95ed1d3a279976d188079477b484085fd36b6ddd1684f33c9a626df5b6821782

Analysis

max time kernel
1801s
max time network
1598s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SQLBOX Cracked.zip
Size

228.8MB
MD5

fe87fd3bab3bd6ae6e22a4cd31121f99
SHA1

3a72748965dcc3f364ce0bef5dce6e209f5995d6
SHA256

95ed1d3a279976d188079477b484085fd36b6ddd1684f33c9a626df5b6821782
SHA512

4abaa8c58b20a9ed43944c4dbbdf8032bc18cc224ba7d86ddf26b9d93847fc3fe3d0638b6ee080d89fcc2f879fd276db9b10750e303eb89d3851589b885bf0ad
SSDEEP

6291456:EzsOE5KnuvKozT9kzwuM4itdmTz8lq7zeW0UgGldj+gQO:EWEQPv9kzwuUZ5UgGldiS

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

SQLBOX.exeSQLBOX.exe

pid process

3316 SQLBOX.exe
3580 SQLBOX.exe

pid	process
3316	SQLBOX.exe
3580	SQLBOX.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 6 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe7zG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zG.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zG.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

5000 OpenWith.exe

pid	process
5000	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	1928	7zG.exe
Token: 35	1928	7zG.exe
Token: SeSecurityPrivilege	1928	7zG.exe
Token: SeSecurityPrivilege	1928	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

1928 7zG.exe

pid	process
1928	7zG.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeAcroRd32.exe

pid	process
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
1684	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
3204	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
1568	AcroRd32.exe
1568	AcroRd32.exe
1568	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 1684 wrote to memory of 4896	1684	OpenWith.exe	NOTEPAD.EXE
PID 1684 wrote to memory of 4896	1684	OpenWith.exe	NOTEPAD.EXE
PID 3204 wrote to memory of 4964	3204	OpenWith.exe	NOTEPAD.EXE
PID 3204 wrote to memory of 4964	3204	OpenWith.exe	NOTEPAD.EXE
PID 5000 wrote to memory of 1568	5000	OpenWith.exe	AcroRd32.exe
PID 5000 wrote to memory of 1568	5000	OpenWith.exe	AcroRd32.exe
PID 5000 wrote to memory of 1568	5000	OpenWith.exe	AcroRd32.exe
PID 1568 wrote to memory of 732	1568	AcroRd32.exe	RdrCEF.exe
PID 1568 wrote to memory of 732	1568	AcroRd32.exe	RdrCEF.exe
PID 1568 wrote to memory of 732	1568	AcroRd32.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 1920	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe
PID 732 wrote to memory of 4000	732	RdrCEF.exe	RdrCEF.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\SQLBOX Cracked.zip"
1⤵
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2848

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SQLBOX Cracked\" -ad -an -ai#7zMap31870:108:7zEvent19853
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1928

C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe
"C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe"
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\pip\_vendor\requests\auth.py
2⤵
PID:4896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_tools\nmap\scripts\auth-owners.nse
2⤵
PID:4964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\pip\_vendor\requests\auth.py"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4C2C9ECB0AF54EAF0A74CE4E31AEEDF2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1920

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9D13113958CF2A60A8306FF627AF7898 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9D13113958CF2A60A8306FF627AF7898 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4000

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2CEBA881F48C692C342B40F09565F77F --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3240

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=16FB93F59D81DA4F065E9373CF5C06A6 --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2636

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=086956B2462EA96498560314121A6631 --mojo-platform-channel-handle=2376 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:1220

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\pip\_vendor\requests\auth.py
2⤵
PID:4948

C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe
"C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe"
1⤵
- Executes dropped EXE
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SQLBOX.exe.log
Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe
Filesize
667KB

MD5
44f5842dd56e95e8fda423f7937c11cb

SHA1
387ce287a291f5ca6a3fccc6ba5684d08e41e75a

SHA256
c3b831d93604df8d708b81f1aefe32bb3016826abf8e47b6a13b110b274bc407

SHA512
9210abb3ef7c094e41ba6017067cff5bb6439969dba4354b1c6acd70ff7de752f73f44af1c11ed9bc58432167a54b26492b40b717e2beb299768a708d1da53af

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe
Filesize
667KB

MD5
44f5842dd56e95e8fda423f7937c11cb

SHA1
387ce287a291f5ca6a3fccc6ba5684d08e41e75a

SHA256
c3b831d93604df8d708b81f1aefe32bb3016826abf8e47b6a13b110b274bc407

SHA512
9210abb3ef7c094e41ba6017067cff5bb6439969dba4354b1c6acd70ff7de752f73f44af1c11ed9bc58432167a54b26492b40b717e2beb299768a708d1da53af

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\SQLBOX.exe
Filesize
667KB

MD5
44f5842dd56e95e8fda423f7937c11cb

SHA1
387ce287a291f5ca6a3fccc6ba5684d08e41e75a

SHA256
c3b831d93604df8d708b81f1aefe32bb3016826abf8e47b6a13b110b274bc407

SHA512
9210abb3ef7c094e41ba6017067cff5bb6439969dba4354b1c6acd70ff7de752f73f44af1c11ed9bc58432167a54b26492b40b717e2beb299768a708d1da53af

