Analysis Overview
SHA256
4270cf9684c5839b360fc33c9a8101e40f2f4c768a8ce55b4b0e0236a1bb7082
Threat Level: Shows suspicious behavior
The file WaveBypasser.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Detects videocard installed
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-15 21:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-15 21:26
Reported
2024-10-15 21:30
Platform
win7-20240903-en
Max time kernel
62s
Max time network
164s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe
"C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe"
C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe
"C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef52d9758,0x7fef52d9768,0x7fef52d9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1436 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2144 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1376 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1368 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3460 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:8
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1224,i,9720195805215138623,17317449875670891313,131072 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.200.36:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | tcp |
| GB | 142.250.179.238:443 | apis.google.com | tcp |
| GB | 142.250.187.202:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 216.58.201.110:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI18482\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18482\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE
| MD5 | 141643e11c48898150daa83802dbc65f |
| SHA1 | 0445ed0f69910eeaee036f09a39a13c6e1f37e12 |
| SHA256 | 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741 |
| SHA512 | ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f |
C:\Users\Admin\AppData\Local\Temp\_MEI18482\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18482\python312.dll
| MD5 | 5750b5cbbb8628436ce9a3557efad861 |
| SHA1 | fb6fda4ca5dd9415a2031a581c1e0f055fed63b5 |
| SHA256 | 587598b6c81f4f4dce3afd40ca6d4814d6cfdb9161458d2161c33abfdadc9e48 |
| SHA512 | d23938796b4e7b6ae7601c3ab9c513eb458cccb13b597b2e20762e829ce4ace7b810039c713ec996c7e2ce8cfb12d1e7231903f06f424266f460a004bd3f6f53 |
memory/3012-840-0x000007FEF52E0000-0x000007FEF59A5000-memory.dmp
memory/3012-841-0x000007FEF52E0000-0x000007FEF59A5000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
\??\pipe\crashpad_2844_DYPQIHBSFXFIXCIO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b54874c2d8effb3575e6426cf37f638d |
| SHA1 | 6fc5eba81395b251101ffadb8714502fb9e14d73 |
| SHA256 | e992fd0362ef3d4fe6b9cb01dc1d09da1427ac2da4cee01764f012d5c2b4b04e |
| SHA512 | ece291b83f1455fa6664f5b492877f08b1954cc7b247803bf5928310b235d71c78fda2901adb389013db6717dfa3e357c5c25bc3bd9f5775efc0f333b6fe0c70 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | b9041b7c2239e612b441aa6a76c2a847 |
| SHA1 | 78318aa37dac12acdf56c0a679e130d53a20d2d6 |
| SHA256 | c7dd1deb29c610a7a3c4d17aaf7c77dd2bbcdb52e23b74d8fdb16bbbf7909f8d |
| SHA512 | 608eb632414a96d5cb668893ebc78d7acaff05e09b0cd6c538a47b7c472824121808e372fa1a96b8d8a84780f433f91a4ece400d5f249582b53ab6610228b400 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-15 21:26
Reported
2024-10-15 21:29
