e1b3ae8fc890c6588e5656f77ef2747ae7ddfc90b6530b240c0c5b9d0ab3ce8c

Analysis

max time kernel
159s
max time network
178s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
11-04-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dolphin-x64-5.0.exe
Size

18.4MB
MD5

eca48982effad82616f206f52336fe4b
SHA1

4d88af3572de650b0b7dccd92dc8de5854edfae6
SHA256

e1b3ae8fc890c6588e5656f77ef2747ae7ddfc90b6530b240c0c5b9d0ab3ce8c
SHA512

778755b2d12c703a2954882a4d333b7cb61ee7ed0482b5cb14c1cbc4b90c8b65f308944a2f9369a89fc54d163c613efc65adf70316c08d447183f65637fcb557
SSDEEP

393216:Y1qyjt4rPX8zs3XxdbHNemtqa7JhnurHTl0WcS4ENyQ4p9Jmm+:Y1qyZePX8khdbtecqa7JhnurHirhENys

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1432	DXSETUP.exe
1264	Dolphin.exe
1636	vc_redist.x64.exe
4628	vc_redist.x64.exe

Loads dropped DLL 64 IoCs

pid	Process
5080	dolphin-x64-5.0.exe
1432	DXSETUP.exe
1432	DXSETUP.exe
1264	Dolphin.exe
1432	DXSETUP.exe
1432	DXSETUP.exe
4628	vc_redist.x64.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe
5080	dolphin-x64-5.0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET526C.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SET526C.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSETUP.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Dolphin\Sys\GameSettings\GOYE69.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G4F.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GCF.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G3R.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GFG.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GZ2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GZLJ01.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G2B.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RLE.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RKS.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Lite\screenshot.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G6Q.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GKNEB2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GHN.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GIP.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GFZP01.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GML.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Lite\[email protected]	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\EAJ.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G5N.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\HAA.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RCP.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\EBK.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Shaders\Anaglyph\dubois-LCD-Amber-Blue.glsl	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WOT.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SL2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Shaders\auto_toon.glsl	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Blue\config.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Pink\[email protected]	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RB7.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SG8.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GGM.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GCL.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GCV.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RG6.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GD9.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Resources\[email protected]	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SKJ.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WZI.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GK7.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RG2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Shaders\Anaglyph\grayscale2.glsl	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WM8.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GFA.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\R7X.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GBK.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SOJ.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Pink\[email protected]	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\WID.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Resources\Platform_Wad.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\Themes\Clean Lite\play.png	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GS2.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\RO3.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\SHL.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GHL.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GT4.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GPO.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GSS.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GT6E70.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GTEE01.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GWT.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\G3E.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Sys\GameSettings\GH9.ini	dolphin-x64-5.0.exe
File created	C:\Program Files\Dolphin\Languages\pt\dolphin-emu.mo	dolphin-x64-5.0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DXError.log	DXSETUP.exe
File opened for modification	C:\Windows\Logs\DirectX.log	DXSETUP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Dolphin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Dolphin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Dolphin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Dolphin.exe
Key created	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Dolphin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Dolphin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3727096518-2913484142-3593445157-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Dolphin.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5080	dolphin-x64-5.0.exe
1264	Dolphin.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	2216	vssvc.exe
Token: SeRestorePrivilege	2216	vssvc.exe
Token: SeAuditPrivilege	2216	vssvc.exe
Token: SeBackupPrivilege	3612	srtasks.exe
Token: SeRestorePrivilege	3612	srtasks.exe
Token: SeSecurityPrivilege	3612	srtasks.exe
Token: SeTakeOwnershipPrivilege	3612	srtasks.exe
Token: SeBackupPrivilege	3612	srtasks.exe
Token: SeRestorePrivilege	3612	srtasks.exe
Token: SeSecurityPrivilege	3612	srtasks.exe
Token: SeTakeOwnershipPrivilege	3612	srtasks.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe
5980	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1264	Dolphin.exe
1264	Dolphin.exe
1264	Dolphin.exe
1264	Dolphin.exe
1264	Dolphin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 1432	5080	dolphin-x64-5.0.exe	73
PID 5080 wrote to memory of 1432	5080	dolphin-x64-5.0.exe	73
PID 5080 wrote to memory of 1432	5080	dolphin-x64-5.0.exe	73
PID 5080 wrote to memory of 1636	5080	dolphin-x64-5.0.exe	87
PID 5080 wrote to memory of 1636	5080	dolphin-x64-5.0.exe	87
PID 5080 wrote to memory of 1636	5080	dolphin-x64-5.0.exe	87
PID 1636 wrote to memory of 4628	1636	vc_redist.x64.exe	88
PID 1636 wrote to memory of 4628	1636	vc_redist.x64.exe	88
PID 1636 wrote to memory of 4628	1636	vc_redist.x64.exe	88
PID 5980 wrote to memory of 5996	5980	chrome.exe	91
PID 5980 wrote to memory of 5996	5980	chrome.exe	91
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 3244	5980	chrome.exe	92
PID 5980 wrote to memory of 5152	5980	chrome.exe	93
PID 5980 wrote to memory of 5152	5980	chrome.exe	93
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94
PID 5980 wrote to memory of 1820	5980	chrome.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe
"C:\Users\Admin\AppData\Local\Temp\dolphin-x64-5.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe
  "C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe" /silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe
  "C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe" /install /quiet /norestart
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{B6617FB8-04C2-425F-B168-40D1D9FDAC0B} {C6FC7C75-3B33-431E-8470-1696F452258C} 1636
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4592

