12bb854b6d0f65952e8420885232b644750e33d9cf3ee450a92110a526533192

Analysis

max time kernel
615s
max time network
617s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05-10-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
Size

30.1MB
MD5

c58d50d9f3a459ef0fc9a3a1beadf624
SHA1

5c27586448f0168dae0502fb1ca8b5b0f6aff035
SHA256

12bb854b6d0f65952e8420885232b644750e33d9cf3ee450a92110a526533192
SHA512

1e4cdf964d95a697f6990c2e61fcc47f6af53d988e7fcde2e03a0a686e1b6b9ac27d21bb31be38b72883a721724e5995a884d72ff02c75a90e6b15af5b00f256
SSDEEP

786432:yYXaswmBYPOGspvfLLlgtOz4m2dQfMVh5RCymN3:xW9GdnCYMj5RCp3

Score

7^/10

defense_evasion vmprotect

Malware Config

Signatures

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1016-241-0x000000013F170000-0x000000013FCE3000-memory.dmp	vmprotect
behavioral1/memory/1532-259-0x000000013F550000-0x00000001400C3000-memory.dmp	vmprotect
behavioral1/memory/1740-268-0x000000013F580000-0x0000000140104000-memory.dmp	vmprotect
behavioral1/memory/1664-277-0x000000013F510000-0x000000013FA54000-memory.dmp	vmprotect
behavioral1/memory/1712-285-0x000000013FAD0000-0x0000000140014000-memory.dmp	vmprotect
behavioral1/memory/2848-293-0x000000013FFE0000-0x0000000140524000-memory.dmp	vmprotect

System Binary Proxy Execution: Verclsid 1 TTPs 1 IoCs

Adversaries may abuse Verclsid to proxy execution of malicious code.