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\SYSTEM32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\netsh.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3350944739-639801879-157714471-1000\{4E0BC643-132E-4666-8FF2-12E64B287688} | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe
"C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe"
C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe
"C:\Users\Admin\AppData\Local\Temp\WaveBypasser.exe"
C:\Windows\SYSTEM32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
C:\Windows\System32\Wbem\WMIC.exe
wmic path softwarelicensingservice get OA3xOriginalProductKey
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.179.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI14842\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE
| MD5 | 141643e11c48898150daa83802dbc65f |
| SHA1 | 0445ed0f69910eeaee036f09a39a13c6e1f37e12 |
| SHA256 | 86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741 |
| SHA512 | ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL
| MD5 | 43136dde7dd276932f6197bb6d676ef4 |
| SHA1 | 6b13c105452c519ea0b65ac1a975bd5e19c50122 |
| SHA256 | 189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714 |
| SHA512 | e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\python312.dll
| MD5 | 5750b5cbbb8628436ce9a3557efad861 |
| SHA1 | fb6fda4ca5dd9415a2031a581c1e0f055fed63b5 |
| SHA256 | 587598b6c81f4f4dce3afd40ca6d4814d6cfdb9161458d2161c33abfdadc9e48 |
| SHA512 | d23938796b4e7b6ae7601c3ab9c513eb458cccb13b597b2e20762e829ce4ace7b810039c713ec996c7e2ce8cfb12d1e7231903f06f424266f460a004bd3f6f53 |
memory/532-842-0x00007FFA134C0000-0x00007FFA13B85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\base_library.zip
| MD5 | fe165df1db950b64688a2e617b4aca88 |
| SHA1 | 71cae64d1edd9931ef75e8ef28e812e518b14dde |
| SHA256 | 071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35 |
| SHA512 | e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_ctypes.pyd
| MD5 | dfd13a29d4871d14aeb3ef6e0aafae71 |
| SHA1 | b159bdbd5820dc3007a9b56b9489037aed7624d4 |
| SHA256 | d74b1c5b0b14e2379aad50ca5af0b1cd5979fd2f065b1beee47514e6f11deb2f |
| SHA512 | 45035d17f1aadd555edb595a4a0e656d4720771a58a7d8cd80b66740fe7f7565acae4b6a03fea4994a896f67fc5ca883d15dacb80d6146bfbf0ccb2bec9ef588 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\libffi-8.dll
| MD5 | be8ceb4f7cb0782322f0eb52bc217797 |
| SHA1 | 280a7cc8d297697f7f818e4274a7edd3b53f1e4d |
| SHA256 | 7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676 |
| SHA512 | 07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_lzma.pyd
| MD5 | 96e99c539e2cb0683b148da367ce4389 |
| SHA1 | 098c7b3ff65823236cd935d7cb80aa8009cecc3d |
| SHA256 | 72a7d452b3a164195b4a09b85a8e33ad4e6b658c10396b1a313e61da8f814304 |
| SHA512 | 7572291adad01c60b9c1f266aff44ed63474436e2087a834103fc5f9e380d9c33adcdb3b82cc13f1e13caf4a84d0a8dac0511d39bf90966a821f80cafcc6eca0 |
memory/532-858-0x00007FFA235F0000-0x00007FFA2361D000-memory.dmp
memory/532-855-0x00007FFA23620000-0x00007FFA2363A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_wmi.pyd
| MD5 | d6731fc47332f01c741d8b64521d86a0 |
| SHA1 | 29751383560d17029952fd1fa0e92168f8096b3d |
| SHA256 | 5632cc7e014771e3bfd0580d24244ed3b56447689d97bd851d02601f615baae4 |
