darkcomet | e5c54e8c08be3b4e41d08b24ebcf8f99a37f587c11303dfd1a4672bb5eb3d4cc

Analysis

max time kernel
231s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

heck.zip
Size

819KB
MD5

dd652a718bced9e86425da269004c5c4
SHA1

d63f4d173ed9c6b2689f5a2db978f6e9fae11ebb
SHA256

e5c54e8c08be3b4e41d08b24ebcf8f99a37f587c11303dfd1a4672bb5eb3d4cc
SHA512

63da000f8065a5931d20dcb64b00f411188c6ddb09e7a708d88b240543f24fc169077b2500835496f57f56579ff71a94188c3f8c0d23e841c1b5609bc69d5355
SSDEEP

12288:dn+xqAHK8V0U/EYCa7P5W3RwMe4QGOmoZETqowpHuqZCFtnW1Xk3zsnNoRnXvC3H:1gbyU/EYnw32V4QFZETqo4lu0kCOqPx

Score

10^/10

darkcomet hacklenen discovery evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Hacklenen

tr3.localto.net:7975

tr3.localto.net:2152

Mutex

DC_MUTEX-GJULDQS

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
N2NDbd0wXxsm
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe

Modifies firewall policy service 3 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	FivemHackmenu.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	FivemHackmenu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	FivemHackmenu.exe