defense_evasion

Verclsid

T1218.012

pid	Process
2808	verclsid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1016	vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe
2280	val_chv2[1].exe
1532	vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe
1740	main[1].exe
1664	kd[1].exe
1712	kd[1].exe
2848	kd[1].exe
2004	kd[1].exe
1152	kd[1].exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2672	7zFM.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	2672	7zFM.exe
Token: 35	2672	7zFM.exe
Token: SeSecurityPrivilege	2672	7zFM.exe
Token: SeSecurityPrivilege	2672	7zFM.exe
Token: SeDebugPrivilege	1016	vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe
Token: SeDebugPrivilege	1532	vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe
Token: 33	3032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3032	AUDIODG.EXE
Token: 33	3032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3032	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2672	7zFM.exe
2672	7zFM.exe
2672	7zFM.exe
2672	7zFM.exe
2536	msdt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2832	2324	cmd.exe	31
PID 2324 wrote to memory of 2832	2324	cmd.exe	31
PID 2324 wrote to memory of 2832	2324	cmd.exe	31
PID 2832 wrote to memory of 2776	2832	rundll32.exe	32
PID 2832 wrote to memory of 2776	2832	rundll32.exe	32
PID 2832 wrote to memory of 2776	2832	rundll32.exe	32
PID 2776 wrote to memory of 3064	2776	rundll32.exe	33
PID 2776 wrote to memory of 3064	2776	rundll32.exe	33
PID 2776 wrote to memory of 3064	2776	rundll32.exe	33
PID 3064 wrote to memory of 1128	3064	rundll32.exe	34
PID 3064 wrote to memory of 1128	3064	rundll32.exe	34
PID 3064 wrote to memory of 1128	3064	rundll32.exe	34
PID 1128 wrote to memory of 2388	1128	rundll32.exe	35
PID 1128 wrote to memory of 2388	1128	rundll32.exe	35
PID 1128 wrote to memory of 2388	1128	rundll32.exe	35
PID 2388 wrote to memory of 336	2388	rundll32.exe	36
PID 2388 wrote to memory of 336	2388	rundll32.exe	36
PID 2388 wrote to memory of 336	2388	rundll32.exe	36
PID 336 wrote to memory of 2648	336	rundll32.exe	37
PID 336 wrote to memory of 2648	336	rundll32.exe	37
PID 336 wrote to memory of 2648	336	rundll32.exe	37
PID 2648 wrote to memory of 2620	2648	rundll32.exe	38
PID 2648 wrote to memory of 2620	2648	rundll32.exe	38
PID 2648 wrote to memory of 2620	2648	rundll32.exe	38
PID 2620 wrote to memory of 2840	2620	rundll32.exe	39
PID 2620 wrote to memory of 2840	2620	rundll32.exe	39
PID 2620 wrote to memory of 2840	2620	rundll32.exe	39
PID 2840 wrote to memory of 2380	2840	rundll32.exe	40
PID 2840 wrote to memory of 2380	2840	rundll32.exe	40
PID 2840 wrote to memory of 2380	2840	rundll32.exe	40
PID 2380 wrote to memory of 2136	2380	rundll32.exe	42
PID 2380 wrote to memory of 2136	2380	rundll32.exe	42
PID 2380 wrote to memory of 2136	2380	rundll32.exe	42
PID 2136 wrote to memory of 2204	2136	rundll32.exe	43
PID 2136 wrote to memory of 2204	2136	rundll32.exe	43
PID 2136 wrote to memory of 2204	2136	rundll32.exe	43
PID 2204 wrote to memory of 1948	2204	rundll32.exe	44
PID 2204 wrote to memory of 1948	2204	rundll32.exe	44
PID 2204 wrote to memory of 1948	2204	rundll32.exe	44
PID 1948 wrote to memory of 1628	1948	rundll32.exe	45
PID 1948 wrote to memory of 1628	1948	rundll32.exe	45
PID 1948 wrote to memory of 1628	1948	rundll32.exe	45
PID 1628 wrote to memory of 524	1628	rundll32.exe	46
PID 1628 wrote to memory of 524	1628	rundll32.exe	46
PID 1628 wrote to memory of 524	1628	rundll32.exe	46
PID 524 wrote to memory of 2868	524	rundll32.exe	47
PID 524 wrote to memory of 2868	524	rundll32.exe	47
PID 524 wrote to memory of 2868	524	rundll32.exe	47
PID 2868 wrote to memory of 2936	2868	rundll32.exe	48
PID 2868 wrote to memory of 2936	2868	rundll32.exe	48
PID 2868 wrote to memory of 2936	2868	rundll32.exe	48
PID 2936 wrote to memory of 2124	2936	rundll32.exe	49
PID 2936 wrote to memory of 2124	2936	rundll32.exe	49
PID 2936 wrote to memory of 2124	2936	rundll32.exe	49
PID 2124 wrote to memory of 2940	2124	rundll32.exe	50
PID 2124 wrote to memory of 2940	2124	rundll32.exe	50
PID 2124 wrote to memory of 2940	2124	rundll32.exe	50
PID 2940 wrote to memory of 1092	2940	rundll32.exe	51
PID 2940 wrote to memory of 1092	2940	rundll32.exe	51
PID 2940 wrote to memory of 1092	2940	rundll32.exe	51
PID 1092 wrote to memory of 2424	1092	rundll32.exe	52
PID 1092 wrote to memory of 2424	1092	rundll32.exe	52
PID 1092 wrote to memory of 2424	1092	rundll32.exe	52
PID 2424 wrote to memory of 1532	2424	rundll32.exe	53

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
    3⤵
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        6⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        7⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        8⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        9⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        10⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        11⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        12⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        13⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        14⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        16⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        17⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        18⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        19⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        20⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        21⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        22⤵
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        23⤵
        
        PID:1532
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        24⤵
        
        PID:2756
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        25⤵
        Modifies registry class
        
        PID:2976
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        26⤵
        Modifies registry class
        
        PID:2588
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        27⤵
        Modifies registry class
        
        PID:2656
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        28⤵
        Modifies registry class
        
        PID:3060
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        29⤵
        Modifies registry class
        
        PID:2176
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        30⤵
        Modifies registry class
        
        PID:2532
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        31⤵
        Modifies registry class
        
        PID:1752
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        32⤵
        Modifies registry class
        
        PID:1696
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        33⤵
        Modifies registry class
        
        PID:2876
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        34⤵
        Modifies registry class
        
        PID:1352
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        35⤵
        Modifies registry class
        
        PID:1172
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        36⤵
        Modifies registry class
        
        PID:1164
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        37⤵
        Modifies registry class
        
        PID:2392
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        38⤵
        Modifies registry class
        
        PID:3048
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        39⤵
        Modifies registry class
        
        PID:2136
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        40⤵
        Modifies registry class
        
        PID:2200
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        41⤵
        Modifies registry class
        
        PID:2968
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        42⤵
        Modifies registry class
        
        PID:1700
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        43⤵
        Modifies registry class
        
        PID:948
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        44⤵
        Modifies registry class
        