| SHA512 | 88838be8ca11afc5951a373ccd6e34b91e69a68a2ad9f3b042f708b54e1e7d9745ec59eab9ab58398de9ab1205546eb20c96469c59fa5809d350ccda35d29cc4 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_uuid.pyd
| MD5 | d8c6d60ea44694015ba6123ff75bd38d |
| SHA1 | 813deb632f3f3747fe39c5b8ef67bada91184f62 |
| SHA256 | 8ae23bfa84ce64c3240c61bedb06172bfd76be2ad30788d4499cb24047fce09f |
| SHA512 | d3d408c79e291ed56ca3135b5043e555e53b70dff45964c8c8d7ffa92b27c6cdea1e717087b79159181f1258f9613fe6d05e3867d9c944f43a980b5bf27a75ab |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_ssl.pyd
| MD5 | 4dc99d3cbe1bb4b474d8c1bc70b5b7d0 |
| SHA1 | 356565045cc67ee517900f13fb9b3042e336804a |
| SHA256 | 570e29e73fc398c52abeebb92654ac321dad50e625c1230d919d88da1fd8d8d0 |
| SHA512 | bc35069e407ba14c859e5d1372d19ca6dbdc2449f93760c012a492eee404e11255e9ea0d883b7a3807e1e0afcc223e27694acd794b7986f5ed5fdd6b7abd0000 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_sqlite3.pyd
| MD5 | 337889448ecd97a305a96cf61f1b84b9 |
| SHA1 | c981100ec4b5921d5b7c865d4458b67af67cf325 |
| SHA256 | a35a017ee1c003290f4850b4c3d7140f5f0df98d2178bf67923a610aee1679be |
| SHA512 | 6f7789bcf2c63faff5842ecf8494a0f47446fa0dcb6890bf664cc661f030309d28fa3d5d18f20c7ddd9fda036068902b42fff7ae34b84ca035b2729ba4ef6306 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
memory/532-884-0x00007FFA239D0000-0x00007FFA239DF000-memory.dmp
memory/532-883-0x00007FFA23A40000-0x00007FFA23A4D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_queue.pyd
| MD5 | 51c7b2ca2871fa9d4a948f2abd22de05 |
| SHA1 | a915c58f1090a5cfa4386efbd31cbdd0391547cf |
| SHA256 | 36ec2ef3f553257912e3e3d17706920c1a52c3619d5c7b157c386c1dbe6e3f52 |
| SHA512 | f398891a152049506ed278b7383d6d7df1e304b6afb41ffe15b732b0c07fced977c29fe22bfa26cd454dc0d3576ec0218e8f0dedeff6ed7b7dd55daa9b10db62 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_socket.pyd
| MD5 | 0a4bec3acc2db020d129e0e3f2d0cd95 |
| SHA1 | 180b4d4c5802ae94fc041360bb652cde72eca620 |
| SHA256 | 3c6bb84d34e46e4fdf1ba192a4b78c4caf9217f49208147e7c46e654d444f222 |
| SHA512 | 5ffde27846b7acf5ff1da513930ead85c6e95f92c71ee630bcc8932fdf5e4f9c42b027e14df8e9596adf67f9d6467c5454b3bda5a39d69e20745f71eca7ed685 |
memory/532-886-0x00007FFA23580000-0x00007FFA23594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\libcrypto-3.dll
| MD5 | 64c76a85cbc744a0a930e9cfc29e20a1 |
| SHA1 | e67b24269797d67e3e94042b8c333dc984bdddb8 |
| SHA256 | 5bcb5de3eff2a80e7d57725ab9e5013f2df728e8a41278fe06d5ac4de91bd26c |
| SHA512 | 7e7fdb2356b18a188fd156e332f7ff03b29781063cadc80204159a789910763515b8150292b27f2ce2e9bdaf6c704e377561601d8a5871dcb6b9dd967d9ffa7f |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_hashlib.pyd
| MD5 | 2e27d0a121f60b37c72ac44b210e0f4f |
| SHA1 | 7e880cf5f2e49ca56f8a422c74ca4f4b34017a09 |
| SHA256 | cebc38091bd20b4e74bcb1f0b1920e2422eed044aa8d1fd4e1e3adc55dcf3501 |
| SHA512 | 93362cd566d4a9d3d9253abd461c2c49ab0efe972d1a946a0eb2e34bb37b7723e3164a438b3378b8b1c9e87ac987b335a2ce0499d9a50bdf7104657bb6b28647 |
memory/532-888-0x00007FFA12F80000-0x00007FFA134B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_overlapped.pyd
| MD5 | a849bfcef664851201326a739e1dba41 |
| SHA1 | f64332ffdb1dfcfc853f2b00914e7422a33b1ae3 |
| SHA256 | 7e23125519f4c79b0651a36dd7820e278c0b124395d7f1fb0bc7dca78d14834b |