C:\Program Files\Dolphin\Dolphin.exe
"C:\Program Files\Dolphin\Dolphin.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1264

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 00000000000302FA /startuptips
1⤵
PID:4640

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:2496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffcc83b9758,0x7ffcc83b9768,0x7ffcc83b9778
  2⤵
  PID:5996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1708,i,15600272873041873638,4179157927397237455,131072 /prefetch:2
  2⤵
  PID:3244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1912 --field-trial-handle=1708,i,15600272873041873638,4179157927397237455,131072 /prefetch:8
  2⤵
  PID:5152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1708,i,15600272873041873638,4179157927397237455,131072 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1708,i,15600272873041873638,4179157927397237455,131072 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1708,i,15600272873041873638,4179157927397237455,131072 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=1708,i,15600272873041873638,4179157927397237455,131072 /prefetch:1
  2⤵
  PID:5516

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Dolphin\Dolphin.exe

Filesize
14.9MB

MD5
9660ec7cddf093a1807cb25fe0946b8e

SHA1
5986661c62d689380476db238d7c18fa37d1b616

SHA256
19d5c382204d7e40a764e116967aec610f502b9be60b9d3b095073827aa93c66

SHA512
5213c828d4f0742c3cde59ceea7b111a1402779602f09fa5e898083b07f2860bb33119f97741bc049fefc0cd745879d22a12dc37ece8e0dd8b308dcc84079755

Download Submit
C:\Program Files\Dolphin\Languages\en\dolphin-emu.mo

Filesize
360B

MD5
5f2ef5689c1da7fa09327a955c501758

SHA1
b81399dfb95a2d41e3f171d80ce8d480ed7fb4dd

SHA256
a9f391648f8781c90a22cc9720d4013767afb8797efa2d4594ae119c73ad5c6d

SHA512
75d25371c0cbd9e210ef6104b973d5313ba623afb133e6fa971c15bd4da2ca56a038998998ab655d9f1c58ce2beb36d4d4e9b88f99fe94550a2d9843692019db

Download Submit
C:\Program Files\Dolphin\Languages\it\dolphin-emu.mo

Filesize
121KB

MD5
f00a5461ba0b2c95f801923fef70c266

SHA1
f7717e3f341e1b56c46407df643d4ac6dcc09885

SHA256
19c8af2231c12fe7969e63595f818baf9421542d1e4f3ea64ac2ff79352a6f12

SHA512
a9977db27df94510bc75ee961924804c59c0005b9bc9b8961d63b01359c72920a6a6f0f3b014c715f3b0c4208038deb65f114f83dee157422dc035b84a267315

