Analysis
-
max time kernel
66s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-12-2023 08:55
General
-
Target
memorium.exe
-
Size
1.6MB
-
MD5
c4ee913e290d76916d7e7658049491a5
-
SHA1
9e3e83c128e51a3f8b9a044957a390429e6b5e29
-
SHA256
967e7d816b6ec752b3d99256dacc0216af80f63046f36d4db699c90219c17ae5
-
SHA512
06aabdc66e26f2c2f66314cbcb7f7ae8735fd57f4b51778d7866a3a5272b58d15e724b2c4f7cced20614edbb056d6fee82a76828288908cffbc772ab95dbb5f1
-
SSDEEP
24576:vbw+7NLKcPZFML5xxIOUyTyPUz977wsAKaBApkF77RpoCgfdt6on7iuk77DNj:jwuYLZIYyPUzJAKrq6hp+ZDN
Malware Config
Signatures
-
Cerber 23 IoCs
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 11 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Kills process with taskkill 16 IoCs
-
Modifies registry key 1 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
-
Suspicious behavior: LoadsDriver 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\memorium.exe"C:\Users\Admin\AppData\Local\Temp\memorium.exe"1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerUI.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im HTTPDebuggerSvc.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop HTTPDebuggerPro3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im epicgameslauncher.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im epicgameslauncher.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicWebHelper.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicWebHelper.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient - Win64 - Shipping_EAC.exe3⤵
- Cerber
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping_BE.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient - Win64 - Shipping_BE.exe3⤵
- Cerber
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteLauncher.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteLauncher.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient - Win64 - Shipping.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im FortniteClient - Win64 - Shipping.exe3⤵
- Cerber
- Kills process with taskkill
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EpicGamesLauncher.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im EasyAntiCheat.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im EasyAntiCheat.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im BEService.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEService.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d 4359572-4348-17746-12159 /f4⤵
- Modifies registry key
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im BEServices.exe > nul2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /f /im BEServices.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /f /im BattleEye.exe > nul2⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im BattleEye.exe3⤵
- Cerber
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop BattlEye Service2⤵
-
C:\Windows\system32\sc.exesc stop BattlEye Service3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc stop EasyAntiCheat2⤵
-
C:\Windows\system32\sc.exesc stop EasyAntiCheat3⤵
- Launches sc.exe
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo Volumeid(s):2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vol C:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vol D:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo Motherboard:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo CHASSIS:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic systemenclosure get serialnumber2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic systemenclosure get serialnumber3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo SMBIOS:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo BIOS:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic bios get serialnumber2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get serialnumber3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo CPU:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic cpu get serialnumber2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get serialnumber3⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /BS 4288-26251-4552-126414⤵
- Cerber
- Executes dropped EXE
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo Mac:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c getmac2⤵
-