| SHA512 | e33684226f445d2ec7df4452e482c4804ffd735e6c73aaa441fa3f476113de678b3945ef49d35653b614c605403f5c79cb497eb3d23025d88fc80c26206abfb3 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_multiprocessing.pyd
| MD5 | 7016551a054fe5e51b83e71242cb4662 |
| SHA1 | cec3cc32a79d77f212055a57856cac2cfe4096be |
| SHA256 | 5fb8194f04e0f05ab8ede8a68f906984c7f6770f19a76c0fca30dbbdaa069135 |
| SHA512 | 5fae6fe874dcf74b78fd7978a804addd086001f3bf54b2a26bea48d36b04c5f5d02fdc9ded82b5e02757921db34afcc2c793ac4bd0c2bfa519ab97ca0a8c005e |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_elementtree.pyd
| MD5 | 39ac9ef240c031a8ee97cd8df897d859 |
| SHA1 | 0f0233ac96fc493837dad7dce6f4b919aaae4613 |
| SHA256 | 6d01d4b4d48c0d8b44e2fefd78b0f3bf0e4c6fab5a6b4e4e6e85c18b972c7bcc |
| SHA512 | 83e82cbcb9e1e00b144d0453af41b090f71809313ab652a9d6dbc27524b4f67336dbb50d9422846d6ab4b9fb775a1e4e68cf796eaef26d4cbf5cffd57ecefc87 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_decimal.pyd
| MD5 | 423186e586039fa189a65e843acf87e0 |
| SHA1 | 8849f6038914de79f64daff868f69133c3354012 |
| SHA256 | 302bd83bc48ca64cd9fe82465b5db16724f171ee7e91f28aa60b9074e9f92a7a |
| SHA512 | c91030f91d9e0ba4ea5fcbadf2b4077d736bd7e9fa71351a85dbcca7204fecdbfd04c6afe451adb8ae1ab0c880c879e42e624645717a690ec75b5b88cac90f1a |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_cffi_backend.cp312-win_amd64.pyd
| MD5 | 27004b1f01511fd6743ee5535de8f570 |
| SHA1 | b97baa60d6c335670b8a923fa7e6411c8e602e55 |
| SHA256 | d2d3e9d9e5855a003e3d8c7502a9814191cf2b77b99ba67777ac170440dfdccf |
| SHA512 | bdcd7a9b9bea5a16186d1a4e097253008d5ecd37a8d8652ec21b034abafbc7e5ff9ca838c5c4cb5618d87b1aceda09e920878c403abafafa867e2d679d4d98d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_asyncio.pyd
| MD5 | 07fb4d6d21ce007476a53655659f69ae |
| SHA1 | 0e5618325c0128ef77118c692c14c12e68e51e90 |
| SHA256 | d4d85776c7bab9726d27b1fc5fb92ae7d38657cc18960f72acdfb51276d7ac67 |
| SHA512 | 86c77a3617588baa94bc1fdd6fdd530a438f5270ca95f104242c29facebfe3a55d0c76ea704ef2b31ecc01eeccc56586188cc3fbd228fedf6d4ee94c85b735ab |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\unicodedata.pyd
| MD5 | 129b358732e77d400bcf38f00cdd197e |
| SHA1 | 384b16e35ed4b9a55f35cedbb71be354fa78242a |
| SHA256 | e397fc3ccaee0233f1b793c953f7506426d64765a801a05259afd1a10a25b05a |
| SHA512 | 8af8e97fd52e9026da877ebe94b1c82e32ab19233f312f170bf589db9ec15b0736cfa39abd5cf6e1e4d9a3bc6a212578f81fdd9c04758b6ab5a2834b203067da |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\sqlite3.dll
| MD5 | 89c7a4482b66a862b282a25a1903fde3 |
| SHA1 | 15d9d4df5d6bdfef70e50cfaf56c405293ddd835 |
| SHA256 | 1f7c0eef1a1c27826f056f8c931b130001b45337d6984b27f6f10355c119bba8 |
| SHA512 | e234c1769e8881683c821d2bf5b1c713493b4212fbfecec95eba3cf33ca23d66bcd07767f6e46506a4acc25f2db71c8b682a60be0ae8e349df1c844a5ccce067 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\select.pyd
| MD5 | b14ab29e811eaa90076840426ab1ab1b |
| SHA1 | 14f18ed4eebcc9567dec7967a23d35429ab2edba |
| SHA256 | 231d5f116b86a46dad697b5f2725b58df0ceee5de057eec9363f86136c162707 |
| SHA512 | a382c0d311953b8fcf06c0758ac92060ccf04b344485025af4a466ecd8f84f5665e29b4169fe5ed4b1c2daeeaa5e44069a5f1cdf5fc59a00a16b8bd883a5d658 |
memory/532-897-0x00007FFA235A0000-0x00007FFA235C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
