Analysis

max time kernel: 73s
max time network: 127s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 15-02-2023 01:11
Static task: static1
Behavioral task: behavioral1 (sample: Fivem hack.rar, resource: win7-20221111-en)

General

Target: Fivem hack.rar
Size: 1.9MB
MD5: 4156197b492c58a50e3fb2ffb4bcf681
SHA1: 7e5171efeaabe69d72ab28dbed028cc7efcdc6af
SHA256: fadf73572a43a77edf12de54a2fe9cc13e58a6653d538202cde992c0ee8fdf1d
SHA512: 76f585aa8c00f9f09ac58b4379c1fe296088133bc8acc5f664458cdd34e6e8b138d9e1125e0dcf161ae8007088d6f202e07b233d8ac1c112863f58f65aaab8e6
SSDEEP: 49152:4NB5tG9MW7vXU4EzJuI1OKLf/7mnQYE2Xzp:4pTIWAKLXWNE2Xzp
Malware Config

Extracted
Family: vidar
Version: 2.5
Botnet: 408
profile_id: 408
Signatures

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
  pid   process
  1956  Fivem hack.exe
  768   99508117318636619476.exe

Loads dropped DLL (4 IoCs)
  pid   process
  1504  AppLaunch.exe (4 loads)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Suspicious use of SetThreadContext (1 IoC)
  description                 pid   process         target process
  set thread context of 1504  1956  Fivem hack.exe  AppLaunch.exe
Together with the nine WriteProcessMemory calls from pid 1956 into pid 1504 (below) and the 456KB image dumped at 0x400000 from pid 1504 (see Downloads), this is consistent with process hollowing: the EXE extracted from the archive acts as the loader and the payload runs inside the legitimate .NET host AppLaunch.exe, which is the process that goes on to check the CPU name, load the dropped DLLs and spawn the second-stage executable.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The "ransomware" wording is the sandbox's generic description of this heuristic. For a sample whose extracted config is Vidar, drive enumeration is the stealer locating files to collect; nothing else in this report points to encryption activity.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                 process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    AppLaunch.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  AppLaunch.exe
Modifies registry class (64 IoCs)
All 64 writes are made by rundll32.exe (pid 1716), i.e. by shell32.dll's OpenAs_RunDLL "Open with" dialog that the sandbox used to hand the .rar to 7-Zip (see the process tree): shellbag entries (BagMRU, Bags), MuiCache and the .rar -> rar_auto_file -> 7zFM.exe file association. They are sandbox-harness activity, not behaviour of the sample.
Abbreviations used below: <UC> = \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_CLASSES; <SHELL> = <UC>\Local Settings\Software\Microsoft\Windows\Shell; {CD} = {5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}. Process column is rundll32.exe for every row.
  description       ioc
  Set value (str)   <SHELL>\Bags\1\Shell\SniffedFolderType = "Generic"
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\GroupByDirection = "1"
  Set value (data)  <SHELL>\BagMRU\NodeSlots = 02
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\LogicalViewMode = "1"
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\FFlags = "1092616257"
  Key created       \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000_Classes\Local Settings
  Key created       <SHELL>
  Set value (data)  <SHELL>\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000
  Set value (data)  <SHELL>\BagMRU\0\0\0 = 88003100000000006b551284110050524f4752417e310000700008000400efbeee3a851a6b5512842a0000003c000000000001000000000000000000460000000000500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000
  Key created       <UC>\.rar
  Set value (str)   <SHELL>\Bags\2\Shell\SniffedFolderType = "Generic"
  Set value (data)  <SHELL>\Bags\2\ComDlg\{CD}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
  Set value (str)   <SHELL>\Bags\2\ComDlg\{CD}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
  Set value (str)   <UC>\Applications\7zFM.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""
  Set value (data)  <SHELL>\BagMRU\0\0\MRUListEx = 00000000ffffffff
  Key created       <SHELL>\Bags\2\ComDlg\{CD}
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\Mode = "4"
  Key created       <UC>\rar_auto_file\shell
  Key created       <SHELL>\MuiCache
  Key created       <SHELL>\Bags\1\ComDlg\{CD}
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\Mode = "4"
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\FFlags = "1"
  Key created       <UC>\Applications\7zFM.exe\shell\open\command
  Key created       <UC>\Applications\7zFM.exe\shell
  Key created       <UC>\rar_auto_file\shell\open
  Key created       <SHELL>\Bags\1\Shell
  Set value (data)  <SHELL>\BagMRU\0\0\0\0 = 4c003100000000006b55757e1000372d5a697000380008000400efbe6b55757e6b55757e2a0000000003010000000200000000000000000000000000000037002d005a0069007000000014000000
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\FFlags = "1092616257"
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\LogicalViewMode = "1"
  Key created       <SHELL>\Bags\1\ComDlg
  Set value (str)   <SHELL>\Bags\1\ComDlg\{CD}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"
  Set value (str)   <UC>\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7zFM.exe\" \"%1\""
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\GroupView = "0"
  Key created       <SHELL>\BagMRU\0\0
  Key created       <SHELL>\BagMRU\0\0\0\0
  Set value (data)  <SHELL>\BagMRU\0\0\0\0\MRUListEx = ffffffff
  Set value (data)  <SHELL>\Bags\1\ComDlg\{CD}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\GroupByDirection = "1"
  Key created       <UC>\Applications\7zFM.exe
  Set value (str)   <UC>\rar_auto_file\
  Key created       <UC>\rar_auto_file\shell\open\command
  Key created       <SHELL>\BagMRU
  Set value (data)  <SHELL>\BagMRU\MRUListEx = ffffffff
  Set value (int)   <SHELL>\BagMRU\0\0\0\NodeSlot = "1"
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\GroupByKey:PID = "0"
  Set value (data)  <SHELL>\BagMRU\NodeSlots
  Key created       <SHELL>\Bags
  Key created       <SHELL>\Bags\2\ComDlg
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\GroupByKey:PID = "0"
  Key created       <SHELL>\Bags\2\Shell
  Set value (data)  <SHELL>\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
  Set value (int)   <SHELL>\Bags\2\ComDlg\{CD}\IconSize = "16"
  Key created       <UC>\Applications
  Key created       <UC>\rar_auto_file
  Set value (int)   <SHELL>\Bags\1\ComDlg\{CD}\GroupView = "0"
  Set value (data)  <SHELL>\Bags\2\ComDlg\{CD}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000
  Key created       <UC>\Applications\7zFM.exe\shell\open
  Key created       <SHELL>\Bags\1
  Set value (data)  <SHELL>\BagMRU\NodeSlots = 0202
  Set value (int)   <SHELL>\BagMRU\0\0\0\0\NodeSlot = "2"
  Set value (str)   <SHELL>\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
  Set value (str)   <UC>\.rar\ = "rar_auto_file"
  Set value (data)  <SHELL>\BagMRU\0\MRUListEx = 00000000ffffffff
  Set value (str)   <SHELL>\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  316   7zFM.exe
  1504  AppLaunch.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   process
  1716  rundll32.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid  process
  Token: SeRestorePrivilege   316  7zFM.exe
  Token: 35                   316  7zFM.exe
  Token: SeSecurityPrivilege  316  7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid  process
  316  7zFM.exe (2 calls)

Suspicious use of SetWindowsHookEx (3 IoCs)
  pid   process
  1716  rundll32.exe (3 calls)

Suspicious use of WriteProcessMemory (29 IoCs)
  source pid  source process            target pid  target process            calls
  832         cmd.exe                   1716        rundll32.exe              3
  1716        rundll32.exe              316         7zFM.exe                  3
  316         7zFM.exe                  1956        Fivem hack.exe            4
  1956        Fivem hack.exe            1504        AppLaunch.exe             9
  1504        AppLaunch.exe             768         99508117318636619476.exe  4
  768         99508117318636619476.exe  632         cmd.exe                   3
  632         cmd.exe                   1064        choice.exe                3
A parent writing into a child it has just created produces a few WriteProcessMemory events on every process launch, which is why the sandbox's own chain (cmd -> rundll32 -> 7-Zip) and the later cmd/choice spawns appear here too. The nine writes from Fivem hack.exe into AppLaunch.exe, paired with the SetThreadContext call on the same target, are the ones that matter.
Processes

Levels 1-3 are the sandbox opening the archive (cmd -> "Open with" dialog via rundll32/shell32 OpenAs_RunDLL -> 7-Zip); the sample's own activity starts at level 4. PIDs are taken from the WriteProcessMemory table above.

1. C:\Windows\system32\cmd.exe (pid 832)
   cmd /c "C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe (pid 1716)
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\7-Zip\7zFM.exe (pid 316)
         "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe (pid 1956)
            "C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (pid 1504)
               "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
               - Loads dropped DLL
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory
               6. C:\ProgramData\99508117318636619476.exe (pid 768)
                  "C:\ProgramData\99508117318636619476.exe"
                  - Executes dropped EXE
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\cmd.exe (pid 632)
                     C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\99508117318636619476.exe
                     - Suspicious use of WriteProcessMemory
                     8. C:\Windows\system32\choice.exe (pid 1064)
                        choice /C Y /N /D Y /T 0

Level 7 is the dropped second-stage executable deleting itself: "choice /C Y /N /D Y /T 0" auto-answers Y after a zero-second timeout and is the usual stand-in for a sleep in this idiom, so that by the time Del runs the parent has exited and the file is no longer locked. Expect the file to be gone from disk on an infected host; the hashes in Downloads below are what to hunt for.
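The chain above (loader extracted by 7-Zip, SetThreadContext into AppLaunch.exe, digit-named EXE in C:\ProgramData, cmd/choice self-deletion) is the kind of sequence a triage script should pick out of a sandbox process list automatically. The following is an added example written for this page; it is not part of the tria.ge report and not code from any tool the report mentions. It reads process records in a simple pid|ppid|image|command line format that is an assumption of the example (not Triage's export format); the sample data is constructed from this report's own Processes section with pid/ppid taken from its WriteProcessMemory table. The list of .NET host binaries is a generalisation beyond this report: AppLaunch.exe is the one seen here, RegAsm, RegSvcs and InstallUtil are other framework utilities commonly used the same way.

```python
"""Flag loader/stealer behaviour in a sandbox process list (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input constructed from the report's process tree; the record
# format (pid|ppid|image|command line) is this example's own assumption.
SAMPLE_PROCESSES = r"""
832|0|C:\Windows\system32\cmd.exe|cmd /c "C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar"
1716|832|C:\Windows\system32\rundll32.exe|"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar
316|1716|C:\Program Files\7-Zip\7zFM.exe|"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Fivem hack.rar"
1956|316|C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe|"C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe"
1504|1956|C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe|"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
768|1504|C:\ProgramData\99508117318636619476.exe|"C:\ProgramData\99508117318636619476.exe"
632|768|C:\Windows\system32\cmd.exe|C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\99508117318636619476.exe
1064|632|C:\Windows\system32\choice.exe|choice /C Y /N /D Y /T 0
"""

# SetThreadContext events as (source pid, target pid), from the report's
# "Suspicious use of SetThreadContext" IoC.
SAMPLE_SETTHREADCONTEXT = [(1956, 1504)]

# Paths an unprivileged user can write to; a loader normally runs from one.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# .NET framework utilities commonly used as hollowing hosts (AppLaunch.exe is
# the one in this report; the other three are a generalisation).
DOTNET_HOST = re.compile(
    r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\(AppLaunch|RegAsm|RegSvcs|InstallUtil)\.exe$", re.I)
# Second-stage payload named only with digits, directly under ProgramData.
DIGIT_NAME_IN_PROGRAMDATA = re.compile(r"^C:\\ProgramData\\\d+\.exe$", re.I)
# Self-deletion idiom: "choice" used as a sleep, then Del <file>.
SELF_DELETE = re.compile(
    r'choice\s+/C\s+Y\s+/N\s+/D\s+Y\s+/T\s+\d+\s*&\s*del\s+(?P<target>"[^"]+"|\S+)', re.I)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


def parse_processes(text: str) -> dict[int, Proc]:
    """Parse pid|ppid|image|cmdline records into a pid-indexed map."""
    procs: dict[int, Proc] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def ancestry(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Walk from pid up to the root, giving the full infection chain."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def find_hollowing(procs: dict[int, Proc], stc_events) -> list[str]:
    """SetThreadContext from a user-writable image into its own child .NET host."""
    hits = []
    for src, dst in stc_events:
        s, d = procs.get(src), procs.get(dst)
        if (s and d and d.ppid == s.pid
                and USER_WRITABLE.match(s.image) and DOTNET_HOST.search(d.image)):
            hits.append(f"hollowing: {s.image} (pid {s.pid}) -> {d.image} (pid {d.pid})")
    return hits


def find_dropped_programdata(procs: dict[int, Proc]) -> list[str]:
    """Executables with digit-only names running from C:\\ProgramData."""
    return [f"dropped: {p.image} (pid {p.pid}, parent {p.ppid})"
            for p in procs.values() if DIGIT_NAME_IN_PROGRAMDATA.match(p.image)]


def find_self_delete(procs: dict[int, Proc]) -> list[str]:
    """cmd.exe 'choice ... & Del X' where X is the image of cmd's own parent."""
    hits = []
    for p in procs.values():
        m = SELF_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").strip('"')
        parent = procs.get(p.ppid)
        if parent and parent.image.lower() == target.lower():
            hits.append(f"self-delete: {parent.image} (pid {parent.pid}) via cmd pid {p.pid}")
    return hits


def triage(text: str, stc_events) -> list[str]:
    procs = parse_processes(text)
    return (find_hollowing(procs, stc_events)
            + find_dropped_programdata(procs)
            + find_self_delete(procs))


if __name__ == "__main__":
    for hit in triage(SAMPLE_PROCESSES, SAMPLE_SETTHREADCONTEXT):
        print(hit)
    chain = reversed(ancestry(parse_processes(SAMPLE_PROCESSES), 1064))
    print(" -> ".join(p.image.rsplit("\\", 1)[-1] for p in chain))
```

The self-deletion rule deliberately requires the Del target to equal the image of the process that spawned cmd.exe, so a cleanup script removing some other file does not fire, and the hollowing rule requires the SetThreadContext target to be a direct child of the caller, which is exactly the parent/child relationship the report's PIDs show. Run against the sample data the script reports the hollowing of AppLaunch.exe by Fivem hack.exe, the dropped C:\ProgramData\99508117318636619476.exe, and that executable's self-deletion.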
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\99508117318636619476.exe (7.4MB; also recorded as \ProgramData\99508117318636619476.exe)
MD5: 211810b3c634cb6cc6f685efcc2a5c93
SHA1: e123714e64a040d06b66775e0c2aec8c7014ce08
SHA256: 26e7ecccd5143958996bf523d854c928ae5dfa045f661c23d69599dfdf0d7770
SHA512: a481a3250714fd4b96474a450844afd9245cb927b112fcdf83e7c306c3fe0e0a04e855a9e49cc42a4534eb5bbce2e462379204844aa5b227e13cba98007b8be0

C:\Users\Admin\AppData\Local\Temp\7zOC312515C\Fivem hack.exe (761.7MB)
MD5: f4b515b98bdd8d50a4e9c80c42940723
SHA1: 5b534564abc6f7b198f0f4861f9f6f09c0055f18
SHA256: 117126021411bc66431a70f6738c3bddb09dfa45165507d6107a4595ae2f1170
SHA512: f91ad2d492b5e97955e2611e968dc6df23601d481d0047cf873f1d2b884323ce35bfe14eaba961af5271c453a6d86d0e8b4358cbd63e0ff5e94679c8ed09e58a
A 761.7MB executable that came out of a 1.9MB archive is padded with highly compressible filler. Inflating the binary this way is a common trick to push it past the file-size limits of AV scanners and online sandboxes, so do not rely on size-capped tooling to inspect it.

\ProgramData\mozglue.dll (593KB)
MD5: c8fd9be83bc728cc04beffafc2907fe9
SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll (2.0MB)
MD5: 1cc453cdf74f31e4d913ff9c10acdde2
SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
mozglue.dll and nss3.dll are Mozilla's NSS runtime libraries. Stealers download them because the NSS API is the easiest way to decrypt the logins stored in a Firefox profile, which fits the "Reads user/profile data of web browsers" signature above. Stealers normally drop unmodified copies, so check these hashes against a known Mozilla build before treating the DLLs themselves as malicious; the indicator is their appearance in C:\ProgramData next to the dropped EXE, not the files.

memory/316-82-0x0000000000000000-mapping.dmp
memory/632-122-0x0000000000000000-mapping.dmp
memory/768-120-0x0000000000000000-mapping.dmp
memory/832-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp (8KB)
memory/1064-123-0x0000000000000000-mapping.dmp
memory/1504-86-0x0000000000400000-0x0000000000472000-memory.dmp (456KB)
memory/1504-98-0x0000000050FA0000-0x0000000051093000-memory.dmp (972KB)
memory/1504-97-0x0000000000400000-0x0000000000472000-memory.dmp (456KB)
memory/1504-96-0x0000000075831000-0x0000000075833000-memory.dmp (8KB)
memory/1504-95-0x0000000000400000-0x0000000000472000-memory.dmp (456KB)
memory/1504-94-0x0000000000432A3C-mapping.dmp
memory/1504-88-0x0000000000400000-0x0000000000472000-memory.dmp (456KB)
memory/1716-76-0x0000000000000000-mapping.dmp
memory/1956-84-0x0000000000000000-mapping.dmp
The repeated 0x400000-0x472000 dumps from pid 1504 (AppLaunch.exe) are the 456KB image written into that process by Fivem hack.exe before the SetThreadContext call, and the 0x432A3C mapping address lies inside that region; every other process in the tree has a 0x0 mapping entry. When reproducing this analysis, the 456KB dump from pid 1504 is the payload to carve and hash, not the 761.7MB loader.