436d0f9548a56b1623cbda9bf3615b27e9c2311cd2aa9f7e6a86d3b7809ac473

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
Size

13.2MB
MD5

edf56f261cc5db035cbc049883ab2948
SHA1

d72c70cea568ed844248362045221fc44d6b661a
SHA256

436d0f9548a56b1623cbda9bf3615b27e9c2311cd2aa9f7e6a86d3b7809ac473
SHA512

66ed6570a127387efa8b6399df5c19cc5524930048e9d10be6eeb1bd7ed29b7188a4b3b63028544dd3f95bef53b156fc789d9241ce0a1987fd25a5a1821a3f2f
SSDEEP

49152:zZxO2LUeuITSI3n4MJjfew99Tz4FUpV3E03HCnBTaXMdYrkTcz:zZxxnJfNj4FglEgUBTaXMmrg

Score

10^/10

discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/3044-12-0x0000000000400000-0x0000000000425000-memory.dmp	Nirsoft

Executes dropped EXE 64 IoCs

pid	Process
3044	Builderx.exe
2784	Builder.exe
2912	avguix.exe
2804	avguix.exe
2104	avguix.exe
2672	avguix.exe
2664	avguix.exe
836	avguix.exe
2792	avguix.exe
2508	avguix.exe
2568	avguix.exe
2128	avguix.exe
3016	avguix.exe
1712	avguix.exe
592	avguix.exe
520	avguix.exe
988	avguix.exe
1480	avguix.exe
572	avguix.exe
2844	avguix.exe
2840	avguix.exe
2880	avguix.exe
844	avguix.exe
1976	avguix.exe
1964	avguix.exe
2480	avguix.exe
1300	avguix.exe
1820	avguix.exe
2720	avguix.exe
2744	avguix.exe
1792	avguix.exe
1920	avguix.exe
1936	avguix.exe
1032	avguix.exe
2116	avguix.exe
2124	avguix.exe
756	avguix.exe
2936	avguix.exe
2136	avguix.exe
2220	avguix.exe
1420	avguix.exe
2376	avguix.exe
1356	avguix.exe
912	avguix.exe
1748	avguix.exe
2148	avguix.exe
2372	avguix.exe
2168	avguix.exe
1724	avguix.exe
1324	avguix.exe
1868	avguix.exe
112	avguix.exe
1020	avguix.exe
864	avguix.exe
1028	avguix.exe
2288	avguix.exe
1200	avguix.exe
2268	avguix.exe
1832	avguix.exe
2416	avguix.exe
2012	avguix.exe
2296	avguix.exe
2276	avguix.exe
2972	avguix.exe