Download Submit
C:\Program Files\Dolphin\Sys\Resources\Dolphin.png

Filesize
926B

MD5
9fe19b4e1a945054df212d0537618ed2

SHA1
e68049b826954e88bbdd2b485d6bdcc9394c0dfd

SHA256
2f6a49ce74b1049aa4062a6c376735bcb46f7e2a7de2aaf6850757f7be23b19a

SHA512
14041cf51e8870cf0fe2adfaf57da5a32e601fbcda223871b90b8c19a4ec66d4dee0f9cd56ae3ec013a5cfd0bc68e73de0a24c1886650fdd1a6b387f4a6693cf

Download Submit
C:\Program Files\Dolphin\Sys\Resources\toolbar_debugger_step_over.png

Filesize
988B

MD5
926a446e9de7d51c34ae548673386417

SHA1
5a0a2666b270eca354f1632de8f98fc966864d08

SHA256
85f27cf7d073c5931530c102d4c39ff731a3eb30c67d506c6626b0ad72f26539

SHA512
d5117a0a76c22b06aa91f7586f866387ad74b4962e569cab64d6abeb83d701c8b66331dc6193478f36faef616a95f404cb15a7a0b0b86f863c93ab09f908ea53

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\classic.png

Filesize
957B

MD5
5d754b21146c432a3903083533eb46a5

SHA1
0294dc29f57de4eb1a070fff9c75ccbc4b5dc180

SHA256
d951fb1bc62e3a193c130c3eb7f69f9a0ca4110935e26c2740e9a1e820a2d97c

SHA512
bc1446d82b8c459cfd8e237dec2a487ea84f4925cf065e9655653e8b691b97cd77fb2257c1a6aacc26ce6ae3559c8159a27e6e9f01eb4d4c2cd51cb048014d89

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\config.png

Filesize
311B

MD5
fee4d8eae163897c71c406d60c39714a

SHA1
76e338248fd1a4514cfb71cb96e3a5be23712c01

SHA256
03dcbbcf698c3e92d4adaac32e2c0932e4e79bbd4a637a93ba92fa30709686ac

SHA512
e168b9b897719e3cef7c6c422054ebb6c1fdf9ab2a5bab6933a78f1db217c59d1dc45aff0c8e894bade6b2d0b56d6499f8cc9ecfea5ff99422054007ff2b8398

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\fullscreen.png

Filesize
564B

MD5
7b263aa1cc8e5ca2b48ec974152b4aab

SHA1
1ed5a615966eccfeeea1cbbc17a837c491779592

SHA256
1e74d2a8cf28b75bad1bfb448c2c2bcaf17462a39c7b9e8dc52d648e0f491cc6

SHA512
019023f1dc4d983d11a0e876507118f9bab395921e0f8952985445ed5d9f4e204b77f0e0c91451f3bc0216933ff8f5cae8ba44a33d051636a4ee621e8a600041

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\graphics.png

Filesize
482B

MD5
0f898e3f88ba3083067cf99293ce9d26

SHA1
edf59f23e6fa0c3837066131dd3e2c3c59a121df

SHA256
42c2bd96aa24c949580a06848e31dfe69982b6e4f36f08c7d1aff242f2376776

SHA512
e3a03373997fa9a63f06793f77599121c35657ac39ae31a465712973b19eaff92cf610d8e7f302b929f438786c855a5b68a107ef6260537ad34ea4af6af377ff

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\open.png

Filesize
649B

MD5
23504875aa860db451ad0c04acaf12fb

SHA1
7097ec5e27ea877b91da329e0c64a5ccceb7c0c9

SHA256
f2de81c8579cc0486ad77c67dfa92b3a12248dc284836eadb80ea3a379c4c70c

SHA512
5e076f96f4b49b2a8c9b038095dbfd6f0cf9ba48e4506b6e2e0255221255d61ea84dcca9f455c5d77d4df105fd54eea223c4a021db647a4d46c248515a27902a