| MD5 | 4ce7501f6608f6ce4011d627979e1ae4 |
| SHA1 | 78363672264d9cd3f72d5c1d3665e1657b1a5071 |
| SHA256 | 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b |
| SHA512 | a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24 |
memory/532-898-0x00007FFA14270000-0x00007FFA1433E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\pyexpat.pyd
| MD5 | 228e59c72c273970a4a7ab134f9cf282 |
| SHA1 | a19ff9c27f969c3657865ecc4202613a721c4610 |
| SHA256 | b255658ed4c5f8dc2d8de1652237f3199d3f10d560e8f4c9e8b81168b994849f |
| SHA512 | 5cc585172c65443f72f17dce87faafddf6c055a201c7899d046b14c67696aef4a1416faad81718476982f6fd191683e1126b9bb35666d9905b9c855aa8d9dedd |
memory/532-896-0x00007FFA1CA30000-0x00007FFA1CA63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\libssl-3.dll
| MD5 | 860af4bc2bad883faef1715a1cebb0dd |
| SHA1 | 9e498e8267f0d680b7f8f572bc67ef9ec47e5dd9 |
| SHA256 | 5027010163bfecded82cb733e971c37a4d71653974813e96839f1b4e99412a60 |
| SHA512 | 9f5a130d566cf81d735b4d4f7816e7796becd5f9768391c0f73c6e9b45e69d72ee27ec9e2694648310f9de317ae0e42fab646a457758e4d506c5d4d460660b0f |
memory/532-906-0x00007FFA141E0000-0x00007FFA14267000-memory.dmp
memory/532-912-0x00007FFA1AB80000-0x00007FFA1ABA7000-memory.dmp
memory/532-911-0x00007FFA23510000-0x00007FFA2351B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\charset_normalizer\md__mypyc.cp312-win_amd64.pyd
| MD5 | 044aa54c359f57f827647c7eee04d267 |
| SHA1 | 88b6e44d3c40173a06e9e3378494e0eb9b06d8e0 |
| SHA256 | f03556de88030fa893711275b4daeff39f1f14c30b1967ea3a9b140cc8632bb5 |
| SHA512 | d22cad7389020f0ed895ffcfa6cc17f3a6cb7f73ffebb5636df7b64d6ab3caf7c503e7d407f47f4250fd5981156789b2f7235eb49830b1d86a268ef2c53ed441 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\charset_normalizer\md.cp312-win_amd64.pyd
| MD5 | e7bc35f372642dd06c9d21a1db3ea4fc |
| SHA1 | e5ea4bf23ee6e21925ea0c19562b9ea586b06e9e |
| SHA256 | d28c01169a704d1ba33c7c650775b206af3d07abcd4168235bc2416d193985c1 |
| SHA512 | 3d294427b21ac6a4ecaa2a95d8cee097d2c7e74b4c0c85c03700c05ecc794df32a988af8d9a725afddca98b1f4eba3ed2b7f3155847330aefbc09214832d8e30 |
memory/532-905-0x00007FFA235F0000-0x00007FFA2361D000-memory.dmp
memory/532-915-0x00007FFA12E60000-0x00007FFA12F7A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\certifi\cacert.pem
| MD5 | 50ea156b773e8803f6c1fe712f746cba |
| SHA1 | 2c68212e96605210eddf740291862bdf59398aef |
| SHA256 | 94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47 |
| SHA512 | 01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0 |
memory/532-914-0x00007FFA23580000-0x00007FFA23594000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\zstandard\backend_c.cp312-win_amd64.pyd
| MD5 | 2f12da584a362bad45c6b9b3ddd2445c |
| SHA1 | 86adc05435a9a7dc0b0c676456b15f64d7df6f44 |
| SHA256 | da95d86762fb4ea6a479990e1b91591ccad7d0f88072a7805052cd71168db115 |
| SHA512 | 6113292936ea39c45764c240e04a92479403ef6c64aa959922e94f990f8d405299793acbdeb8a4c924d81857e12b3d83e7c8c93c261e8101f4eee44ab77dc92e |
memory/532-902-0x00007FFA14E90000-0x00007FFA14EC6000-memory.dmp
memory/532-901-0x00007FFA23620000-0x00007FFA2363A000-memory.dmp
memory/532-894-0x00007FFA235D0000-0x00007FFA235DD000-memory.dmp
memory/532-893-0x00007FFA134C0000-0x00007FFA13B85000-memory.dmp