Loads dropped DLL 5 IoCs

pid	Process
1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
2784	Builder.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000014b28-3.dat	upx
behavioral1/memory/1120-5-0x0000000002B90000-0x0000000002BB5000-memory.dmp	upx
behavioral1/memory/3044-12-0x0000000000400000-0x0000000000425000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AVG Internet Security = "C:\\Users\\Admin\\AppData\\Local\\avguix.exe"	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Builder Security = "C:\\Users\\Admin\\AppData\\Local\\Builder.exe"	Builder.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\OikACA10D46.sys	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
File created	C:\windows\SysWOW64\OikxACA10D46.sys	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avguix.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe
2784	Builder.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	Builderx.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
2912	avguix.exe
2804	avguix.exe
2104	avguix.exe
2672	avguix.exe
2664	avguix.exe
836	avguix.exe
2792	avguix.exe
2508	avguix.exe
2568	avguix.exe
2128	avguix.exe
3016	avguix.exe
1712	avguix.exe
592	avguix.exe
520	avguix.exe
988	avguix.exe
1480	avguix.exe
572	avguix.exe
2844	avguix.exe
2840	avguix.exe
2880	avguix.exe
844	avguix.exe
1976	avguix.exe
1964	avguix.exe
2480	avguix.exe
1300	avguix.exe
1820	avguix.exe
2720	avguix.exe
2744	avguix.exe
1792	avguix.exe
1920	avguix.exe
1936	avguix.exe
1032	avguix.exe
2116	avguix.exe
2124	avguix.exe
756	avguix.exe
2936	avguix.exe
2136	avguix.exe
2220	avguix.exe
1420	avguix.exe
2376	avguix.exe
1356	avguix.exe
912	avguix.exe
1748	avguix.exe
2148	avguix.exe
2372	avguix.exe
2168	avguix.exe
1724	avguix.exe
1324	avguix.exe
1868	avguix.exe
112	avguix.exe
1020	avguix.exe
864	avguix.exe
1028	avguix.exe
2288	avguix.exe
1200	avguix.exe
2268	avguix.exe
1832	avguix.exe
2416	avguix.exe
2012	avguix.exe
2296	avguix.exe
2276	avguix.exe
2972	avguix.exe
2052	avguix.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 3044	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	28
PID 1120 wrote to memory of 3044	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	28
PID 1120 wrote to memory of 3044	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	28
PID 1120 wrote to memory of 3044	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	28
PID 1120 wrote to memory of 2784	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2784	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2784	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2784	1120	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe	29
PID 2784 wrote to memory of 2912	2784	Builder.exe	30
PID 2784 wrote to memory of 2912	2784	Builder.exe	30
PID 2784 wrote to memory of 2912	2784	Builder.exe	30
PID 2784 wrote to memory of 2912	2784	Builder.exe	30
PID 2784 wrote to memory of 2804	2784	Builder.exe	31
PID 2784 wrote to memory of 2804	2784	Builder.exe	31
PID 2784 wrote to memory of 2804	2784	Builder.exe	31
PID 2784 wrote to memory of 2804	2784	Builder.exe	31
PID 2784 wrote to memory of 2104	2784	Builder.exe	32
PID 2784 wrote to memory of 2104	2784	Builder.exe	32
PID 2784 wrote to memory of 2104	2784	Builder.exe	32
PID 2784 wrote to memory of 2104	2784	Builder.exe	32
PID 2784 wrote to memory of 2672	2784	Builder.exe	33
PID 2784 wrote to memory of 2672	2784	Builder.exe	33
PID 2784 wrote to memory of 2672	2784	Builder.exe	33
PID 2784 wrote to memory of 2672	2784	Builder.exe	33
PID 2784 wrote to memory of 2664	2784	Builder.exe	34
PID 2784 wrote to memory of 2664	2784	Builder.exe	34
PID 2784 wrote to memory of 2664	2784	Builder.exe	34
PID 2784 wrote to memory of 2664	2784	Builder.exe	34
PID 2784 wrote to memory of 836	2784	Builder.exe	35
PID 2784 wrote to memory of 836	2784	Builder.exe	35
PID 2784 wrote to memory of 836	2784	Builder.exe	35
PID 2784 wrote to memory of 836	2784	Builder.exe	35
PID 2784 wrote to memory of 2792	2784	Builder.exe	36
PID 2784 wrote to memory of 2792	2784	Builder.exe	36
PID 2784 wrote to memory of 2792	2784	Builder.exe	36
PID 2784 wrote to memory of 2792	2784	Builder.exe	36
PID 2784 wrote to memory of 2508	2784	Builder.exe	37
PID 2784 wrote to memory of 2508	2784	Builder.exe	37
PID 2784 wrote to memory of 2508	2784	Builder.exe	37
PID 2784 wrote to memory of 2508	2784	Builder.exe	37
PID 2784 wrote to memory of 2568	2784	Builder.exe	38
PID 2784 wrote to memory of 2568	2784	Builder.exe	38
PID 2784 wrote to memory of 2568	2784	Builder.exe	38
PID 2784 wrote to memory of 2568	2784	Builder.exe	38
PID 2784 wrote to memory of 2128	2784	Builder.exe	39
PID 2784 wrote to memory of 2128	2784	Builder.exe	39
PID 2784 wrote to memory of 2128	2784	Builder.exe	39
PID 2784 wrote to memory of 2128	2784	Builder.exe	39
PID 2784 wrote to memory of 3016	2784	Builder.exe	40
PID 2784 wrote to memory of 3016	2784	Builder.exe	40
PID 2784 wrote to memory of 3016	2784	Builder.exe	40
PID 2784 wrote to memory of 3016	2784	Builder.exe	40
PID 2784 wrote to memory of 1712	2784	Builder.exe	41
PID 2784 wrote to memory of 1712	2784	Builder.exe	41
PID 2784 wrote to memory of 1712	2784	Builder.exe	41
PID 2784 wrote to memory of 1712	2784	Builder.exe	41
PID 2784 wrote to memory of 592	2784	Builder.exe	42
PID 2784 wrote to memory of 592	2784	Builder.exe	42
PID 2784 wrote to memory of 592	2784	Builder.exe	42
PID 2784 wrote to memory of 592	2784	Builder.exe	42
PID 2784 wrote to memory of 520	2784	Builder.exe	43
PID 2784 wrote to memory of 520	2784	Builder.exe	43
PID 2784 wrote to memory of 520	2784	Builder.exe	43
PID 2784 wrote to memory of 520	2784	Builder.exe	43