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\pause.png

Filesize
220B

MD5
d088a333312e9799215b91e0f00bc17f

SHA1
abcb3d36f01e2310bb431f9bcdfaa0b4d6716973

SHA256
d196e7d251765a6c80513e4f9fcbec406df8b117cfd913845a644b6fad4829ff

SHA512
157fe84e5272379be8460b71ccca289519db8629a6c98d4e84ab8dc772617ccbb71e8015fe17aa8d26fd73735875c267052e9b76ea646443ac5bb7752edc1800

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\play.png

Filesize
349B

MD5
1fcde5514eb0ad0e46a419019260ffd2

SHA1
a9483932c08d9d4573f24f328e385627a09d1460

SHA256
7baad4a2eba3a765a160e3866bbd2555ed6b2cb57f3187f36ff9a7897d779264

SHA512
fa028a59bca12c1b425bc2d7e56e528177de36918e64c6d052848248326c3351405bd206a42acffa05d3228b451cdde3db83c54717abac7eb73f3ef46a637a49

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\refresh.png

Filesize
781B

MD5
0ae9fd96fc7d5567ae3c4bf3c40a3a4a

SHA1
3f8f7fde1935e8b166ee4cd0c982926ae842b4c2

SHA256
d8762fc8ba1b8aa8b89f1d904d9c30d9f754b60b55b8552adc8924224d1096ff

SHA512
37d24fb81f8528efe2a1b843b64293837f6546f34a8088ad27607304724eec8075252efc60c55f1bc6b2df5eaa4dc9e098d0bc3d4f411aa0f21112b71d336b59

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\screenshot.png

Filesize
711B

MD5
11db70d22366386777c8b402f937d19a

SHA1
d39d8dc9522e8b7149122cc2d16f65b14b8ea506

SHA256
39955a49064f892619a1b82a34793cfc9f8383d70bacbddf91fe3437ce83df8c

SHA512
ee94a0707314ab73b780a364f91581e2a65c2062243773a66bb892f6762d82865a52f5599cf594510602e999fe7e8e241ce38b67250b24196a04a8eea93edc34

Download Submit
C:\Program Files\Dolphin\Sys\Themes\Clean\stop.png

Filesize
221B

MD5
1dcd10ed07bdfb5f5491da8f1fc53dac

SHA1
a7efa962a6ce5aefc7631e7bee6ad44c1b6cf612

SHA256
91962a22111c81099da4611f146af26e4d1b60df44b2e84cfbb67b23078a2eb9

SHA512
84571faac7c26c43067e63108eb57cec9e6417f8c91f9898cebb791155dc8d35ee022c7cb1edc5d75c0e8df14a535ed63387baa0a0d6bab8a8f5cbac5a595222

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\ec\shopsetu.log

Filesize
32B

MD5
70bc8f4b72a86921468bf8e8441dce51

SHA1
de8a847bff8c343d69b853a215e6ee775ef2ef96

SHA256
66687aadf862bd776c8fc18b8e9f8e20089714856ee233b3902a591d0d5f2925

SHA512
5046adc1dba838867b2bbbfdd0c3423e58b57970b5267a90f57960924a87f1960a6a85eaa642dac835424b5d7c8d637c00408c7a73da672b7f498521420b6dd3

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\sys\SYSCONF

Filesize
16KB

MD5
9473c879a5e51040e7a202b4538773a7

SHA1
3256c026284a24fb99d2ec1558d95db3b5dcc2e9

SHA256
a8ec1ec377ee3a3c93a27f74dadf9edf95112ce167fc23d1abdbeb4fa15eb179

SHA512
139dbb6648a1c8b7e5224e52ca8f8093f069b7d5f83e2b84099688b927eb77cb8445bc46f9da98ce56d3b883bfe8e38905b5e252c87a5295a334fc8b6890bff3

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\mbox\Readme.txt

Filesize
103B

MD5
5ed871ef86a282106e4881614d4aa843

SHA1
3e304bc6ee181eb787245690c3c723f7f2622b2e

SHA256
e5a888912968050c6c1d46d1c364c324684e1d15aaa62cfe36cf7fce2c687b21

SHA512
68bda6660f07b2203292ccceb41e7fb132baaf4bdc4db0a8b79f60ed9a60243140a1b5faae181848abd66053904ba28bcd9f8bda71d07594bf5c0eadc7a3f507