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\charset_normalizer-2.0.4.dist-info\INSTALLER
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\dulwich\tests\data\repos\empty.git\refs\heads\.gitignore
Filesize
14B

MD5
ff52e986b98e9119818fbe49c33b967f

SHA1
9f2903bb1ae955015fa8f73b6ec7a7e1a487f61b

SHA256
e49bdf8c01314f987ba33b15b4ec3fae9f76321db1650773d2b5cb563b0c6917

SHA512
6a48f662d60db278bd1ad5f1c261adb1e82b63238d98a4240c2b96c3bd1285edfe0b491b6f3341d12a4ed98e6b98658b3f695f409ee5663561757f66ab34b469

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\dulwich\tests\data\repos\ooo_merge.git\HEAD
Filesize
24B

MD5
b5f96fd6db21a15ca1b84e9f02ad5551

SHA1
509e0f78e789c5517a73f9884e9c4d0c89abf07b

SHA256
5ece82a78782acf6a8e184b8fcc397606b1ac4c7e3c4d379240cfb3ef3e8e1d7

SHA512
dd92eb021911490e737e6cbbd7bbbe40872e93dbf79b6bcd99afcd5c8c577cfb366855b0e3d69a72e946ab0b2b6c701c47daf71fc7efae329cc7c8b16897f51c

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\dulwich\tests\data\repos\simple_merge.git\objects\95\4a536f7819d40e6f637f849ee187dd10066349
Filesize
22B

MD5
f9c4b06d4556e78cc429f19f53026f9c

SHA1
8c114a22a853d3a928da44f2136db0e0cb78f71c

SHA256
6cd77d5900e2230bb3e6bd377b5117707870ed397f8ffe5e227e43df016d5989

SHA512
d9e0d934a5a6b091f664c9837e475c2f9e77b8a8b94ced71a5b5d4f8949c535c40315180bc57759017039389a1268f7e46d62b2c789db547df6543d57579fdc3

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\dulwich\tests\data\trees\70\c190eb48fa8bbb50ddc692a17b44cb781af7f6
Filesize
71B

MD5
6585f06697c6b9deaf7fbc488a101463

SHA1
73a07d7f4791583fe3bcf44a45de6e23641a8d4d

SHA256
2f1ea9db1dd0be30ff1b3a00dd646447077d92ad3a98a60e14f10bdf7265c43b

SHA512
aa007720aad452377046d25c06d424c1cc54b43f96f10b7e7642a5eb0f6becd0932f7cf4667dcae4ee329812cb03a8f5641b1e63ff8f06a5184a657950ab2bb9

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\pip\_internal\network\auth.py
Filesize
11KB

MD5
acc3018105dff841a20ebe9c9b3531d9

SHA1
a4a81ea92a883b2d2a9e3dc3d87d48ec5e15efb3

SHA256
76ddcdbd3449f35f364b756975814464c3d3d0984e287c85b51f8ef893252482

SHA512
6cd80518b48c94ca02150787102a0f5779a4aef25080ca14bc66a6faf4105d4ddd15568eb58fb9cc981276dcedfe6d31ad3208dc21b263c3e25bb299f117812f

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\pip\_vendor\requests\auth.py
Filesize
9KB

MD5
1a21f3f8f2851b46f099fbcbd5748867

SHA1
a4ff1efafc575773b4f225721cdf83c0ee81ab39

SHA256
38ca092152b244bcbd4c7afdd72f2bc72b19b9c9703c1f8ad57835cc1a265214

SHA512
dc86643b6b2954f9758296045242a5f3178fad77c4c0a15295194ee28f819ec7ca7d4d9ff0e43d6170dd907734082c34d136452170dfd244964933aed12c23ce

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\pip\_vendor\requests\auth.py
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\requests\auth.py
Filesize
9KB

MD5
1a21f3f8f2851b46f099fbcbd5748867

SHA1
a4ff1efafc575773b4f225721cdf83c0ee81ab39

SHA256
38ca092152b244bcbd4c7afdd72f2bc72b19b9c9703c1f8ad57835cc1a265214

SHA512
dc86643b6b2954f9758296045242a5f3178fad77c4c0a15295194ee28f819ec7ca7d4d9ff0e43d6170dd907734082c34d136452170dfd244964933aed12c23ce

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\setuptools\_vendor\packaging\__init__.py
Filesize
562B

MD5
2eed0787819307cc2e25cf45a4a9b5ad

SHA1
74e5f4a45cf9a2e4e3e1f66456676bc7c49b2fd1

SHA256
e9e9dba795e045f8c18ec23df9b9f4d078c77f94c7db53c330e2a4256f31c3ec

SHA512
3dbe5d38dfbafdae2bd2d0bc621996e3b5b857e714bb2f24264a88d929349255f9332256ce01121b8e19ba9f2ace51d5da9db3898066f43ad2f4975ed2692537

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Lib\site-packages\soupsieve-2.2.1.dist-info\WHEEL
Filesize
92B

MD5
11aa48dbe7e7cc631b11dd66dc493aeb

SHA1
249fdb01ad3e3f71356e33e1897d06f23cfb20c2

SHA256
3aa464174798e461ecb0ca2b16395b4c8ab4ef6be91e917ad1f21003a952f710

SHA512
edd5892c9b2fe1f2439c53d2cd05f4478ec360885054bd06afcf7936f6d066377fee07796dae9ecdf810e3d6100e039cad48f00ad0e3145693d53e844cc5319d

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_env\python\Scripts\normalizer.exe
Filesize
103KB

MD5
9bc20ecb652bdd71f09b6de65923b64f

SHA1
d2bd5cea969f87868db9567475c81e1de1108954

SHA256
8106c3c1eded5f2a2fd4eb19419116756139647419e4d2e147b6a9842474a2c7

SHA512
dc73a460a262ca0b51a8254f0687f26fac9067c6d2edda3cc6091f684a0675d261ed1ed44b155cc44f0243fcda03fa122694a8c724d74634d06d430f85d8b748

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_tools\nmap\scripts\auth-owners.nse
Filesize
2KB

MD5
dad4292ae11ed26b049e1cc47af63226

SHA1
06051af0c125324cb6bec4aafd26ea80f879430a

SHA256
e15e2151926d6d3f21ad3790d62734aca9a141c24dd61e4643394e8eb5f6063a

SHA512
756a986dcdb15bec4135ac74aca732455d296fbab910a3a36e904603797f156473ed88c99f9263b1cb2a95bf679ef48127fc0fe0a9d459c4b638639afc41d98e

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_tools\sqlmap\extra\dbgtool\__init__.py
Filesize
146B

MD5
d51431ce81616e81ffab62e201c7976d

SHA1
90b1c1b085383a3f8c7a9a293b076c36e0d50180

SHA256
613c052f7ad605b4cd31a604dfb697c114f4b0caf38dd6ab6c76077a3e89a067

SHA512
2a50f1f11ba51f2397118d88afd160e6565223c2b8e9a08e72db1ce33ce703096e818e421db2fb6829e3cae30d98930c4d3171b8320e9b4f105d2e6a7edf5071

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_tools\sqlmap\plugins\dbms\cratedb\filesystem.py
Filesize
259B

MD5
ded3f3123d4da5f240213755fad3d52a

SHA1
9256e406af1a1efc2d41f9d67883395ed40d1feb

SHA256
41393352e30dfe0eac87ddb1c2b6521243c7e664bcca2ceb70e86e408bd31143

SHA512
2275a62855b48b6629db096f41039bb67bfe393ebe4958b98e949986e25aadc34654a9502e2db47bf365ffc22014aee73e38a1239416e3499ec305b9d79f584f

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_tools\sqlmap\plugins\dbms\extremedb\syntax.py
Filesize
447B

MD5
02bd34acfeb582de959bb89eebb3127f

SHA1
ef58708231905a6e237de713d251f8d5c453a929

SHA256
b97fa025718ac94f60412803d28d02bbcd2f8488f2bd68f39b010c206dfd51e3

SHA512
540da12be07a917b6a2ec9be87436ccc19e5835a014e963afac45f3386308f786a10d364cc448762ca2a03406b4d5d03c3e82984ec660fa45eb183fd574626a6

Download Submit
C:\Users\Admin\Desktop\SQLBOX Cracked\SQLBOX Cracked\XDATA\_tools\sqlmap\plugins\dbms\presto\syntax.py
Filesize
677B

MD5
3668cd26fbb3351accfe1f6eddd63e2d

SHA1
10ff437c69db25e08f513e55ca07ee2e416a3c22

SHA256
aa5fdb335fa859b363e3ad0a0cf00ae411cea9f734ea333e1052d0ead0bb93a0

SHA512
e6bd1f86553373357738005a72e5b5ffcc05ed507b520571d5dcc4679f11a2adb9f1b0bb62973eb8e58ecd3de6e4dcd7169c7b84f6273adfc063df6b2a20c0a3

Download Submit
memory/3316-7434-0x0000000005390000-0x0000000005934000-memory.dmp

Filesize
5.6MB

Download
memory/3316-7439-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3316-7443-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3316-7437-0x00000000059E0000-0x00000000059EA000-memory.dmp

Filesize
40KB

Download
memory/3316-7436-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3316-7435-0x0000000005940000-0x00000000059D2000-memory.dmp

Filesize
584KB

Download
memory/3316-7438-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3316-7433-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3316-7441-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3316-7442-0x0000000005A60000-0x0000000005A70000-memory.dmp

Filesize
64KB

Download
memory/3580-7490-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3580-7491-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3580-7492-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/3580-7493-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/3580-7495-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/3580-7496-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/3580-7497-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download