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\edf56f261cc5db035cbc049883ab2948_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1120
- C:\Users\Admin\AppData\Local\Builderx.exe
  C:\Users\Admin\AppData\Local\Builderx.exe /stext "c:\top.txt"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Users\Admin\AppData\Local\Builder.exe
  C:\Users\Admin\AppData\Local\Builder.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2912
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2672
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:836
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2792
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2508
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2568
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3016
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1712
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:592
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:520
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:988
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1480
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:572
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2880
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:844
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1964
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2480
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1300
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2720
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1792
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1920
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1936
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1032
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2124
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:756
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2136
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2220
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1420
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2376
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1356
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:912
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2148
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2372
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2168
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1020
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:864
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1028
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1200
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2268
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1832
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2972
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2052
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1720
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:3040
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2400
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2068
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2584
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:3044
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2240
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2780
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2920
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2616
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2680
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2984
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2860
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2660
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:836
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2656
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3000
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1424
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1712
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:696
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:440
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1056
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1488
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:608
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1088
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2592
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2832
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2872
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1808
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2252
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1996
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1820
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2756
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2580
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1936
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1032
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2096
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2368
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2160
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2940
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2348
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2180
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2200
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1356
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1540
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1748
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2396
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2084
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:2168
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1724
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1328
- - C:\Users\Admin\AppData\Local\avguix.exe
    C:\Users\Admin\AppData\Local\avguix.exe
    3⤵
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Builder.exe

Filesize
444KB

MD5
347fc1d0f433446fde0ffeb3bb692209

SHA1
edeb9e30d32367d4905d10b05eb0d2ba2a476026

SHA256
62d43256d64d17bd6c01e91a68a71cf5419374423c6c76bfd6916603f4990852

SHA512
cd7087fa966684d3bbe51f79a00a590a6220198260b290b1e0c7e686f1893871deadffe0618facd2ec520e053dc99ac2277421023df10c7b4273e5e5481252ce

Download Submit
\Users\Admin\AppData\Local\Builderx.exe

Filesize
65KB

MD5
3f40a7ed3a5ee04bb43d43bd94823e72

SHA1
0b2995e1fee683b2706e9299e320d4fd6b09f98d

SHA256
6be9603316045e51b4b0a1fba90bc011aee14689f05659a50b2060c51d330ea1

SHA512
bc493d90d37eaf0b55c30e561d8bba3e37e0cf720169b4cb278ed0336e693412a8ad7fdab1721fa31ccc4f58dcf11cea82ffc95aa9c8bef4d3dee5db5b3a0687

Download Submit
\Users\Admin\AppData\Local\avguix.exe

Filesize
13.2MB

MD5
edf56f261cc5db035cbc049883ab2948

SHA1
d72c70cea568ed844248362045221fc44d6b661a

SHA256
436d0f9548a56b1623cbda9bf3615b27e9c2311cd2aa9f7e6a86d3b7809ac473

SHA512
66ed6570a127387efa8b6399df5c19cc5524930048e9d10be6eeb1bd7ed29b7188a4b3b63028544dd3f95bef53b156fc789d9241ce0a1987fd25a5a1821a3f2f

Download Submit
memory/112-140-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/520-60-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/572-66-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/592-58-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/756-106-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/836-41-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/844-76-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/864-144-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/912-122-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/988-62-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1020-142-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1032-100-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1120-0-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1120-30-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1120-95-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1120-5-0x0000000002B90000-0x0000000002BB5000-memory.dmp

Filesize
148KB

Download
memory/1120-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1120-22-0x0000000002B90000-0x0000000002BB5000-memory.dmp

Filesize
148KB

Download
memory/1300-84-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1324-134-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1356-120-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1420-115-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1480-64-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1712-56-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1724-132-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1748-124-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1792-93-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1820-86-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1868-136-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1920-96-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1936-98-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1964-80-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/1976-78-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2104-35-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2116-102-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2124-104-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2128-52-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2136-110-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2148-126-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2168-130-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2220-112-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2372-128-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2376-118-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2480-82-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2508-45-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2568-49-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2664-39-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2672-37-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2720-88-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2744-90-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2784-47-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2784-48-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2784-137-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2784-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2792-43-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2804-33-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2840-71-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2844-68-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2880-74-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2912-31-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/2936-108-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/3016-54-0x0000000000400000-0x0000000001138000-memory.dmp

Filesize
13.2MB

Download
memory/3044-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download