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\mbox\wc24recv.ctl

Filesize
32KB

MD5
59f19ca228e8c8cc7d227f620ac28326

SHA1
18cc21df587d9cd9302f38a00ed9a23d619f5673

SHA256
31f2c580b271f7c8bb98f4ed1deac3a89fd1c95089c7c4a7061466e2286cd964

SHA512
662eda56266cc3ef826327881865e32d758db1d5e6927f89ab5b395cf5a470e9bd563230ff3ace54deeb9befe881e08457a7e560986967c17a2a46a7086a8554

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\mbox\wc24recv.mbx

Filesize
48B

MD5
87a6fc7b9d7a069dce6049dc599213a4

SHA1
5aad884478da3c4495e033567c68e29bd8e9e783

SHA256
dd2ad8c9fb38884523459963bfaec5d5aeaa5fd20efcdc209764d461e690e435

SHA512
aa5e4117a761b164eb344cef1af360f6a036584d41138a97750f23eb4f5f23f7b8a41daca29c75201135898ab96ea5ab9a04d4916fa7d38fbfaf6d2316e141a8

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\mbox\wc24send.ctl

Filesize
16KB

MD5
22cff426c64ccd3e257debc67d5550d8

SHA1
8fcee88c8cf818e5d2a6a8ad0cc1c4168c93694e

SHA256
430c3795f1a0aeb198bf626a4a2ff6d123321d453807dd7b904dc3b74db35d13

SHA512
3a879504fa402f511c8f0b927f3bff1e2d4142a80f9961b4c6bdf13b52aab21cbac359b812de7b75d447347a4b8397f80e49e8a07b1a261d71af633a65515e63

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\mbox\wc24send.mbx

Filesize
48B

MD5
04dd38bd6f40bb7f68c1e71dc65ce4b8

SHA1
704a576c5f18a8ce4729f4dfc7f8814d6ac09802

SHA256
c248dc031ce09f7be1e55956b6f173e79d6a47d913c22a16593c4687325692b7

SHA512
ee934b94a2b4da98c1cdf7647686a65ce9fd0090f631a5fbd58ac5a850ca5dc4284b361010b4e1b7ecba0125b08ec12c148426b06f3bdd01e196642f9175f0e8

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\misc.bin

Filesize
1024B

MD5
09697a2bb22132b4b4a28f7e846037f5

SHA1
08509dd4567fa61baa2bae01ba8361e8ca439659

SHA256
13dd5b6b2682defd3b23afd8e2983d00edc25bd4dc28a8389380dee0ec45a4a5

SHA512
92ee5cf81dd89da157bd6ea1b189a755d9a46af7186d3c6b41bdc119edc1823735380cae7c4c76748411e0f4f6a1caccc016b454ac4454827107479df1bbbf26

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\nwc24dl.bin

Filesize
62KB

MD5
42372c6860eb0a0d108b08c502035337

SHA1
27d53b55779a0db2e76dea50f51e633a53609cd5

SHA256
057b6f840c19b41ce080318bc7e717e2b910965ce72ab781a7e319017636c38e

SHA512
ed355f425aa29d8be5eaa477cc1daacb8a0c83c707a7c49374640abbc1ace2defbe2bb21c12241643106e68fb8a44341c0482fb123ba8b6efb6de8a3d787f0ae

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\nwc24fl.bin

Filesize
32KB

MD5
deae3b73484ee178352e9d98e3fb5906

SHA1
472c670d701bd233bc03afe4c9f18e22a6fd15c1

SHA256
ed94af416c47ed3bc2c944ebcd1d734b8935d9697feb0f7039d8fea3ec514c18

SHA512
166225daf2fd97edadbc6b186a8930f81ba342d814d45d9c121e230b2b5e6c80896053f6782311199c2e76b4791532cdc7317adf431f61ab0f13a30deb47a18d

