5f1d73602982331b76d49f123d1defdf29c394c7a84571b1834afeb2690dcadc

Analysis

max time kernel
152s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8aaf342051afd5949aa5119134405d.exe
Size

12.3MB
MD5

5f8aaf342051afd5949aa5119134405d
SHA1

0f403390eb2dd0187347c0598fe553b538e202d0
SHA256

5f1d73602982331b76d49f123d1defdf29c394c7a84571b1834afeb2690dcadc
SHA512

d85d545763ded0dc285460a0822b60912115185d630dbd4e9914e02354bd42695bf58763cb469c1c1bafa7359a420ae1f289a023af350f18f905c4fd95599548
SSDEEP

393216:4QQBBFwWWEpCEDLJ83a10RtN3ZWbs1TJ2KsD:4QKFwW3pCEDtEa6tN3KO

Score

7^/10

spyware stealer

Malware Config

Signatures

Loads dropped DLL 20 IoCs

pid	Process
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe
2612	5f8aaf342051afd5949aa5119134405d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
3	api.ipify.org

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2612	5f8aaf342051afd5949aa5119134405d.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
2640	tasklist.exe
2896	tasklist.exe
1736	tasklist.exe
2600	tasklist.exe
2168	tasklist.exe
892	tasklist.exe
740	tasklist.exe
328	tasklist.exe
1688	tasklist.exe
2552	tasklist.exe
2640	tasklist.exe
328	tasklist.exe
1240	tasklist.exe
2980	tasklist.exe
1944	tasklist.exe
2808	tasklist.exe
1968	tasklist.exe
1920	tasklist.exe
1652	tasklist.exe
1912	tasklist.exe
1708	tasklist.exe
2272	tasklist.exe
1808	tasklist.exe
1704	tasklist.exe
2080	tasklist.exe
1356	tasklist.exe
1928	tasklist.exe
1012	tasklist.exe
2304	tasklist.exe
2752	tasklist.exe
1664	tasklist.exe
1636	tasklist.exe
604	tasklist.exe
1196	tasklist.exe
1848	tasklist.exe
2808	tasklist.exe
1816	tasklist.exe
2232	tasklist.exe
2416	tasklist.exe
2044	tasklist.exe
2996	tasklist.exe
832	tasklist.exe
876	tasklist.exe
1308	tasklist.exe
1324	tasklist.exe
2464	tasklist.exe
2172	tasklist.exe
2168	tasklist.exe
744	tasklist.exe
2540	tasklist.exe
856	tasklist.exe
2268	tasklist.exe
2688	tasklist.exe
112	tasklist.exe
940	tasklist.exe
544	tasklist.exe
1560	tasklist.exe
2204	tasklist.exe
792	tasklist.exe
2520	tasklist.exe
1576	tasklist.exe
2584	tasklist.exe
2628	tasklist.exe
2556	tasklist.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2852	wmic.exe
Token: SeSecurityPrivilege	2852	wmic.exe
Token: SeTakeOwnershipPrivilege	2852	wmic.exe
Token: SeLoadDriverPrivilege	2852	wmic.exe
Token: SeSystemProfilePrivilege	2852	wmic.exe
Token: SeSystemtimePrivilege	2852	wmic.exe
Token: SeProfSingleProcessPrivilege	2852	wmic.exe
Token: SeIncBasePriorityPrivilege	2852	wmic.exe
Token: SeCreatePagefilePrivilege	2852	wmic.exe
Token: SeBackupPrivilege	2852	wmic.exe
Token: SeRestorePrivilege	2852	wmic.exe
Token: SeShutdownPrivilege	2852	wmic.exe
Token: SeDebugPrivilege	2852	wmic.exe
Token: SeSystemEnvironmentPrivilege	2852	wmic.exe
Token: SeRemoteShutdownPrivilege	2852	wmic.exe
Token: SeUndockPrivilege	2852	wmic.exe
Token: SeManageVolumePrivilege	2852	wmic.exe
Token: 33	2852	wmic.exe
Token: 34	2852	wmic.exe
Token: 35	2852	wmic.exe
Token: SeIncreaseQuotaPrivilege	2852	wmic.exe
Token: SeSecurityPrivilege	2852	wmic.exe
Token: SeTakeOwnershipPrivilege	2852	wmic.exe
Token: SeLoadDriverPrivilege	2852	wmic.exe
Token: SeSystemProfilePrivilege	2852	wmic.exe
Token: SeSystemtimePrivilege	2852	wmic.exe
Token: SeProfSingleProcessPrivilege	2852	wmic.exe
Token: SeIncBasePriorityPrivilege	2852	wmic.exe
Token: SeCreatePagefilePrivilege	2852	wmic.exe
Token: SeBackupPrivilege	2852	wmic.exe
Token: SeRestorePrivilege	2852	wmic.exe
Token: SeShutdownPrivilege	2852	wmic.exe
Token: SeDebugPrivilege	2852	wmic.exe
Token: SeSystemEnvironmentPrivilege	2852	wmic.exe
Token: SeRemoteShutdownPrivilege	2852	wmic.exe
Token: SeUndockPrivilege	2852	wmic.exe
Token: SeManageVolumePrivilege	2852	wmic.exe
Token: 33	2852	wmic.exe
Token: 34	2852	wmic.exe
Token: 35	2852	wmic.exe
Token: SeDebugPrivilege	2584	tasklist.exe
Token: SeDebugPrivilege	2628	tasklist.exe
Token: SeDebugPrivilege	2272	tasklist.exe
Token: SeDebugPrivilege	2556	tasklist.exe
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeDebugPrivilege	2640	tasklist.exe
Token: SeDebugPrivilege	2808	tasklist.exe
Token: SeDebugPrivilege	1816	tasklist.exe
Token: SeDebugPrivilege	2896	tasklist.exe
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeDebugPrivilege	740	tasklist.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	1808	tasklist.exe
Token: SeDebugPrivilege	1340	tasklist.exe
Token: SeDebugPrivilege	1636	tasklist.exe
Token: SeDebugPrivilege	328	tasklist.exe
Token: SeDebugPrivilege	2168	tasklist.exe
Token: SeDebugPrivilege	1576	tasklist.exe
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeDebugPrivilege	2904	tasklist.exe
Token: SeDebugPrivilege	2232	tasklist.exe
Token: SeDebugPrivilege	2416	tasklist.exe
Token: SeDebugPrivilege	2204	tasklist.exe
Token: SeDebugPrivilege	2268	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2612	1936	5f8aaf342051afd5949aa5119134405d.exe	31
PID 1936 wrote to memory of 2612	1936	5f8aaf342051afd5949aa5119134405d.exe	31
PID 1936 wrote to memory of 2612	1936	5f8aaf342051afd5949aa5119134405d.exe	31
PID 2612 wrote to memory of 2008	2612	5f8aaf342051afd5949aa5119134405d.exe	32
PID 2612 wrote to memory of 2008	2612	5f8aaf342051afd5949aa5119134405d.exe	32
PID 2612 wrote to memory of 2008	2612	5f8aaf342051afd5949aa5119134405d.exe	32
PID 2612 wrote to memory of 2852	2612	5f8aaf342051afd5949aa5119134405d.exe	33
PID 2612 wrote to memory of 2852	2612	5f8aaf342051afd5949aa5119134405d.exe	33
PID 2612 wrote to memory of 2852	2612	5f8aaf342051afd5949aa5119134405d.exe	33
PID 2612 wrote to memory of 2848	2612	5f8aaf342051afd5949aa5119134405d.exe	35
PID 2612 wrote to memory of 2848	2612	5f8aaf342051afd5949aa5119134405d.exe	35
PID 2612 wrote to memory of 2848	2612	5f8aaf342051afd5949aa5119134405d.exe	35
PID 2612 wrote to memory of 2584	2612	5f8aaf342051afd5949aa5119134405d.exe	36
PID 2612 wrote to memory of 2584	2612	5f8aaf342051afd5949aa5119134405d.exe	36
PID 2612 wrote to memory of 2584	2612	5f8aaf342051afd5949aa5119134405d.exe	36
PID 2612 wrote to memory of 2628	2612	5f8aaf342051afd5949aa5119134405d.exe	37
PID 2612 wrote to memory of 2628	2612	5f8aaf342051afd5949aa5119134405d.exe	37
PID 2612 wrote to memory of 2628	2612	5f8aaf342051afd5949aa5119134405d.exe	37
PID 2612 wrote to memory of 2272	2612	5f8aaf342051afd5949aa5119134405d.exe	38
PID 2612 wrote to memory of 2272	2612	5f8aaf342051afd5949aa5119134405d.exe	38
PID 2612 wrote to memory of 2272	2612	5f8aaf342051afd5949aa5119134405d.exe	38
PID 2612 wrote to memory of 2556	2612	5f8aaf342051afd5949aa5119134405d.exe	39
PID 2612 wrote to memory of 2556	2612	5f8aaf342051afd5949aa5119134405d.exe	39
PID 2612 wrote to memory of 2556	2612	5f8aaf342051afd5949aa5119134405d.exe	39
PID 2612 wrote to memory of 1664	2612	5f8aaf342051afd5949aa5119134405d.exe	40
PID 2612 wrote to memory of 1664	2612	5f8aaf342051afd5949aa5119134405d.exe	40
PID 2612 wrote to memory of 1664	2612	5f8aaf342051afd5949aa5119134405d.exe	40
PID 2612 wrote to memory of 2640	2612	5f8aaf342051afd5949aa5119134405d.exe	41
PID 2612 wrote to memory of 2640	2612	5f8aaf342051afd5949aa5119134405d.exe	41
PID 2612 wrote to memory of 2640	2612	5f8aaf342051afd5949aa5119134405d.exe	41
PID 2612 wrote to memory of 2808	2612	5f8aaf342051afd5949aa5119134405d.exe	42
PID 2612 wrote to memory of 2808	2612	5f8aaf342051afd5949aa5119134405d.exe	42
PID 2612 wrote to memory of 2808	2612	5f8aaf342051afd5949aa5119134405d.exe	42
PID 2612 wrote to memory of 1816	2612	5f8aaf342051afd5949aa5119134405d.exe	43
PID 2612 wrote to memory of 1816	2612	5f8aaf342051afd5949aa5119134405d.exe	43
PID 2612 wrote to memory of 1816	2612	5f8aaf342051afd5949aa5119134405d.exe	43
PID 2612 wrote to memory of 2896	2612	5f8aaf342051afd5949aa5119134405d.exe	44
PID 2612 wrote to memory of 2896	2612	5f8aaf342051afd5949aa5119134405d.exe	44
PID 2612 wrote to memory of 2896	2612	5f8aaf342051afd5949aa5119134405d.exe	44
PID 2612 wrote to memory of 1640	2612	5f8aaf342051afd5949aa5119134405d.exe	45
PID 2612 wrote to memory of 1640	2612	5f8aaf342051afd5949aa5119134405d.exe	45
PID 2612 wrote to memory of 1640	2612	5f8aaf342051afd5949aa5119134405d.exe	45
PID 2612 wrote to memory of 740	2612	5f8aaf342051afd5949aa5119134405d.exe	46
PID 2612 wrote to memory of 740	2612	5f8aaf342051afd5949aa5119134405d.exe	46
PID 2612 wrote to memory of 740	2612	5f8aaf342051afd5949aa5119134405d.exe	46
PID 2612 wrote to memory of 2172	2612	5f8aaf342051afd5949aa5119134405d.exe	47
PID 2612 wrote to memory of 2172	2612	5f8aaf342051afd5949aa5119134405d.exe	47
PID 2612 wrote to memory of 2172	2612	5f8aaf342051afd5949aa5119134405d.exe	47
PID 2612 wrote to memory of 1808	2612	5f8aaf342051afd5949aa5119134405d.exe	48
PID 2612 wrote to memory of 1808	2612	5f8aaf342051afd5949aa5119134405d.exe	48
PID 2612 wrote to memory of 1808	2612	5f8aaf342051afd5949aa5119134405d.exe	48
PID 2612 wrote to memory of 1340	2612	5f8aaf342051afd5949aa5119134405d.exe	49
PID 2612 wrote to memory of 1340	2612	5f8aaf342051afd5949aa5119134405d.exe	49
PID 2612 wrote to memory of 1340	2612	5f8aaf342051afd5949aa5119134405d.exe	49
PID 2612 wrote to memory of 1636	2612	5f8aaf342051afd5949aa5119134405d.exe	50
PID 2612 wrote to memory of 1636	2612	5f8aaf342051afd5949aa5119134405d.exe	50
PID 2612 wrote to memory of 1636	2612	5f8aaf342051afd5949aa5119134405d.exe	50
PID 2612 wrote to memory of 328	2612	5f8aaf342051afd5949aa5119134405d.exe	51
PID 2612 wrote to memory of 328	2612	5f8aaf342051afd5949aa5119134405d.exe	51
PID 2612 wrote to memory of 328	2612	5f8aaf342051afd5949aa5119134405d.exe	51
PID 2612 wrote to memory of 2168	2612	5f8aaf342051afd5949aa5119134405d.exe	52
PID 2612 wrote to memory of 2168	2612	5f8aaf342051afd5949aa5119134405d.exe	52
PID 2612 wrote to memory of 2168	2612	5f8aaf342051afd5949aa5119134405d.exe	52
PID 2612 wrote to memory of 1576	2612	5f8aaf342051afd5949aa5119134405d.exe	53

C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe
"C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe
  "C:\Users\Admin\AppData\Local\Temp\5f8aaf342051afd5949aa5119134405d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2008
- - C:\Windows\System32\Wbem\wmic.exe
    wmic csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1664
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1816
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1340
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:792
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:832
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:624
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1928
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:604
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1736
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1704
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1944
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2696
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2520
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2640
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2808
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:744
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1968
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1308
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2504
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:328
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1196
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2304
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2080
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2464
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2540
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:2812
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1240
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:1728
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1356
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:544
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19362\VCRUNTIME140.dll

Filesize
83KB

MD5
210047846b7ba1fb8d5b7eecbcc25504

SHA1
57b477291c7526aa1f6a94558aedbc86f16b01d6

SHA256
c9bba5881f3f52a219fc31e9f114af052f630c2484bc3a27ddaec447c5a9f407

SHA512
6ac824a4d990c1f0ebbebeffdd79dda582b0e6d5c41dd1e9c376e70c92e3e03e014c14460535aea8eb24642082e1637e49ae3121508285e9c4f0c9801847a868

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_bz2.pyd

Filesize
33KB

MD5
a3015f67a63499f3e3a0dbca18f9bf05

SHA1
ce474a948132d9cd580642cc6eba2d3539f8624d

SHA256
6a28f09b893344b7dd3f8e1db0b49f8b34bf17b88572da083c02952734469a7d

SHA512
81f7bfc867fae49448e84a6e63c8e277bdf9f73beae55bf136958687c6f3d991a0c2ac77a9362251181e62b85457f417a0c603e4fbf9e7af6399c351c6a3eaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_pytransform.dll

Filesize
222KB

MD5
219f434d545d51b2d322ca9c542459ad

SHA1
418f3e16d572d9b23b4f8ea8390a9d22dda0e045

SHA256
1f5419de74b61bc96b9775265ec131cf1f7809b80fcd8e1f7c542f8d4829e8c8

SHA512
59efcba9bb55d1dccbdc7a5a89985772ad4335d1754dd0d375693a724943fa1dfa9bcaa720e4b3372f4957d56a57528a183fdce9629b3c971d66deee9af9b680

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\base_library.zip

Filesize
200KB

MD5
d7fbe8e82a4f84afc969e563eb73b53b

SHA1
e5073e26213f60e610a5b8a07e400b013113e3db

SHA256
b507cf499b265c12ed6e9ac6c15480535f1053a0744bbbae0b4b50464a25d3ca

SHA512
d23353da2c9013a9feb376a107a8cc682e10c18cb3daea563f0d68d632107f75d171a1e93648a949972f3eace9ef7734ab0c4c21659b5bef0bf0585a8ee062bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\libcrypto-1_1.dll

Filesize
290KB

MD5
c57d9e652326c6dbe3ffb8963a764d0a

SHA1
f5303aa1ac8cbfd63b081d2d5cd0f564359f7f65

SHA256
ee04c82414b291e70f3606098b21bae4346f3f11266e604b7eaff38be4c7c48f

SHA512
d43d9be20d4de9e4dd04283c2a308c94228a8c44e7776c1957b1f974a247f3b5df5340a617ab99b3cd818d7547d1584b90937b0fc023eabf1313c52bce3fd4ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\libssl-1_1.dll

Filesize
156KB

MD5
6ed89ddcea9d0d676c02a6ca541e8df3

SHA1
b826aa0f178d1dfc32e72186b185a868c0aa6f0a

SHA256
7f5b70d2f804a08a9a1d2c572bc4455068ce33482e983e7e483821bb9bc063bb

SHA512
d6149929c4bb2f031aae040ebe41a18aaba7f1b705bcaf0031e15ce9bf48ec2ab82e0435e40ca868697c943cc5d6675695094fd7911f52c26f0730d0877f769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\pyexpat.pyd

Filesize
187KB

MD5
2ae23047648257afa90d0ca96811979f

SHA1
0833cf7ccae477faa4656c74d593d0f59844cadd

SHA256
5caf51f12406bdb980db1361fab79c51be8cac0a2a0071a083adf4d84f423e95

SHA512
13052eb183bb7eb8bb2740ff39f63805b69e920f2e21b482657a9995aa002579a88296b81ec415942511d2ed146689d1868b446f7e698e72da22f5c182706030

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\python38.dll

Filesize
1.4MB

MD5
f68fa50d7ce5976122a5ed078796aab1

SHA1
5d3b1f390f9df7836ec5d097e00512ce2b858bf3

SHA256
d16aef09556bcd0ca08cf877063f853bb7a3571815a305829bb7b7f806e43a97

SHA512
c0e27e0c05561ddc97d58f362dc543dee05076d70c5ffa305c19d8708317f39ec4656f3aa50cef24c7b9be2e4052ae0f7dcedbd42ce3e641d047e3f67e628d83

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\_bz2.pyd

Filesize
85KB

MD5
a49c5f406456b79254eb65d015b81088

SHA1
cfc2a2a89c63df52947af3610e4d9b8999399c91

SHA256
ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced

SHA512
bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\_ctypes.pyd

Filesize
124KB

MD5
291a0a9b63bae00a4222a6df71a22023

SHA1
7a6a2aad634ec30e8edb2d2d8d0895c708d84551

SHA256
820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324

SHA512
d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\_lzma.pyd

Filesize
159KB

MD5
cf9fd17b1706f3044a8f74f6d398d5f1

SHA1
c5cd0debbde042445b9722a676ff36a0ac3959ad

SHA256
9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4

SHA512
5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\_pytransform.dll

Filesize
125KB

MD5
9a43176c3f8381d7e0e91c9cd8141bbf

SHA1
78dfd73e15f8397c1d8eb49717978dd49fd9e7b5

SHA256
53092452b1f3650314aa79e82fea25e8bf2d8686868383920bd688ab6b2f2264

SHA512
ae0984a38f13e1ba49447a04433c1656b5b91ae1a2dc312ca1ee0329911ff78cd30f38473391014024777005089b9c8450b649bd271ddce967b6510615ac79b2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\_socket.pyd

Filesize
78KB

MD5
4827652de133c83fa1cae839b361856c

SHA1
182f9a04bdc42766cfd5fb352f2cb22e5c26665e

SHA256
87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba

SHA512
8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\_ssl.pyd

Filesize
152KB

MD5
d4dfd8c2894670e9f8d6302c09997300

SHA1
c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e

SHA256
0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0

SHA512
1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\libcrypto-1_1.dll

Filesize
415KB

MD5
4065eb1430fde474d57e484f3ab6ab87

SHA1
dc065e9d9da4710fad8daf2f1231e4ce4c7aacee

SHA256
f3e11c05aa71f67e16f6a0abcac271d1e5cd75f46f732fb0cffd38a48168c135

SHA512
c0fc7e3cb148fbb2357516e4aee8b4f2e3cbb8f26256556707697c24deb2c91555e15925b8038e046e3d0b2a89afe9e1debb797e8ee12ed9b12b1f4306669297

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\libssl-1_1.dll

Filesize
229KB

MD5
8d52d06234550e79446396cd0c3cfe28

SHA1
f62bf971f788802b6be1c81f0de82c06dfe80da7

SHA256
99dd4379c94e3cd6bfe71d86874e6f475b75f3ed4b8ce4defbe45569613c749c

SHA512
06830a727213735cdb8232bd9d653f58a3c81f24560754f639c354e308211831d8e7673b2935ffd482d9e1f3f94840da0a2e95534f0ab4642b29dcd491c2afd1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19362\python38.dll

Filesize
355KB

MD5
7164acc998c52ae7b3de661ef247b74e

SHA1
adfac9f693630af2fe6780834dec0c39e1e3a416

SHA256
1966d3871be5b11c2ac707e56a9df9886c86b82d678c4782ce8117d8b87bb306

SHA512
cd4a844274532ed9f0a40324cd76cf7666e5b6bf9c3bc40a50d2f0fa6e018967f2189266fd636b87cbab4c4c418cc552785f0fe1591a36639d992c51aee6df0b

Download Submit
memory/2612-1011-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-991-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1021-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1019-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1017-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1015-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1013-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1025-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1009-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1007-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1005-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1003-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1001-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-999-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-997-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-995-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-993-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1023-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-989-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-987-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-985-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-983-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-982-0x0000000002E70000-0x0000000002E71000-memory.dmp

Filesize
4KB

Download
memory/2612-1027-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1029-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1031-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1033-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1037-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1039-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1041-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1043-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1045-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2612-1035-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download