Executes dropped EXE 64 IoCs

pid	Process
3628	FivemHackmenu.exe
4632	msdcsc.exe
4592	FivemHackmenu.exe
2284	FivemHackmenu.exe
3932	FivemHackmenu.exe
2952	FivemHackmenu.exe
4216	FivemHackmenu.exe
4672	FivemHackmenu.exe
4332	FivemHackmenu.exe
4608	FivemHackmenu.exe
3712	FivemHackmenu.exe
1556	FivemHackmenu.exe
2752	FivemHackmenu.exe
3928	FivemHackmenu.exe
4432	FivemHackmenu.exe
5084	FivemHackmenu.exe
4512	FivemHackmenu.exe
4716	FivemHackmenu.exe
4516	FivemHackmenu.exe
1352	FivemHackmenu.exe
3424	FivemHackmenu.exe
1548	FivemHackmenu.exe
1696	FivemHackmenu.exe
4592	FivemHackmenu.exe
4984	FivemHackmenu.exe
1620	FivemHackmenu.exe
4072	FivemHackmenu.exe
2468	FivemHackmenu.exe
2636	FivemHackmenu.exe
2236	FivemHackmenu.exe
4904	FivemHackmenu.exe
2312	FivemHackmenu.exe
4304	FivemHackmenu.exe
5004	FivemHackmenu.exe
4872	FivemHackmenu.exe
4708	FivemHackmenu.exe
3768	FivemHackmenu.exe
1104	FivemHackmenu.exe
1308	FivemHackmenu.exe
1476	FivemHackmenu.exe
920	FivemHackmenu.exe
2040	FivemHackmenu.exe
2724	FivemHackmenu.exe
3552	FivemHackmenu.exe
3668	FivemHackmenu.exe
1524	FivemHackmenu.exe
4648	FivemHackmenu.exe
3888	FivemHackmenu.exe
412	FivemHackmenu.exe
2584	FivemHackmenu.exe
2664	FivemHackmenu.exe
3344	FivemHackmenu.exe
3388	FivemHackmenu.exe
4672	FivemHackmenu.exe
1056	FivemHackmenu.exe
4836	FivemHackmenu.exe
2992	FivemHackmenu.exe
4940	FivemHackmenu.exe
1584	FivemHackmenu.exe
4072	FivemHackmenu.exe
5024	FivemHackmenu.exe
212	FivemHackmenu.exe
3652	FivemHackmenu.exe
1856	FivemHackmenu.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	FivemHackmenu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cc3-4.dat	upx
behavioral1/memory/3628-5-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3628-21-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-22-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-23-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-24-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4592-26-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-27-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-28-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2284-30-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2284-32-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-33-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3932-36-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-37-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-38-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-39-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2952-42-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4216-44-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4672-47-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4332-50-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4608-52-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3712-55-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1556-57-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2752-60-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3928-62-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4432-66-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/5084-68-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4512-72-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4716-71-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4716-73-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4516-75-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1352-77-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3424-79-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3424-81-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1548-83-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1696-86-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4632-88-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4592-89-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4984-91-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2468-96-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1620-99-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2236-100-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2636-105-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1476-169-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4940-179-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3768-183-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4648-197-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2992-215-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4836-213-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1056-211-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2584-209-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3888-207-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4672-205-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/4940-203-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2664-201-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3388-199-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2724-195-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2040-193-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1524-191-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3344-189-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/3668-187-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/1104-185-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/412-181-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2664-178-0x0000000000400000-0x0000000000502000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FivemHackmenu.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4632	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4700	7zFM.exe
Token: 35	4700	7zFM.exe
Token: SeSecurityPrivilege	4700	7zFM.exe
Token: SeIncreaseQuotaPrivilege	3628	FivemHackmenu.exe
Token: SeSecurityPrivilege	3628	FivemHackmenu.exe
Token: SeTakeOwnershipPrivilege	3628	FivemHackmenu.exe
Token: SeLoadDriverPrivilege	3628	FivemHackmenu.exe
Token: SeSystemProfilePrivilege	3628	FivemHackmenu.exe
Token: SeSystemtimePrivilege	3628	FivemHackmenu.exe
Token: SeProfSingleProcessPrivilege	3628	FivemHackmenu.exe
Token: SeIncBasePriorityPrivilege	3628	FivemHackmenu.exe
Token: SeCreatePagefilePrivilege	3628	FivemHackmenu.exe
Token: SeBackupPrivilege	3628	FivemHackmenu.exe
Token: SeRestorePrivilege	3628	FivemHackmenu.exe
Token: SeShutdownPrivilege	3628	FivemHackmenu.exe
Token: SeDebugPrivilege	3628	FivemHackmenu.exe
Token: SeSystemEnvironmentPrivilege	3628	FivemHackmenu.exe
Token: SeChangeNotifyPrivilege	3628	FivemHackmenu.exe
Token: SeRemoteShutdownPrivilege	3628	FivemHackmenu.exe
Token: SeUndockPrivilege	3628	FivemHackmenu.exe
Token: SeManageVolumePrivilege	3628	FivemHackmenu.exe
Token: SeImpersonatePrivilege	3628	FivemHackmenu.exe
Token: SeCreateGlobalPrivilege	3628	FivemHackmenu.exe
Token: 33	3628	FivemHackmenu.exe
Token: 34	3628	FivemHackmenu.exe
Token: 35	3628	FivemHackmenu.exe
Token: 36	3628	FivemHackmenu.exe
Token: SeIncreaseQuotaPrivilege	4632	msdcsc.exe
Token: SeSecurityPrivilege	4632	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4632	msdcsc.exe
Token: SeLoadDriverPrivilege	4632	msdcsc.exe
Token: SeSystemProfilePrivilege	4632	msdcsc.exe
Token: SeSystemtimePrivilege	4632	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4632	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4632	msdcsc.exe
Token: SeCreatePagefilePrivilege	4632	msdcsc.exe
Token: SeBackupPrivilege	4632	msdcsc.exe
Token: SeRestorePrivilege	4632	msdcsc.exe
Token: SeShutdownPrivilege	4632	msdcsc.exe
Token: SeDebugPrivilege	4632	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4632	msdcsc.exe
Token: SeChangeNotifyPrivilege	4632	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4632	msdcsc.exe
Token: SeUndockPrivilege	4632	msdcsc.exe
Token: SeManageVolumePrivilege	4632	msdcsc.exe
Token: SeImpersonatePrivilege	4632	msdcsc.exe
Token: SeCreateGlobalPrivilege	4632	msdcsc.exe
Token: 33	4632	msdcsc.exe
Token: 34	4632	msdcsc.exe
Token: 35	4632	msdcsc.exe
Token: 36	4632	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4592	FivemHackmenu.exe
Token: SeSecurityPrivilege	4592	FivemHackmenu.exe
Token: SeTakeOwnershipPrivilege	4592	FivemHackmenu.exe
Token: SeLoadDriverPrivilege	4592	FivemHackmenu.exe
Token: SeSystemProfilePrivilege	4592	FivemHackmenu.exe
Token: SeSystemtimePrivilege	4592	FivemHackmenu.exe
Token: SeProfSingleProcessPrivilege	4592	FivemHackmenu.exe
Token: SeIncBasePriorityPrivilege	4592	FivemHackmenu.exe
Token: SeCreatePagefilePrivilege	4592	FivemHackmenu.exe
Token: SeBackupPrivilege	4592	FivemHackmenu.exe
Token: SeRestorePrivilege	4592	FivemHackmenu.exe
Token: SeShutdownPrivilege	4592	FivemHackmenu.exe
Token: SeDebugPrivilege	4592	FivemHackmenu.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4700	7zFM.exe
4700	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4632	msdcsc.exe
5096	OpenWith.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4632	3628	FivemHackmenu.exe	99
PID 3628 wrote to memory of 4632	3628	FivemHackmenu.exe	99
PID 3628 wrote to memory of 4632	3628	FivemHackmenu.exe	99
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100
PID 4632 wrote to memory of 5088	4632	msdcsc.exe	100

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\heck.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4700

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:5088

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2284

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4896

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4216

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4672

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4332

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2752

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3928

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4432

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5084

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4512

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4516

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1352

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3424

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:1548

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1696

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4592

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4984

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1620

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2636

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2468

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2236

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4304

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:4872

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4708

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:1104

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:3552

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:1308

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:1476

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:920

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:3668

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1524

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4648

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3888

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:412

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2584

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2664

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:3344

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3388

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4672

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:2992

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:4940

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4072

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- Executes dropped EXE
PID:5024

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:212

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Executes dropped EXE
PID:1856

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4332

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1492

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1192

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:5084

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:512

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:388

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4820

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:412

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3668

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3344

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3628

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4456

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1884

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:3756

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4940

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4672

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4408

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2584

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3808

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2172

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4792

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:3452

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2524

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4372

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2260

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4172

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2704

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3520

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:3028

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:1728

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:1548

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1696

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2124

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2280

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Adds Run key to start application
PID:3948

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2156

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2608

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:2236

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3200

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4640

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1648

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:784

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:4156

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:3744

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:436

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:5084

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:3436

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:1164

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4820

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1836

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2616

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2664

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1040

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:396

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3888

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3572

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4940

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:900

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2808

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:708

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2868

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:516

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2392

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2076

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4584

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3452

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3632

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2884

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3448

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4660

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3028

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:4784

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2556

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:768

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4948

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4480

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4528

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2800

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1704

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2972

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:428

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:2156

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2796

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Adds Run key to start application
PID:3512

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4048

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:512

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4600

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3744

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4032

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4576

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3436

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1824

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2680

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:872

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Adds Run key to start application
PID:2492

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:3628

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:396

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Adds Run key to start application
PID:4700

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4036

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4836

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4852

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2584

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1628

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1160

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:2148

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4764

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:516

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:3064

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:3960

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4484

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2076

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2172

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3448

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2468

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4908

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:5100

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4056

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4948

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1832

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2952

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3604

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:5072

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2312

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:1212

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1476

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2156

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2488

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4860

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1068

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4048

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3024

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4600

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:388

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4900

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:2644

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1656

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3992

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4652

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:696

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:5020

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4052

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:336

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4016

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3896

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1580

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2868

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4408

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2964

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4864

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:5056

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:2148

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3344

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:636

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3452

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2076

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1440

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3032

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4528

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3008

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2468

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:2936

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:1260

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:1832

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
PID:764

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:3424

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
- Modifies firewall policy service
PID:4872

C:\Users\Admin\Desktop\FivemHackmenu.exe
"C:\Users\Admin\Desktop\FivemHackmenu.exe"
1⤵
PID:4432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\FivemHackmenu.exe

Filesize
400KB

MD5
1dd9ed1f09ce2b5f379809dea86bcefe

SHA1
a35ce191c9c942e0f78849bfd32e1d04d7e18029

SHA256
24f721f152465bbf5dc2275e7825ce73947e2ccd7e97db8501f25d249a73400c

SHA512
5ecd9e8f5aaea33a0600a72fef9cd011ca0b9385af93287efa1f9c5bc400f1de4fc945f195e83bb002d29d5de6594ea5b2965f9263fc1774e01a855b8c26d0d4

Download Submit
memory/212-230-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/212-225-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/388-246-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/412-250-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/412-181-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/412-152-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/512-244-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/920-136-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/920-175-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1056-211-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1056-165-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1104-185-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1104-120-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1192-240-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1308-158-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1308-126-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1352-77-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1476-133-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1476-169-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1492-238-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1524-191-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1524-149-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1548-83-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1556-57-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1584-218-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1620-99-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1696-86-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1856-234-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/1884-256-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2040-193-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2040-137-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2236-100-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2236-117-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2284-32-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2284-30-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2312-135-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2468-96-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2468-104-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2584-177-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2584-209-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2636-105-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2664-201-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2664-178-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2724-195-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2724-139-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2752-60-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2952-42-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2992-215-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2992-166-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3344-254-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3344-162-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3344-189-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3388-163-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3388-199-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3424-79-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3424-81-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3552-176-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3628-21-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3628-7-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3628-5-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3652-232-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3652-228-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3668-252-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3668-187-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3668-140-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3712-55-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3756-257-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3768-183-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3768-119-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3888-207-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3888-151-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3928-62-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/3932-36-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4072-222-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4072-107-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4216-44-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4304-147-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4332-50-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4332-236-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4432-66-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4456-255-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4512-72-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4516-75-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4592-26-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4592-89-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4608-52-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-24-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-37-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-33-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-23-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-39-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-88-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-22-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-27-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-38-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4632-28-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4648-197-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4648-150-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4672-164-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4672-47-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4672-205-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4708-118-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4708-159-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4716-71-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4716-73-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4820-248-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4836-213-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4836-167-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4872-112-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4872-161-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4904-154-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4940-203-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4940-179-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4940-258-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/4984-91-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5004-173-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5024-227-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5084-242-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5084-68-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/5088-20-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads