dmp

Filesize
344KB

Download
memory/3312-759-0x00007FFED7D60000-0x00007FFED7D88000-memory.dmp

Filesize
160KB

Download
memory/3312-760-0x00007FFED7D30000-0x00007FFED7D54000-memory.dmp

Filesize
144KB

Download
memory/3312-761-0x00007FFED7D10000-0x00007FFED7D27000-memory.dmp

Filesize
92KB

Download
memory/3312-762-0x00007FFED7CE0000-0x00007FFED7D03000-memory.dmp

Filesize
140KB

Download
memory/3312-763-0x00007FFED69D0000-0x00007FFED69E1000-memory.dmp

Filesize
68KB

Download
memory/3312-764-0x00007FFED69B0000-0x00007FFED69C2000-memory.dmp

Filesize
72KB

Download
memory/3312-765-0x00007FFED6980000-0x00007FFED69A1000-memory.dmp

Filesize
132KB

Download
memory/3312-766-0x00007FFED6960000-0x00007FFED6973000-memory.dmp

Filesize
76KB

Download
memory/3312-767-0x00007FFED6940000-0x00007FFED6952000-memory.dmp

Filesize
72KB

Download
memory/3312-768-0x00007FFED6800000-0x00007FFED693B000-memory.dmp

Filesize
1.2MB

Download
memory/3312-769-0x00007FFED67D0000-0x00007FFED67FC000-memory.dmp

Filesize
176KB

Download
memory/3312-740-0x00007FFEDAF60000-0x00007FFEDAF71000-memory.dmp

Filesize
68KB

Download
memory/3312-771-0x00007FFED65B0000-0x00007FFED660C000-memory.dmp

Filesize
368KB

Download
memory/3312-772-0x00007FFED6590000-0x00007FFED65A1000-memory.dmp

Filesize
68KB

Download
memory/3312-773-0x00007FFED64F0000-0x00007FFED6587000-memory.dmp

Filesize
604KB

Download
memory/3312-774-0x00007FFED64D0000-0x00007FFED64E2000-memory.dmp

Filesize
72KB

Download
memory/3312-775-0x00007FFED6290000-0x00007FFED64C1000-memory.dmp

Filesize
2.2MB

Download
memory/3312-776-0x00007FFED6170000-0x00007FFED6282000-memory.dmp

Filesize
1.1MB

Download
memory/3312-777-0x00007FFED6130000-0x00007FFED6165000-memory.dmp

Filesize
212KB

Download
memory/3312-779-0x00007FFED60E0000-0x00007FFED60F1000-memory.dmp

Filesize
68KB

Download
memory/3312-778-0x00007FFED6100000-0x00007FFED6125000-memory.dmp

Filesize
148KB

Download
memory/3312-780-0x00007FFED6070000-0x00007FFED60D1000-memory.dmp

Filesize
388KB

Download
memory/3312-781-0x00007FFED6050000-0x00007FFED6061000-memory.dmp

Filesize
68KB

Download
memory/3312-782-0x00007FFED6030000-0x00007FFED6042000-memory.dmp

Filesize
72KB

Download
memory/3312-783-0x00007FFED6010000-0x00007FFED6023000-memory.dmp

Filesize
76KB

Download
memory/3312-784-0x00007FFED5F70000-0x00007FFED600F000-memory.dmp

Filesize
636KB

Download
memory/3312-785-0x00007FFED5F50000-0x00007FFED5F61000-memory.dmp

Filesize
68KB

Download
memory/3312-786-0x00007FFED5E40000-0x00007FFED5F42000-memory.dmp

Filesize
1.0MB

Download
memory/3312-787-0x00007FFED5E20000-0x00007FFED5E31000-memory.dmp

Filesize
68KB

Download
memory/3312-788-0x00007FFED5E00000-0x00007FFED5E11000-memory.dmp

Filesize
68KB

Download
memory/3312-789-0x00007FFED5DE0000-0x00007FFED5DF1000-memory.dmp

Filesize
68KB

Download
memory/3312-790-0x00007FFED5DC0000-0x00007FFED5DD2000-memory.dmp

Filesize
72KB

Download
memory/3312-791-0x00007FFED5DA0000-0x00007FFED5DB8000-memory.dmp

Filesize
96KB

Download
memory/3312-792-0x00007FFED5D80000-0x00007FFED5D96000-memory.dmp

Filesize
88KB

Download
memory/3312-793-0x00007FFED5D50000-0x00007FFED5D79000-memory.dmp

Filesize
164KB

Download
memory/3312-795-0x00007FFED5D10000-0x00007FFED5D21000-memory.dmp

Filesize
68KB

Download
memory/3312-794-0x00007FFED5D30000-0x00007FFED5D42000-memory.dmp

Filesize
72KB

Download
memory/3312-796-0x00007FFED5CF0000-0x00007FFED5D01000-memory.dmp

Filesize
68KB

Download
memory/3312-738-0x00007FFEDB550000-0x00007FFEDB561000-memory.dmp

Filesize
68KB

Download
memory/3312-737-0x00007FFEE13C0000-0x00007FFEE13D7000-memory.dmp

Filesize
92KB

Download
memory/3312-736-0x00007FFEEA4E0000-0x00007FFEEA4F8000-memory.dmp

Filesize
96KB

Download
memory/3312-735-0x00007FFED85D0000-0x00007FFED8884000-memory.dmp

Filesize
2.7MB

Download
memory/3312-734-0x00007FFEDB650000-0x00007FFEDB684000-memory.dmp

Filesize
208KB

Download
memory/3312-733-0x00007FF6C3F50000-0x00007FF6C4048000-memory.dmp

Filesize
992KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads