3392133e65749a7f84242e168390084c45b7739b6931921e9d138ccf67dd3678

Analysis

max time kernel
281s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-05-2023 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mGBA-0.10.2-win64-installer.exe
Size

15.3MB
MD5

818f3b5e496c9911e8e1da06a9be6205
SHA1

99d075c78516bbe18c14ae5d9354ec3ace8be5dc
SHA256

3392133e65749a7f84242e168390084c45b7739b6931921e9d138ccf67dd3678
SHA512

d5e5657bcccfae3a726e28f2dfc0c192926adaeca866dcd40af50a6fe933412558cd7b8f7913abf91e59bde8cd9ca0ef78c44b59cbfc7b946c959408aa198244
SSDEEP

393216:tVDNiNedpAm8BUEImw8NMtOymsNMy8E54n0UC2/mIT5:ttNiNed2M0u7Z8mUjDT5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

mGBA-0.10.2-win64-installer.tmpmGBA.exe

pid process

1280 mGBA-0.10.2-win64-installer.tmp
1240 mGBA.exe

pid	process
1280	mGBA-0.10.2-win64-installer.tmp
1240	mGBA.exe

Loads dropped DLL 12 IoCs

Processes:

mGBA-0.10.2-win64-installer.exemGBA-0.10.2-win64-installer.tmp

pid	process
1740	mGBA-0.10.2-win64-installer.exe
1280	mGBA-0.10.2-win64-installer.tmp
1280	mGBA-0.10.2-win64-installer.tmp
1368
1368
1368
1368
1368
1368
1280	mGBA-0.10.2-win64-installer.tmp
1368
1368

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 52 IoCs

Processes:

mGBA-0.10.2-win64-installer.tmp

description	ioc	process
File created	C:\Program Files\mGBA\unins000.dat	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\vignette.shader\is-A8GO9.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\xbr-lv2.shader\is-G90FA.tmp	mGBA-0.10.2-win64-installer.tmp
File opened for modification	C:\Program Files\mGBA\mGBA.exe	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-8D9OO.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\agb001.shader\is-FC3F0.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\scale2x.shader\is-843MV.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\licenses\is-80D9I.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\lcd.shader\is-TCSOE.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\scale4x.shader\is-06L78.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\scanlines.shader\is-OJB57.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\vba_pixelate.shader\is-R3FQO.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\xbr-lv3.shader\is-O98VO.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\licenses\is-DPVKK.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\licenses\is-IVFS3.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-B3M7V.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-T681R.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\fish.shader\is-CNGT9.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\gba-color.shader\is-F9CLL.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\vignette.shader\is-9OQRL.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\wiiu.shader\is-1VFTV.tmp	mGBA-0.10.2-win64-installer.tmp
File opened for modification	C:\Program Files\mGBA\unins000.dat	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\agb001.shader\is-3R4MS.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\ags001.shader\is-P8TKP.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\fish.shader\is-SA8VL.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\lcd.shader\is-L10Q3.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\pixelate.shader\is-423C1.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\licenses\is-MP7VH.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\licenses\is-G3P2B.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-1S8JB.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-8GLUC.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\gba-color.shader\is-AT44M.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\motion_blur.shader\is-7TFGC.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\scale2x.shader\is-O5UP5.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\soften.shader\is-QRL1F.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\xbr-lv2.shader\is-R6NEQ.tmp	mGBA-0.10.2-win64-installer.tmp
File opened for modification	C:\Program Files\mGBA\mgba-sdl.exe	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\motion_blur.shader\is-B2O99.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\soften.shader\is-KNBVI.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\tv-mode.shader\is-8OKQS.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\vba_pixelate.shader\is-OV9KF.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\wiiu.shader\is-FDLTL.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-8GOS4.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\is-D518S.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\ags001.shader\is-F792V.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\ags001.shader\is-8I8F2.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\scale4x.shader\is-CLFPA.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\scanlines.shader\is-1A5O7.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\tv-mode.shader\is-0832B.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\xbr-lv2.shader\is-VV6F0.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\xbr-lv3.shader\is-TTKEM.tmp	mGBA-0.10.2-win64-installer.tmp
File created	C:\Program Files\mGBA\shaders\xbr-lv3.shader\is-4GG1K.tmp	mGBA-0.10.2-win64-installer.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9D4F9DA1-FDA1-11ED-B99D-D28FF4BEF639} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 32 IoCs

Processes:

mGBA-0.10.2-win64-installer.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\shell\open\command	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\shell	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\DefaultIcon	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\shell\open\command	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\DefaultIcon	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\shell\open\command\ = "\"C:\\Program Files\\mGBA\\mGBA.exe\" \"%1\""	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\shell\open\command\ = "\"C:\\Program Files\\mGBA\\mGBA.exe\" \"%1\""	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\ = "Super Game Boy ROM"	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\shell\open\command\ = "\"C:\\Program Files\\mGBA\\mGBA.exe\" \"%1\""	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\DefaultIcon\ = "C:\\Program Files\\mGBA\\mGBA.exe,0"	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\shell\open	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\DefaultIcon\ = "C:\\Program Files\\mGBA\\mGBA.exe,0"	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\shell\open	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\ = "Game Boy ROM"	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\DefaultIcon\ = "C:\\Program Files\\mGBA\\mGBA.exe,0"	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\shell\open\command	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\shell\open	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\shell\open	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\ = "Game Boy Advance ROM"	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\shell	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\DefaultIcon	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\shell	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\shell\open\command	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\shell	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gb\shell\open\command\ = "\"C:\\Program Files\\mGBA\\mGBA.exe\" \"%1\""	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba\DefaultIcon	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.gbc\ = "Game Boy Color ROM"	mGBA-0.10.2-win64-installer.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sgb\DefaultIcon\ = "C:\\Program Files\\mGBA\\mGBA.exe,0"	mGBA-0.10.2-win64-installer.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gba	mGBA-0.10.2-win64-installer.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

mGBA.exe

pid process

1240 mGBA.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

mGBA-0.10.2-win64-installer.tmp

pid process

1280 mGBA-0.10.2-win64-installer.tmp
1280 mGBA-0.10.2-win64-installer.tmp
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

mGBA.exe

pid process

1240 mGBA.exe

pid	process
1240	mGBA.exe

pid	process
1280	mGBA-0.10.2-win64-installer.tmp
1280	mGBA-0.10.2-win64-installer.tmp

pid	process
1240	mGBA.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1380	AUDIODG.EXE
Token: 33	1380	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1380	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

mGBA-0.10.2-win64-installer.tmpiexplore.exe

pid process

1280 mGBA-0.10.2-win64-installer.tmp
1692 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

mGBA.exeiexplore.exeIEXPLORE.EXE

pid process

1240 mGBA.exe
1240 mGBA.exe
1692 iexplore.exe
1692 iexplore.exe
1240 mGBA.exe
280 IEXPLORE.EXE
280 IEXPLORE.EXE

pid	process
1280	mGBA-0.10.2-win64-installer.tmp
1692	iexplore.exe

pid	process
1240	mGBA.exe
1240	mGBA.exe
1692	iexplore.exe
1692	iexplore.exe
1240	mGBA.exe
280	IEXPLORE.EXE
280	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

mGBA-0.10.2-win64-installer.exemGBA-0.10.2-win64-installer.tmpiexplore.exe

description	pid	process	target process
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1740 wrote to memory of 1280	1740	mGBA-0.10.2-win64-installer.exe	mGBA-0.10.2-win64-installer.tmp
PID 1280 wrote to memory of 1692	1280	mGBA-0.10.2-win64-installer.tmp	iexplore.exe
PID 1280 wrote to memory of 1692	1280	mGBA-0.10.2-win64-installer.tmp	iexplore.exe
PID 1280 wrote to memory of 1692	1280	mGBA-0.10.2-win64-installer.tmp	iexplore.exe
PID 1280 wrote to memory of 1692	1280	mGBA-0.10.2-win64-installer.tmp	iexplore.exe
PID 1280 wrote to memory of 1836	1280	mGBA-0.10.2-win64-installer.tmp	NOTEPAD.EXE
PID 1280 wrote to memory of 1836	1280	mGBA-0.10.2-win64-installer.tmp	NOTEPAD.EXE
PID 1280 wrote to memory of 1836	1280	mGBA-0.10.2-win64-installer.tmp	NOTEPAD.EXE
PID 1280 wrote to memory of 1836	1280	mGBA-0.10.2-win64-installer.tmp	NOTEPAD.EXE
PID 1280 wrote to memory of 1240	1280	mGBA-0.10.2-win64-installer.tmp	mGBA.exe
PID 1280 wrote to memory of 1240	1280	mGBA-0.10.2-win64-installer.tmp	mGBA.exe
PID 1280 wrote to memory of 1240	1280	mGBA-0.10.2-win64-installer.tmp	mGBA.exe
PID 1280 wrote to memory of 1240	1280	mGBA-0.10.2-win64-installer.tmp	mGBA.exe
PID 1692 wrote to memory of 280	1692	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 280	1692	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 280	1692	iexplore.exe	IEXPLORE.EXE
PID 1692 wrote to memory of 280	1692	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\mGBA-0.10.2-win64-installer.exe
"C:\Users\Admin\AppData\Local\Temp\mGBA-0.10.2-win64-installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\is-0PVSS.tmp\mGBA-0.10.2-win64-installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0PVSS.tmp\mGBA-0.10.2-win64-installer.tmp" /SL5="$70126,15026443,876032,C:\Users\Admin\AppData\Local\Temp\mGBA-0.10.2-win64-installer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1280

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\mGBA\README.html
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:280

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\mGBA\CHANGES.txt
3⤵
PID:1836

C:\Program Files\mGBA\mGBA.exe
"C:\Program Files\mGBA\mGBA.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\mGBA\CHANGES.txt
Filesize
98KB

MD5
3b378295f7e9a4fe3d01969e00ad3cf2

SHA1
768941f185913767282dd69057720f87a1faa87c

SHA256
2dc4d9da0aaf8c1a23ff2e49632aed3fe21128f98100ef9a0e82a0f7a2fa2308

SHA512
bc96e62180857c3de91281487adfd0a1d0370529314af2d6ca9ca552b5360f2ff49129cab5a724e910030ccd0fb9e34a96783753ab2f146463c7be2f02d024f8

Download Submit
C:\Program Files\mGBA\README.html
Filesize
14KB

MD5
eba6ef85acfde22aa764dbdad65ff861

SHA1
5577d7bd24282e3477da83699081ab8791420653

SHA256
85c27a644f1e4bfd1bb50a7dad3b234ddafca3c4b0cb97b089870d963a77d8aa

SHA512
94b04405534572478bc01bad787eb71e7e52e2c0285bc5f7ce8335f05ba8152499fc53a1a8480c26e2f54b1af6b00eb67f82d23d3a16fc5aa1d02affaa109050

Download Submit
C:\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
C:\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
C:\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
C:\Program Files\mGBA\nointro.dat
Filesize
1.9MB

MD5
6e2845be175763739a9122a8e5b6330b

SHA1
5e4b5cc17914ef1fb686468abf3234c471758fc8

SHA256
0534ba4c13ce813a9fd0d62bbaa1c34910c53981d4a26d3047dba7a83ad2c57c

SHA512
8220dd26428e801bb75dc83215d42319b696d88b5737892a1f4eb401142e47b812b2734df94c118fc4f01369581d3aed6215be8274dbc9c4393021b51262f3c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0PVSS.tmp\mGBA-0.10.2-win64-installer.tmp
Filesize
3.1MB

MD5
7e0f22cff7a0cf15d734aad2c28c4f8b

SHA1
2ed8f9754145f6331160fdcd699b6a7adbcb3624

SHA256
346b1872d7fd3e10693932685012cd8674f5c78574099d55964cf3596baa51d9

SHA512
fcf3276223fd14ae13c74c218278cedd465f81ee060e59c787e50fa30f03ef18bbc35cb47ff415d7d4c455924faf3c512554254c09aedda6bc547532e821b4db

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0PVSS.tmp\mGBA-0.10.2-win64-installer.tmp
Filesize
3.1MB

MD5
7e0f22cff7a0cf15d734aad2c28c4f8b

SHA1
2ed8f9754145f6331160fdcd699b6a7adbcb3624

SHA256
346b1872d7fd3e10693932685012cd8674f5c78574099d55964cf3596baa51d9

SHA512
fcf3276223fd14ae13c74c218278cedd465f81ee060e59c787e50fa30f03ef18bbc35cb47ff415d7d4c455924faf3c512554254c09aedda6bc547532e821b4db

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Program Files\mGBA\mGBA.exe
Filesize
40.8MB

MD5
13e00df982bc412ad7b6c27edc417e58

SHA1
f80142741f533f4cd9a1987f137611cc1282d3a2

SHA256
94484216159683d03d2dc696f0ecc60c8eda462cba4ca6f44d1e3ca6a0405151

SHA512
8011d8a395e7fafa8dcaa170d13b4a505430efa56e779722c37a70dee8b0936cddfc883a4f916d04eab5ad3a3ad25c25bd13e8757da30dad9a580ae08b6e0eb3

Download Submit
\Users\Admin\AppData\Local\Temp\is-0PVSS.tmp\mGBA-0.10.2-win64-installer.tmp
Filesize
3.1MB

MD5
7e0f22cff7a0cf15d734aad2c28c4f8b

SHA1
2ed8f9754145f6331160fdcd699b6a7adbcb3624

SHA256
346b1872d7fd3e10693932685012cd8674f5c78574099d55964cf3596baa51d9

SHA512
fcf3276223fd14ae13c74c218278cedd465f81ee060e59c787e50fa30f03ef18bbc35cb47ff415d7d4c455924faf3c512554254c09aedda6bc547532e821b4db

Download Submit
memory/1240-237-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-240-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-247-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-246-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-245-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-244-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-212-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1240-243-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-242-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-241-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-217-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1240-218-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1240-239-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-220-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-225-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-228-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1240-229-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/1240-234-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-235-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1240-236-0x000000013F710000-0x00000001422B6000-memory.dmp

Filesize
43.6MB

Download
memory/1280-85-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1280-65-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1280-83-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1280-199-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1280-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1280-64-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1280-208-0x0000000000400000-0x0000000000725000-memory.dmp

Filesize
3.1MB

Download
memory/1740-54-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1740-216-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/1740-63-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download