C:\Windows\system32\getmac.exegetmac3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo DISK SERIALS SHOULDN'T CHANGE2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /SU auto2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /SU auto3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /SS %random%-%random%2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /BS %random%-%random%-%random%-%random%2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /CS %random%-%random%-%random%2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /CS 4291-4232-224163⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /SK "To be filled by O.E.M"2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /SK "To be filled by O.E.M"3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /SF "To be filled by O.E.M."2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /SF "To be filled by O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /BT "To be filled by O.E.M."2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /BT "To be filled by O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /BLC "To be filled by O.E.M."2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /BLC "To be filled by O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /CA "To be filled by O.E.M."2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /CA "To be filled by O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /CSK "To be filled by O.E.M."2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /CSK "To be filled by O.E.M."3⤵
- Cerber
- Executes dropped EXE
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /IVN "American Megatrends International, LLC."2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /ID "06/27/23"2⤵
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /ID "06/27/23"3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\zhjers.exe /IV "A.F0"2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vdfjdisfudasu.exe C:\ 1C6E-93E42⤵
-
C:\Windows\System32\vdfjdisfudasu.exeC:\Windows\System32\vdfjdisfudasu.exe C:\ 1C6E-93E43⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vdfjdisfudasu.exe E:\ 7CE9-36BC2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\vdfjdisfudasu.exe D:\ 1B9B-20912⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v ProductId /t REG_SZ /d 4359572-4348-17746-12159 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d %random% /f2⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v BuildLabEx /t REG_SZ /d 4359 /f3⤵
- Modifies registry key
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic computersystem where name=%computername% call rename=%random%2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem where name=EYHRDPTG call rename=43593⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {%random%%random%-%random%-%random%-%random%%random%} /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d %random% /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d %random%%random% /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD HKLM\SOFTWARE\Microsoft\Cryptography /v MachineGuid /t REG_SZ /d %random%%random%-%random%-%random%-%random% /f2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo Volumeid(s):2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vol C:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vol D:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo Motherboard:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo CHASSIS:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic systemenclosure get serialnumber2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo SMBIOS:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo BIOS:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic bios get serialnumber2⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get serialnumber3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo CPU:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wmic cpu get serialnumber2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo Mac:2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c getmac2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo DISK SERIALS SHOULDN'T CHANGE2⤵
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /SS 4288-262511⤵
- Cerber
- Executes dropped EXE
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /IVN "American Megatrends International, LLC."1⤵
- Executes dropped EXE
-
C:\Windows\System32\zhjers.exeC:\Windows\System32\zhjers.exe /IV "A.F0"1⤵
-
C:\Windows\System32\vdfjdisfudasu.exeC:\Windows\System32\vdfjdisfudasu.exe D:\ 1B9B-20911⤵
-
C:\Windows\System32\vdfjdisfudasu.exeC:\Windows\System32\vdfjdisfudasu.exe E:\ 7CE9-36BC1⤵
-
C:\Windows\system32\reg.exeREG ADD HKLM\SYSTEM\CurrentControlSet\Control\IDConfigDB\Hardware" "Profiles\0001 /v HwProfileGuid /t REG_SZ /d {4359572-4348-17746-121598345} /f1⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallTime /t REG_SZ /d 4359 /f1⤵
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKLM\SOFTWARE\Microsoft\Windows" "NT\CurrentVersion /v InstallDate /t REG_SZ /d 4359572 /f1⤵
- Modifies registry key
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic baseboard get serialnumber1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic systemenclosure get serialnumber1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_computersystemproduct get uuid1⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get serialnumber1⤵
-
C:\Windows\system32\getmac.exegetmac1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29KB
MD5f22740ba54a400fd2be7690bb204aa08
SHA15812387783d61c6ab5702213bb968590a18065e3
SHA25665c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
-
Filesize
110KB
MD5bae958a8bc719b40071b326ea518aad1
SHA12b569acb88b6d3e7d4c8c4644bb54778c524c48a