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\nwc24fls.bin

Filesize
12KB

MD5
76f1f47e4340fbee8171faf2a4bd8135

SHA1
c0bb6540f7f888bd60be958d7c1de3b221d51a33

SHA256
c3a4a5649d6ed2322a0de98d2258b96a6a1d3c0179854fd21e9835d529736822

SHA512
400ef8d777ef865da1249592075f158b5a977b1267e1d38a09e69b7d3f545d6e8e394a2c4cae532600a34823741d6fbb2ba1491a379ba7a68c73c4b02391710f

Download Submit
C:\Program Files\Dolphin\Sys\Wii\shared2\wc24\nwc24msg.cbk

Filesize
1024B

MD5
0c425c24e91335f18a3246b1d611a8ca

SHA1
caf8a96a36573d7e67f086f73fec675a5d1c4245

SHA256
7afebf33eeb0035397cc74e15e892e700cd2903641d26562f5d46cfbb6171109

SHA512
001e0d8dd5e5b2e2d8b8357bba7d8c20ac33dca3a6b7897f11a1f01f391118da4f457d5a5c6531eedabebd6883dcde0bb3526b97ed7b3357a7e6d768d9c322af

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX4992.tmp\apr2007_xinput_x64.inf

Filesize
860B

MD5
94563a3b9affb41d2bfd41a94b81e08d

SHA1
17cad981ef428e132aa1d571e0c77091e750e0dd

SHA256
0d6e1c0e961d878b319ac30d3439056883448dcf26774003b73920f3377ecac8

SHA512
53cac179d7e11c74772e7b9bd7dd94ffbc810cfc25e28326e4d0844f3f59fd10d9089b44a88358ac6dbd09fb8b456a0937778f78ecc442645764f693ccd620b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX4992.tmp\apr2007_xinput_x86.inf

Filesize
1KB

MD5
e188f534500688cec2e894d3533997b4

SHA1
f073f8515b94cb23b703ab5cdb3a5cfcc10b3333

SHA256
1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5

SHA512
332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX4992.tmp\dxupdate.inf

Filesize
12KB

MD5
e6a74342f328afa559d5b0544e113571

SHA1
a08b053dfd061391942d359c70f9dd406a968b7d

SHA256
93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

SHA512
1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX4992.tmp\xinput1_3.dll

Filesize
79KB

MD5
77f595dee5ffacea72b135b1fce1312e

SHA1
d2a710b332de3ef7a576e0aed27b0ae66892b7e9

SHA256
8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7

SHA512
a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\Apr2007_xinput_x64.cab

Filesize
94KB

MD5
743b333c2db3d4cf190fb39c29f3c346

SHA1
26b3616d7321978bd45656391a75ee231196a4a2

SHA256
e7a09f8235cc587cc63f583e39fbc75008d9677c8bb4dcc11cb8d0178a5153ac

SHA512
77fbdb86c79d7228bca2982a3285a417a365af980488a5ac2d470b532fa59fcc15e0e8dbee6eb1a3a5256fc29e0e3391529cd2ac13e0f72987ee0da136000957

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\Apr2007_xinput_x86.cab

Filesize
52KB

MD5
c234df417c9b12e2d31c7fd1e17e4786

SHA1
92f32e74944e5166db72d3bfe8e6401d9f7521dd

SHA256
2acea6c8b9f6f7f89ec51365a1e49fbd0d8c42c53418bd0783dbf3f74a744e6d

SHA512
6cbae19794533ad9401f92b10bd9549638ba20ce38375de4f9d0e20af20d78819e46856151cc6818325af9ac774b8128e18fbebd2da5da4efbd417fc2af51dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\DSETUP32.DLL

Filesize
1.5MB

MD5
d8fa7bb4fe10251a239ed75055dd6f73

SHA1
76c4bd2d8f359f7689415efc15e3743d35673ae8

SHA256
fb0e534f9b0926e518f1c2980640dfd29f14217cdfa37cf3a0c13349127ed9a8

SHA512
73f633179b1340c1c14d0002b72e44cab1919d0ef174f307e4bfe6de240b0b6ef233e67a8b0a0cd677556865ee7b88c6de152045a580ab9fbf1a50d2db0673b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\DXSETUP.exe

Filesize
505KB

MD5
bf3f290275c21bdd3951955c9c3cf32c

SHA1
9fd00f3bb8a870112dae464f555fcd5e7f9200c0

SHA256
8f47d7121ef6532ad9ad9901e44e237f5c30448b752028c58a9d19521414e40d

SHA512
d2c354ee8b6977d01f23c6d2bb4977812bf653eae25e7a75a7d0a36b588c89fcdbdc2a8087c24d6ff687afebd086d4b7d0c92203ce39691b21dab71eafd1d249

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\dsetup.dll

Filesize
93KB

MD5
eb701def7d0809e8da765a752ab42be5

SHA1
7897418f0fae737a3ebe4f7954118d71c6c8b426

SHA256
2a61679eeedabf7d0d0ac14e5447486575622d6b7cfa56f136c1576ff96da21f

SHA512
6ff8433c0dadc0e87d18f04289ab6f48624c908acbda506708f5e0f3c9522e9316e587e71f568938067ba9f37f96640b793fdfaa580caedc3bf9873dc221271f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dxredist\dxupdate.cab

Filesize
94KB

MD5
d495680aba28caafc4c071a6d0fe55ac

SHA1
5885ece90970eb10b6b95d6c52d934674835929e

SHA256
e18a5404b612e88fa8b403c9b33f064c0a89528db7ef9a79aa116908d0e6afed

SHA512
a25c647678661473b99462d7433c1d05af54823d404476e35315c11c93b3f5ece92c912560af0d9efe8f07e36ae68594362d73abf5d5de409a3f0a146fe31a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDE8B.tmp\System.dll

Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDE8B.tmp\ioSpecial.ini

Filesize
480B

MD5
dafacef75860b3dcac350412672a37dd

SHA1
b53a063718743af34e53bfe52b4bfccc9fa617f5

SHA256
7f676a9c80a8716671ca6d4f2b8c6a45d29e93f226d0e3bd6b319a8bb8ab839f

SHA512
0ae92c28566f9ae2833535fc3f85f43869c5380ba658887db78bbe7217224bd047ced58bdae4d58d78ad1c21f548b21c7d0c09de977866476ef97a8c63a83121

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfDE8B.tmp\ioSpecial.ini

Filesize
493B

MD5
e85a61d4ae0180d64c748f9bf76e3f63

SHA1
8b1475e640c29a3e381079f86ee7b3b5c5ed767b

SHA256
af8d405021f781237db3d59d315c3ac4df3036f19e79b54c4cdb5c4b82a53c85

SHA512
3a5a3d92a87e7f810ea77e4937fc6e77e4098d243b30cc07c6b748206e73ba0684bb3b2d5f79361ad36a318fb97100ac9f24600b7dbecffeda76210691529b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcredist\vc_redist.x64.exe

Filesize
14.1MB

MD5
883c499d04c145a69622f7658e353265

SHA1
bb64084762abd4a06b2fddd16f0092860bc3043f

SHA256
df58f4aa566a10776c864c1007e0ac0987835fa1e9f7445bed8ba21a9101d414

SHA512
ce840c9420e928c9da6c30c3cd97eeb047d34ee7046b8cfcd20b512fbddfe885329ab4db3ca53f7094bf1caeb600c834cb2db10797ceade859c21786144206c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\Documents\Dolphin Emulator\Config\Dolphin.ini

Filesize
2KB

MD5
9e1c3f444e62310f7af3cb57fd806b5e

SHA1
80dd9458ef2761f06a7ed6569e4fe8948533bb69

SHA256
35f6396baefd13e4b64b6dd0a897e2314327025f3abe69b57fe5384ebc672576

SHA512
be431f3af73a86cd236161d02a3f62f1714a63c56da0e6adaaca21830c4433d1fdcbc451c47fdc51375fcf9c0ebf91440e65aaa007206000bd2d6b38f9890105

Download Submit
C:\Users\Admin\Documents\Dolphin Emulator\Config\Dolphin.ini

Filesize
2KB

MD5
d30334932d4e87df2d2ba58a376767f3

SHA1
bcadfc2ff9060cce988f9beb003301b3962a6044

SHA256
378e2eaa681769962926c28ac078d7f9c53e3084420b1b59f84794dc36bc4ec4

SHA512
fbdd4f0fab6bd7a23ee13f0b4295a7bc231b9a64a481017922d7ed16d8d8506fd5d01cf2cb0e132ff28879471a778b24889ba2f465f5f203234ed8c6f9d21a22

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\Logs\DXError.log

Filesize
705B

MD5
522d6524d98e9ba65b956e2b2caa015f

SHA1
ac2a9010b7969571fb630962fba50a079937ef35

SHA256
a467fb93e42494a0fa085b059a67518382f900754fe38afa0e74c453e4a1005e

SHA512
1259c8e5b9e732af13869183053b8481b6b840b29ca8acb9dff7959bc45e2a5d933c5030a30a16aa6c8ff821419084c7e46dec111061edaac6d7e000ed54ef1d

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
474B

MD5
af790b99a5833895b5552bac17aa669c

SHA1
db1d1b5230fd9a31966d03ce7aa8497e577cc76b

SHA256
8d0ca4e780ae61ee95fd207c8e373daa90e34bd08dfdabef6a247e1e9e295030

SHA512
5d72aa249a783dc49fdf20a8641c843053fa8faf7d6d1f9cd2b258ed6c605d1cc0c7dc1128c2b915fca8b72941fb8b1d7d3174f50e5f01fc273ba6ebc6f8bc2e

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
42KB

MD5
18f26413492636b296b67c80ee9c04b1

SHA1
97d521fa714a2f06b19bb6b8a8594d525cdb1803

SHA256
11310481d2a618f08bb937bcb5ddd60260d3fde5b45643ea8d97464211933bec

SHA512
259b6d44d948629b9d71c5989c8c0f32073056b0f6bf47578feef4a8b8839614b45170e77bb0a3f346bec759d2017d6b3903881835f30cb20c02995bde267a45

Download Submit
\Program Files\Dolphin\OpenAL32.dll

Filesize
778KB

MD5
8091d616ce52e75e6631d785289bf168

SHA1
9b66bc99faa688c151e871bb5af27270889bdbf8

SHA256
0603c00bb8c96f6b4c88d20da4bd635ef41708f9963d4d139f53d3b28defd557

SHA512
64d67263c6438df30d57bb328e7f7c1f9251cddaaf8bde19ad77624b8cb6858d736f62e952ce665c12f73a55aa232d922ce9aa7ec660c1dec099b404def5cd01

Download Submit
\Users\Admin\AppData\Local\Temp\DX4992.tmp\dxupdate.dll

Filesize
173KB

MD5
7ed554b08e5b69578f9de012822c39c9

SHA1
036d04513e134786b4758def5aff83d19bf50c6e

SHA256
fb4f297e295c802b1377c6684734b7249d55743dfb7c14807bef59a1b5db63a2

SHA512
7af5f9c4a3ad5c120bcdd681b958808ada4d885d21aeb4a009a36a674ad3ece9b51837212a982db6142a6b5580e5b68d46971b802456701391ce40785ae6ebd9

Download Submit
\Users\Admin\AppData\Local\Temp\nsfDE8B.tmp\LangDLL.dll

Filesize
5KB

MD5
e447e49175c0db1f27888aede301084f

SHA1
f5946c743265cd8e81f3e7b6376dada57f99877f

SHA256
fd26ef21d72797fedecd3d15f2001cea793383aceb3cee19a5ae2a3d30e197b6

SHA512
e6543bf81bedce94a58f48cd6f9daaec891775e01ff76b771c22d459a778490f9bba0bebbf111b1ca3091b3ca69bca806a9b5e68ce12df03abbaa6ce5c4b7cec

Download Submit
\Users\Admin\AppData\Local\Temp\{dab68466-3a7d-41a8-a5cf-415e3ff8ef71}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
memory/1264-1688-0x000000006B600000-0x000000006B69F000-memory.dmp

Filesize
636KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads