a6b9b8fa15a63c2c8c89a54dde4f5dffaafd6c5f62c9e05cb21c645f4c7b9c86

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/03/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.TrojanX-gen.30150.exe
Size

1.3MB
MD5

9b83f4aef17adc5febcbd1c7f787047e
SHA1

b19fbf4f4c053d46bb99afbde6fecd7e4e547700
SHA256

a6b9b8fa15a63c2c8c89a54dde4f5dffaafd6c5f62c9e05cb21c645f4c7b9c86
SHA512

ac8cb32d4050142c57e050b666c65eebe64d5e5ab65884ee8172377761c0daa439c22055810364b967f259db7519705a22b5dececf0c135e94c024bc7dcfe324
SSDEEP

12288:OUtF7OEA8ynvlk7Bw7B67BpJFJSJipac/MZBNmXVytYSAOZHxCkMhrIGtfyog7N5:V/AvkeE9jY6/2BeotYSLtxvMhrIGh8b

Score

1^/10

Malware Config

Signatures

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1688	WMIC.exe
Token: SeSecurityPrivilege	1688	WMIC.exe
Token: SeTakeOwnershipPrivilege	1688	WMIC.exe
Token: SeLoadDriverPrivilege	1688	WMIC.exe
Token: SeSystemProfilePrivilege	1688	WMIC.exe
Token: SeSystemtimePrivilege	1688	WMIC.exe
Token: SeProfSingleProcessPrivilege	1688	WMIC.exe
Token: SeIncBasePriorityPrivilege	1688	WMIC.exe
Token: SeCreatePagefilePrivilege	1688	WMIC.exe
Token: SeBackupPrivilege	1688	WMIC.exe
Token: SeRestorePrivilege	1688	WMIC.exe
Token: SeShutdownPrivilege	1688	WMIC.exe
Token: SeDebugPrivilege	1688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1688	WMIC.exe
Token: SeRemoteShutdownPrivilege	1688	WMIC.exe
Token: SeUndockPrivilege	1688	WMIC.exe
Token: SeManageVolumePrivilege	1688	WMIC.exe
Token: 33	1688	WMIC.exe
Token: 34	1688	WMIC.exe
Token: 35	1688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe
Token: SeSystemProfilePrivilege	840	WMIC.exe
Token: SeSystemtimePrivilege	840	WMIC.exe
Token: SeProfSingleProcessPrivilege	840	WMIC.exe
Token: SeIncBasePriorityPrivilege	840	WMIC.exe
Token: SeCreatePagefilePrivilege	840	WMIC.exe
Token: SeBackupPrivilege	840	WMIC.exe
Token: SeRestorePrivilege	840	WMIC.exe
Token: SeShutdownPrivilege	840	WMIC.exe
Token: SeDebugPrivilege	840	WMIC.exe
Token: SeSystemEnvironmentPrivilege	840	WMIC.exe
Token: SeRemoteShutdownPrivilege	840	WMIC.exe
Token: SeUndockPrivilege	840	WMIC.exe
Token: SeManageVolumePrivilege	840	WMIC.exe
Token: 33	840	WMIC.exe
Token: 34	840	WMIC.exe
Token: 35	840	WMIC.exe
Token: SeIncreaseQuotaPrivilege	840	WMIC.exe
Token: SeSecurityPrivilege	840	WMIC.exe
Token: SeTakeOwnershipPrivilege	840	WMIC.exe
Token: SeLoadDriverPrivilege	840	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2036	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	28
PID 2948 wrote to memory of 2036	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	28
PID 2948 wrote to memory of 2036	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	28
PID 2948 wrote to memory of 2036	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	28
PID 2948 wrote to memory of 2708	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	30
PID 2948 wrote to memory of 2708	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	30
PID 2948 wrote to memory of 2708	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	30
PID 2948 wrote to memory of 2708	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	30
PID 2948 wrote to memory of 2984	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	32
PID 2948 wrote to memory of 2984	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	32
PID 2948 wrote to memory of 2984	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	32
PID 2948 wrote to memory of 2984	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	32
PID 2948 wrote to memory of 2572	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	34
PID 2948 wrote to memory of 2572	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	34
PID 2948 wrote to memory of 2572	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	34
PID 2948 wrote to memory of 2572	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	34
PID 2948 wrote to memory of 2584	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	36
PID 2948 wrote to memory of 2584	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	36
PID 2948 wrote to memory of 2584	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	36
PID 2948 wrote to memory of 2584	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	36
PID 2948 wrote to memory of 2664	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	38
PID 2948 wrote to memory of 2664	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	38
PID 2948 wrote to memory of 2664	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	38
PID 2948 wrote to memory of 2664	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	38
PID 2948 wrote to memory of 2784	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	40
PID 2948 wrote to memory of 2784	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	40
PID 2948 wrote to memory of 2784	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	40
PID 2948 wrote to memory of 2784	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	40
PID 2948 wrote to memory of 2776	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	42
PID 2948 wrote to memory of 2776	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	42
PID 2948 wrote to memory of 2776	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	42
PID 2948 wrote to memory of 2776	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	42
PID 2948 wrote to memory of 2940	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	44
PID 2948 wrote to memory of 2940	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	44
PID 2948 wrote to memory of 2940	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	44
PID 2948 wrote to memory of 2940	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	44
PID 2948 wrote to memory of 2544	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	46
PID 2948 wrote to memory of 2544	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	46
PID 2948 wrote to memory of 2544	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	46
PID 2948 wrote to memory of 2544	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	46
PID 2948 wrote to memory of 2460	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	48
PID 2948 wrote to memory of 2460	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	48
PID 2948 wrote to memory of 2460	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	48
PID 2948 wrote to memory of 2460	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	48
PID 2948 wrote to memory of 2636	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	50
PID 2948 wrote to memory of 2636	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	50
PID 2948 wrote to memory of 2636	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	50
PID 2948 wrote to memory of 2636	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	50
PID 2948 wrote to memory of 2228	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	52
PID 2948 wrote to memory of 2228	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	52
PID 2948 wrote to memory of 2228	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	52
PID 2948 wrote to memory of 2228	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	52
PID 2948 wrote to memory of 2540	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	54
PID 2948 wrote to memory of 2540	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	54
PID 2948 wrote to memory of 2540	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	54
PID 2948 wrote to memory of 2540	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	54
PID 2948 wrote to memory of 2428	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	56
PID 2948 wrote to memory of 2428	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	56
PID 2948 wrote to memory of 2428	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	56
PID 2948 wrote to memory of 2428	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	56
PID 2948 wrote to memory of 2456	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	58
PID 2948 wrote to memory of 2456	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	58
PID 2948 wrote to memory of 2456	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	58
PID 2948 wrote to memory of 2456	2948	SecuriteInfo.com.Win32.TrojanX-gen.30150.exe	58

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.30150.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.30150.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\A\bat\*.dll
  2⤵
  PID:2036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\A\bat\*.txt
  2⤵
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\A\bat\*.bat
  2⤵
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\B\bat\*.dll
  2⤵
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\B\bat\*.txt
  2⤵
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\B\bat\*.bat
  2⤵
  PID:2664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.dll
  2⤵
  PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.txt
  2⤵
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.bat
  2⤵
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.dll
  2⤵
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.txt
  2⤵
  PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\K\bat\*.bat
  2⤵
  PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\L\bat\*.dll
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\L\bat\*.txt
  2⤵
  PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\L\bat\*.bat
  2⤵
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.dll
  2⤵
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.txt
  2⤵
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\R\bat\*.bat
  2⤵
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\S\bat\*.dll
  2⤵
  PID:2600
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\S\bat\*.txt
  2⤵
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\S\bat\*.bat
  2⤵
  PID:300
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\T\bat\*.dll
  2⤵
  PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\T\bat\*.txt
  2⤵
  PID:1556
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\T\bat\*.bat
  2⤵
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\U\bat\*.dll
  2⤵
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\U\bat\*.txt
  2⤵
  PID:1200
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\U\bat\*.bat
  2⤵
  PID:2208
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.dll
  2⤵
  PID:796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.txt
  2⤵
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\W\bat\*.bat
  2⤵
  PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /F C:\Sfero\Sfero365\I\bat\*.dll
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic computersystem get name >C:\Sfero\Sfero365\I\bat\11name.dll
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic computersystem get name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get VolumeSerialNumber >C:\Sfero\Sfero365\I\bat\12id.dll
  2⤵
  PID:776
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get VolumeSerialNumber
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic baseboard get Product,serialnumber,status,tag >C:\Sfero\Sfero365\I\bat\21pb.dll
  2⤵
  PID:580
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic baseboard get Product,serialnumber,status,tag
    3⤵
    PID:328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic baseboard get Manufacturer >C:\Sfero\Sfero365\I\bat\22marca.dll
  2⤵
  PID:2360
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic baseboard get Manufacturer
    3⤵
    PID:1684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic cpu get name, NumberOfCores, NumberOfLogicalProcessors, Status, StatusInfo >C:\Sfero\Sfero365\I\bat\23cpu.dll
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic cpu get name, NumberOfCores, NumberOfLogicalProcessors, Status, StatusInfo
    3⤵
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic memorychip get devicelocator, manufacturer, partnumber, serialnumber, capacity, speed, formfactor, BankLabel, Status, Tag >C:\Sfero\Sfero365\I\bat\24memory.dll
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic memorychip get devicelocator, manufacturer, partnumber, serialnumber, capacity, speed, formfactor, BankLabel, Status, Tag
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c net use >C:\Sfero\Sfero365\I\bat\31unidadesred.dll
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\net.exe
    net use
    3⤵
    PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk list brief >C:\Sfero\Sfero365\I\bat\31unidades.dll
  2⤵
  PID:900
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk list brief
    3⤵
    PID:1072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get Size >C:\Sfero\Sfero365\I\bat\32sizec.dll
  2⤵
  PID:1124
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get Size
    3⤵
    PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get FreeSpace >C:\Sfero\Sfero365\I\bat\32sizecfree.dll
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get FreeSpace
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic logicaldisk where "DeviceID='c:'" get filesystem >C:\Sfero\Sfero365\I\bat\32systemc.dll
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic logicaldisk where "DeviceID='c:'" get filesystem
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic path win32_VideoController get AdapterRAM,Caption,CurrentHorizontalResolution,CurrentVerticalResolution,MaxRefreshRate,Status > C:\Sfero\Sfero365\I\bat\25gpu.dll
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic path win32_VideoController get AdapterRAM,Caption,CurrentHorizontalResolution,CurrentVerticalResolution,MaxRefreshRate,Status
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wmic printer get Default, DriverName, Name, Portname, Status > C:\Sfero\Sfero365\I\bat\26printers.dll
  2⤵
  PID:2112
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic printer get Default, DriverName, Name, Portname, Status
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c PowerShell "Get-PhysicalDisk" >C:\Sfero\Sfero365\I\bat\33discos.dll
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Get-PhysicalDisk"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Sfero\Sfero365\Z\bat\Z365.bat

Filesize
1KB

MD5
d4338cee69907d8a8b668746fec5c9bf

SHA1
ffd22089ccbcbb3e5179a8e845b29e256993d1b5

SHA256
43a766e3a89314ef66f91e067d979e178a9039f2a0aae5691e88efa61beb5d8b

SHA512
92148d89e95a3cd3b5a81a6c007b915aa9edc06f58ec6adcb3c769b99bbe16532b43f32aaeb0b1481f894fedb297f439bdeac6c98009a2fd396291c117c26b40

Download Submit
memory/2688-53-0x000000006E7F0000-0x000000006ED9B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-51-0x000000006E7F0000-0x000000006ED9B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-52-0x0000000001C70000-0x0000000001CB0000-memory.dmp

Filesize
256KB

Download
memory/2688-54-0x0000000001C70000-0x0000000001CB0000-memory.dmp

Filesize
256KB

Download
memory/2688-57-0x000000006E7F0000-0x000000006ED9B000-memory.dmp

Filesize
5.7MB

Download
memory/2688-58-0x0000000001C70000-0x0000000001CB0000-memory.dmp

Filesize
256KB

Download
memory/2688-59-0x0000000001C70000-0x0000000001CB0000-memory.dmp

Filesize
256KB

Download
memory/2688-60-0x0000000001C70000-0x0000000001CB0000-memory.dmp

Filesize
256KB

Download
memory/2948-2-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download
memory/2948-1-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-0-0x00000000012A0000-0x00000000013FA000-memory.dmp

Filesize
1.4MB

Download
memory/2948-55-0x0000000073F50000-0x000000007463E000-memory.dmp

Filesize
6.9MB

Download
memory/2948-56-0x0000000004F30000-0x0000000004F70000-memory.dmp

Filesize
256KB

Download