SHA2560142b7fdf0f9f803625aeaadc318971d81b2df4e76e5e17b2914d0959aa2d6ed
SHA512559eed92dba9cbcc351fafa602daf961a12375b3e52e5920296a6b584b6511c8619deb80c183be58b58157d47c4d9d650b65cd51facffd6fbfcf52a9e42a08fa
-
Filesize
39KB
MD56d92487a3157d27c93102d18d2f7198a
SHA1166bfe5b85227d24839a7af02d7156009ca086cf
SHA2565448d31a6c0002b5ab8356bd68c8b40c830f5aa0427b4bbf915b6ba17157b18f
SHA512e0e34363f488774b92b31ee93d8a1bdeba071b7e2bb014fa4cd17fd69edb5117380b093bee51564f3a50b1086454cc28f2d59c014d24a49fcf67bba858854b53
-
Filesize
17KB
MD56a61203de060723e97ed7b65cd6f7bd0
SHA1352062a111a3c9bed28282e7e5e6882947f9f73f
SHA256919887e03592f745870a404056ec41bb1407d8dc5c6cb090ae770fee1acb5bf2
SHA512469d9ae8596955b00fa9023918f3ffadf5f7405da24ad2f8260f53600bb8b8c18085f11becfe2841a3a932017c8bbd810688ef6240daf9d465bf94bd52aebff4
-
Filesize
123KB
MD5cae0abe8f8198fdef791be6212c5b566
SHA10b89992ba85621eaab90d63712ff787ea3a0a3f7
SHA256374da733d89b72354d7a1944bb999648fca230dbf38c333d647906726820922d
SHA512e3d83a6f41c8769b414401ebcbf9121229bd2781f34b109f860e44cff64090030097aec52d54a0774a98f6446a818701b9ab1d5c105470295e51311863cde5f3
-
Filesize
102KB
MD52cb4f473fed508de278ab428a0658de4
SHA16cf30aaf671d4fef24f741698b31e21e8fa281fb
SHA2564c49f35f9ec023b6f25b53074ee78d0f5ccabb05e245fdd7af90a1251f332343
SHA512a8b6322a2ab1e554642f9ab8424643d97518f908f89d3bdc4feee970d159c2eb8f70905d9a64c51f027490c51a5da71569bbbfed9bbfc4add9b21223bb5504c9
-
Filesize
65KB
MD5443ca362e0e957abb44ec92b14770e7c
SHA17a54d8cd640efccdcfcba109dee297da1eda2285
SHA25664bd1f463b33936241c53d55364b60a9a195e2f9c855548d63a45f61195c9ccc
SHA512c64e76c5646c5aa3dc142e387a2cf4c85f195a1e6528cd147a96812461f9e082dfc1050b87bf4b36c44ce930e4a96b502fdb79d4b5f734ed09c574684d622f51
-
Filesize
84KB
MD578e144a4a6ba9d850ba132940c1b033b
SHA1e00623d11c7962e2aa10bcdc6f43116616e86207
SHA256868d5f9f1e600c342392fee4e9c2572d1f72b1560080c8773a5bd57354c9a8c9
SHA51282a7df042a2e1065652f968a17414c13a66b2444b0f44cb039ad292604bdcbba28e63bdfb48e2d58cb477f3dedb1e424799f731aaa4ded477f5f5bcd5826d123
-
Filesize
151KB
MD5f6eb3a285f71552d284a0e2f353569e8
SHA1d43dace3217955ce41da9da514d7d299761b9ff1
SHA256e8b4b811924810beee42f6b8fcb70f3629a1026ac28570837f6ad32232115553
SHA512df3fac32e80b66e718e636f5f0d81f392efa4773e2686779a3d03e07bf862f982e31702ac9431ac9f4534fb10ce7e11aa978e71c3c323c42a80c8a9813a4d284
-
Filesize
15KB
MD5bf0c0278487f4a426305dbd26c072e7a
SHA1b754f676219d1ec2b155596efefc348fe8ee75a8
SHA25666f38f8a13a458d3c57b6a4a86a655e896560198d103add897fc29a9c2ef06f0
SHA5124d08de950827d71b3af3ffdaf1d10ef2dcc1c53458cce5655aa8117ee4d44cb7b063f717fd337db11551fcd340f19171a924f13a30fd190d01440f63de70ce49
-
Filesize
97KB
MD58d9d5100a22eb75a2568c9f2fe09632e
SHA154a37edaf8516c50d3bde3991dbabe6d16129c82
SHA2565cb1bfc78af7114167f9c876f9daafc3e19a6b8342c6f73b2bd94504bb16732d
SHA51241475d4eab64f822842aae31075a6745b85ca24c9db743ddb30514914feaa0da8b23cad543e6d6f021de6c090f76182e23b89ed6dcaebc5b5a8eeb0e3eb305eb
-
Filesize
113KB
MD57fb129a96ffa7cfdf695ca0193e4a083
SHA1eae9714df05c2231c145ff31f32cab55500ede7e
SHA2563d11b807e1547303e0391d8b6458ff67f0ae68615da4162ae04447322ad413f0
SHA5121966e5667f82b93e47da8690c82672f5262fa6ad1cdcf6f3e54b35ceaab93a517c975d4d53463d73ed43b86c5d2c2d5df3b67e2fd98d29e8e222778870dfdae7
-
Filesize
327KB
MD50019893fc6514821617f901fc6c42945
SHA1ea98981dcf95f16ed7d4f851ebf171206c573aa5
SHA256bfc3eb77578987ac85bd6abd27c7c5d33448cbd162cdc045853bbf9ff0d30f84
SHA5127903e7b4816ba20fff0007cc6fba933f8662d2f1ff5d8ce935a2b34f669c38997baf2ef827e71d74e1e3a27559a601a42aea33a5ea1124e464f39e221f033891
-
Filesize
230KB
MD5158f2f592b9a9053e40b71dd31fe6ce9
SHA1937fa870d2b195604ae77286d0b250d07adf24d0
SHA256c1f38ef765866022ecfa380f16f75302ecbb4493e92c4ecbe2885e9ee23ad56e
SHA512c58605984cbd8d717ef99477e5ada320db3380f92bd2fd495949064b23e91fb1e10d17f036cc5349b8993f2ec1ab89909f39efc365558cf2f625b3d92ec25275
-
Filesize
28KB
MD52fc711de74dddfdcb256821cc068b115
SHA1671968eb1ef61231510ddd748e6f8d0d1cea9c16
SHA2561595dd9cdb7dabdacac602977f2d639946a9317b4b73092e1acc045f561b39ea
SHA51290e7f100188ba2d5c3429021523b4157e9f11ea4cf604c2871f719c5b3b6342883b3b8b226868c921246eb84e6d42e83f7f47d866c800a2aad997ed28b5ace74
-
Filesize
151KB
MD585ab74a26bc0cf6b3a36367867d5075d
SHA19d43f6048f7ad6b6aa801d4c45d261256cd3ee34
SHA2567b27b9031eacbdaba479dcc1756a5ba3c9205913ce986c803cfc4505ba25878f
SHA512640ee57d93ec922aa6ce46ce5ece6f3061c7860885fb2ea3570aac44313fbb5245060895ead24b4de6bd1b90dcd53297357f9accbc6999785eceb40778cfd5d4
-
Filesize
125KB
MD56423fcc249e0e4290d316efc12dd62b5
SHA1d8cfc9179e0710c32b62199a6ee8b08e194b6468
SHA2569a23fd374af7d6314e9b6e5992d110694e24710636f66bf951795306cfceb244
SHA5128228aa16413119b62a69e7eaffbd09a0128df799b442b1762e3291fda63dd2c1c276c97b5ca896f4856515c3d46a6d2d2c60849d7b8a3edc01ec171aef8b38bb
-
Filesize
58KB
MD55244fcb9e640a2394fa5e2fb4d8f2d22
SHA1f0617b5b2672901556443d1a3da0afa6b15895da
SHA256b52a5d7746a4fb3fb2d65d9c8ac24ee3fba53203ec064840b0f8030ecbd9862c
SHA51286c64dfd033b0a7393ae0cb6a63ab4d297286e7cd1f98ee1f7750ba150265d85a37e69c8028e29d3379f27e4ffd0b77746b0a01cbb8a444bf35bc44b3ac45ff0