        PID:2432
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        45⤵
        Modifies registry class
        
        PID:1816
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        46⤵
        Modifies registry class
        
        PID:376
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        47⤵
        Modifies registry class
        
        PID:2480
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        48⤵
        Modifies registry class
        
        PID:2404
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        49⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        50⤵
        Modifies registry class
        
        PID:2760
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        51⤵
        Modifies registry class
        
        PID:2796
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        52⤵
        Modifies registry class
        
        PID:2496
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        53⤵
        Modifies registry class
        
        PID:2564
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        54⤵
        Modifies registry class
        
        PID:236
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        55⤵
        
        PID:1904
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        56⤵
        Modifies registry class
        
        PID:1432
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        57⤵
        Modifies registry class
        
        PID:2092
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        58⤵
        Modifies registry class
        
        PID:584
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        59⤵
        Modifies registry class
        
        PID:3032
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        60⤵
        Modifies registry class
        
        PID:492
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        61⤵
        Modifies registry class
        
        PID:2440
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        62⤵
        Modifies registry class
        
        PID:2488
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        63⤵
        Modifies registry class
        
        PID:2284
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        64⤵
        
        PID:2180
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        65⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        66⤵
        Modifies registry class
        
        PID:1328
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        67⤵
        
        PID:920
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        68⤵
        Modifies registry class
        
        PID:1988
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        69⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        70⤵
        Modifies registry class
        
        PID:2936
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        71⤵
        
        PID:1176
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        72⤵
        Modifies registry class
        
        PID:2464
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        73⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        74⤵
        Modifies registry class
        
        PID:1768
        
        C:\Windows\system32\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar
        75⤵
        
        PID:1624

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
1⤵
- System Binary Proxy Execution: Verclsid
PID:2808

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AB-SSP (TROJANA GENERATICOS - MEMECAT DEATHER WINDOWS .rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2672

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe"
1⤵
PID:1964
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCWAFEE.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2536

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
PID:2364
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzis0rsp.cmdline"
  2⤵
  PID:1328
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1C3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB1C2.tmp"
    3⤵
    PID:3016
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rpiv0bbh.cmdline"
  2⤵
  PID:936
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB1F1.tmp"
    3⤵
    PID:2880

C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe
"C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:1076
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe" MD5
    3⤵
    PID:2108
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1064
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:2160
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1016 -s 552
  2⤵
  PID:2428

C:\Users\Admin\Desktop\brc\val_chv2[1].exe
"C:\Users\Admin\Desktop\brc\val_chv2[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2280 -s 168
  2⤵
  PID:2552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\brc\sec7[1].dll
1⤵
PID:2988

C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe
"C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe" C:\Users\Admin\Desktop\brc\sec7[1].dll
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:1520
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\brc\vanguardbypassed73467_bigbomb1337_new_priv3_godmode39[1].exe" MD5
    3⤵
    PID:2236
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1408
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1904
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1532 -s 540
  2⤵
  PID:2652

C:\Users\Admin\Desktop\brc\main[1].exe
"C:\Users\Admin\Desktop\brc\main[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\brc\main[1].exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  PID:644
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\Desktop\brc\main[1].exe" MD5
    3⤵
    PID:2412
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1748
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1740 -s 532
  2⤵
  PID:1952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Users\Admin\Desktop\brc\BP\kd[1].exe
"C:\Users\Admin\Desktop\brc\BP\kd[1].exe" C:\Users\Admin\Desktop\brc\BP\l2[1].dll
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Users\Admin\Desktop\brc\BP\kd[1].exe
"C:\Users\Admin\Desktop\brc\BP\kd[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\Desktop\brc\BP\kd[1].exe
"C:\Users\Admin\Desktop\brc\BP\kd[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2848

C:\Users\Admin\Desktop\brc\BP\kd[1].exe
"C:\Users\Admin\Desktop\brc\BP\kd[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Users\Admin\Desktop\brc\BP\kd[1].exe
"C:\Users\Admin\Desktop\brc\BP\kd[1].exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

System Binary Proxy Execution

T1218

Verclsid

T1218.012

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024100522.000\PCW.0.debugreport.xml

Filesize
2KB

MD5
1bced8ece34f7143e94028ae8bb875d7

SHA1
2b3b7f5d49095c10729d42d262e9f72b2476d2a5

SHA256
72006c6b8b8144c5698b8ba858c2ef7c1d9c918b27156d54e5fcddcabbd132c7

SHA512
1bf1a6b34578f4b4cd1d00b6521a72079d38b2c3cef45da2a3cc2b9212ec7872146c323532f7e551e8d32d3aff77d4596871e33f89c3cea35943ab1c45ce9a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCWAFEE.xml

Filesize
814B

MD5
b4be7f6db08f84e13df61f3ff29d326d

SHA1
06d07988a0892e3e86e044b09414fb47f4be380e

SHA256
e6a5c50674f44c8995fa790b1f392ca73e4566f1846dbf48b486a495632dcf8b

SHA512
3cc3b07a8e270c913395e072ea1ddd8211dde49bd7e46706ac9263b02f9827fd4852b8213179078ca6eeae75e0135dc00fc99be946b6cc544250b0795f95bb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1C3.tmp

Filesize
1KB

MD5
00610fd32fa8030f092407a665ca5afd

SHA1
1c8e612154efa8964687c789002762e727bd8ef1

SHA256
b39d7c5a54c7a4c9a6f059e6d455a162fff89f4fd380c4234d963ef242c36083

SHA512
73f4fd2959682b5acb4c9b6b47088d7cc0fdba534b5cfd8fc257ac277da3ee5b2ae5c3cb449786952efb9f65e36b264fb8e7f5ae09f54b7f00f045205177170c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzis0rsp.dll

Filesize
4KB

MD5
30919a40fb74345ee5a8bc2e6f1018bf

SHA1
40b9d5c14f06f72a2c55520d1b62e479f20ff957

SHA256
b2e077802aae1162678925ab8db02cf6348107870b9e312d76571efa16c9b90c

SHA512
6002fb83c8937de6f26126423d1eb7c282b0e1a96192c317940ae02f82a6ba745ae577f0725a37dd209f2c0cc1e3be1ca47e3517963f30a45c83751ccaa4f582

Download Submit
C:\Users\Admin\AppData\Local\Temp\dzis0rsp.pdb

Filesize
11KB

MD5
4800896de8db4ac14f6629c9db951272

SHA1
b24fbd64ff58c5220cb2058a716689fa2235bd15

SHA256
43435974491715029e13f098345b4e871c90a4be05da71ab935c62436318f89b

SHA512
744d6fa386d17ae1e480edb5781c448636b8d15f26a434c03abc40b0af6efe6e76dd28bd5cf2e5570d90d9cf1ad1098f5f2ae7f5af1de8842b19f6bb651887a0

Download Submit
C:\Windows\TEMP\SDIAG_e55028df-52ef-42e5-82df-93d7c381b488\TS_ProgramCompatibilityWizard.ps1

Filesize
9KB

MD5
46e22c2582b54be56d80d7a79fec9bb5

SHA1
604fac637a35f60f5c89d1367c695feb68255ccd

SHA256
459af2960b08e848573d45a7350223657adb2115f24a3c37e69ffe61dea647f9

SHA512
a9a24df3fb391738405d2ea32cd3ef8657d8d00d7366858a39c624dc9ebbf0b64d2817355d41eed6ad3cc7703d264d2921c8a2590ff95601d89f3cca72ba786f

Download Submit
C:\Windows\TEMP\SDIAG_e55028df-52ef-42e5-82df-93d7c381b488\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
5e03d8afb0fae97904a14d6b2d1cac9a

SHA1
78f401b1944ed92965d7a48dba036413688f949a

SHA256
538a5f22a12b0be59a7a83e0381c6ff661932f07643a87c2d3a542eade741671

SHA512
884c0494728dd9f1a4fc8092152b2253350304b745d6fc1e4b02c9cd2366bc8c92a169c549cd77bcd67e5e2e515d89d46c1d11de5eeb500d531d87839365cd19

Download Submit
C:\Windows\Temp\SDIAG_e55028df-52ef-42e5-82df-93d7c381b488\DiagPackage.dll

Filesize
64KB

MD5
e382ec1c184e7d7d6da1e0b3eacfa84b

SHA1
9a0d95eb339774874f4f0da35d10fd326438b56c

SHA256
786d95dc0d59089e14055385cce8765888f55236b5220fdfd28cf2d9b07e63ee

SHA512
019bcb4f41b5bc5853db2fa528ef126e839c5b0d0dc096dd441ba02d8c71e7913efd16b74aed93952ad2cc5422b151c12d3017fc22a65ae5ce2e7e1fc72a396c

Download Submit
C:\Windows\Temp\SDIAG_e55028df-52ef-42e5-82df-93d7c381b488\en-US\DiagPackage.dll.mui

Filesize
8KB

MD5
526bcf713fe4662e9f8a245a3a57048f

SHA1
cf0593c3a973495c395bbce779aef8764719abf7

SHA256
c8190f45d62c5c03013ffc66b3f9bf60f52a32464fa271d2fad5fd10432da606

SHA512
df7e93617461c2fd25b5b684311126e66b7cf9f1ecfbf4c8a944f65fb2c904194ec635a9c7b962d4583ea77b0312435c7dc1b5ecbcb1fb3a5a74fc1eb2c21d04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB1C2.tmp

Filesize
652B

MD5
9e5105198ef8bc12122c92c8867fdefc

SHA1
ce9a828af1fc08c7db2b7e476880780491ee2ecb

SHA256
ca23164985117225cb65c4ca1b7d7bb1621098773e733aa26eeb5de9d15bad01

SHA512
eb035e414f3d37857557debe25a1169e3f81ea0d8b995348510f0055e808e3030433b1ebfc7301b3c2f42c0ea23f956eeeb353619f062e6d2605497058b6d55d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB1F1.tmp

Filesize
652B

MD5
234af1d6facebe5fe1d1f5ff5c09849e

SHA1
15400a18fc42af128b2487a2ffa2f17d03ad5908

SHA256
461378dd0219f979448638fa34a4eeda708d8cb462301cc4974a27bd408985ce

SHA512
d7ba9bce9551fa7d2019ad63f01ad303faa245eb88773873991c27afb1743c497895f456519f2bcfa087ef45f425ece9b62c5070be1da5da5c54fd5b272af22f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzis0rsp.0.cs

Filesize
965B

MD5
b0dc59b099ca7c12fb8ad72d3c50c82c

SHA1
f19e28849921cf51e322824c5a8ae8bc00014cd1

SHA256
e75eaaa3d7908fb05000c0a957048d20091a0d2575e87d091d11cdb3a5b562e5

SHA512
852c937d36afe3b6df5826b9f1877d511259e2a0ffcdf229c8c655ced7346b36e526928537386121e3ecbc8b1285144dabe3b760db1873cb3baaf70a0f21c364

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzis0rsp.cmdline

Filesize
309B

MD5
9a50202cefafe16faeb5cdd7cd69995f

SHA1
2d0705cfd105da92c4cec5d21a83efa8c84763ff

SHA256
f9d0863401780aeb6b40b74d8f2eb668b7e962b479d44768c079575fc486b274

SHA512
1465a8658d86847a6dd4f431b9d91771973e81d611e24b06ae9b1a8f79872dd2abe4176e49a1c95b6a5de426c955fd85d8952d94a6901a1a7b4ec92f551d07ae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpiv0bbh.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rpiv0bbh.cmdline

Filesize
309B

MD5
d383b6b1324c49e8aaae6f61564baaf8

SHA1
c7c4327894ec6b3c335f7b77e464b81331613cba

SHA256
3b142e5d3eda50be2794db00762bb07bc6731981776eda23ccfe7af144141570

SHA512
905392fad1e3f0a61972659d92c47b62d045ecf6d503ba4ed0c968c55c2b8ffe3df55784c9297126cf1a970101d7936f1907da550257c693021e97902caa5704

Download Submit
memory/1016-240-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1016-241-0x000000013F170000-0x000000013FCE3000-memory.dmp

Filesize
11.4MB

Download
memory/1016-238-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1016-236-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1532-258-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1532-259-0x000000013F550000-0x00000001400C3000-memory.dmp

Filesize
11.4MB

Download
memory/1664-276-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1664-277-0x000000013F510000-0x000000013FA54000-memory.dmp

Filesize
5.3MB

Download
memory/1712-285-0x000000013FAD0000-0x0000000140014000-memory.dmp

Filesize
5.3MB

Download
memory/1712-284-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1740-268-0x000000013F580000-0x0000000140104000-memory.dmp

Filesize
11.5MB

Download
memory/1740-267-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/2280-250-0x000000013FA00000-0x00000001405F3000-memory.dmp

Filesize
11.9MB

Download
memory/2280-249-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/2364-199-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2364-185-0x0000000002800000-0x0000000002808000-memory.dmp

Filesize
32KB

Download
memory/2848-292-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/2848-293-0x000000013FFE0000-0x0000000140524000-memory.dmp

Filesize
5.3MB

Download