memory/532-890-0x00007FFA22B10000-0x00007FFA22B29000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\luna.aes
| MD5 | 2c55264fac63415f0bba96a3972152c8 |
| SHA1 | c8d30bcdbe11c7ae783123b7dda5dd3cc61b36fa |
| SHA256 | 7325310a89914706e74b1fe7df0805a70019314d508735c02e8dfb39d3ebbdfd |
| SHA512 | 78f069154786625b4224e2daa013ac75ba18f2c4570059ccc56d960d90b27ffd518f3798f6975e59e92d5917049efea563c8b94cdfbf80fc3e96bbffb28c2bdf |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\_bz2.pyd
| MD5 | c9f84cbfff18bf88923802116a013aa0 |
| SHA1 | 4aabe0b93098c3ac5b843599bd3cb6b9a7d464a1 |
| SHA256 | 5f33cd309ae6f049a4d8c2b6b2a8cd5ade5e8886408ed2b81719e686b68b7d13 |
| SHA512 | d3b2a8b0fa84ce3bf34f3d04535c89c58ea5c359757f2924fecea613a7a041c9bd9a47ca5df254690c92705bbd7e8f4f4be4801414437d7a5749cffde5272fe7 |
memory/532-852-0x00007FFA23DE0000-0x00007FFA23DEF000-memory.dmp
memory/532-850-0x00007FFA235A0000-0x00007FFA235C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\python3.dll
| MD5 | 5eace36402143b0205635818363d8e57 |
| SHA1 | ae7b03251a0bac083dec3b1802b5ca9c10132b4c |
| SHA256 | 25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2 |
| SHA512 | 7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4 |
memory/532-932-0x00007FFA1DD40000-0x00007FFA1DD4C000-memory.dmp
memory/532-931-0x00007FFA1EFB0000-0x00007FFA1EFBB000-memory.dmp
memory/532-940-0x00007FFA1AB80000-0x00007FFA1ABA7000-memory.dmp
memory/532-939-0x00007FFA14170000-0x00007FFA1417D000-memory.dmp
memory/532-938-0x00007FFA14180000-0x00007FFA1418C000-memory.dmp
memory/532-937-0x00007FFA141E0000-0x00007FFA14267000-memory.dmp
memory/532-941-0x00007FFA12CE0000-0x00007FFA12E5F000-memory.dmp
memory/532-950-0x00007FFA12C60000-0x00007FFA12C6C000-memory.dmp
memory/532-951-0x00007FFA12C00000-0x00007FFA12C2F000-memory.dmp
memory/532-955-0x00007FFA12BD0000-0x00007FFA12BEC000-memory.dmp
memory/532-956-0x00007FFA141B0000-0x00007FFA141D4000-memory.dmp
memory/532-954-0x00007FFA12BF0000-0x00007FFA12BFB000-memory.dmp
memory/532-957-0x00007FFA127A0000-0x00007FFA12BC5000-memory.dmp
memory/532-953-0x00007FFA12C30000-0x00007FFA12C5A000-memory.dmp
memory/532-952-0x00007FFA12E60000-0x00007FFA12F7A000-memory.dmp
memory/532-949-0x00007FFA12C70000-0x00007FFA12C82000-memory.dmp
memory/532-948-0x00007FFA12C90000-0x00007FFA12C9D000-memory.dmp
memory/532-947-0x00007FFA12CA0000-0x00007FFA12CAB000-memory.dmp
memory/532-958-0x00007FFA10B90000-0x00007FFA11F37000-memory.dmp
memory/532-946-0x00007FFA12CB0000-0x00007FFA12CBC000-memory.dmp
memory/532-945-0x00007FFA12CC0000-0x00007FFA12CCB000-memory.dmp
memory/532-944-0x00007FFA12CD0000-0x00007FFA12CDB000-memory.dmp
memory/532-943-0x00007FFA14150000-0x00007FFA1415C000-memory.dmp
memory/532-942-0x00007FFA14160000-0x00007FFA1416E000-memory.dmp
memory/532-936-0x00007FFA14190000-0x00007FFA1419B000-memory.dmp
memory/532-935-0x00007FFA141A0000-0x00007FFA141AC000-memory.dmp
memory/532-934-0x00007FFA1A4D0000-0x00007FFA1A4DB000-memory.dmp
memory/532-933-0x00007FFA14270000-0x00007FFA1433E000-memory.dmp
memory/532-930-0x00007FFA22860000-0x00007FFA2286B000-memory.dmp
memory/532-929-0x00007FFA1CA30000-0x00007FFA1CA63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\Cryptodome\Cipher\_raw_cbc.pyd
| MD5 | e116f8c6a7376154e6610a6b9bbd7d87 |
| SHA1 | 482465fd942b06a3149149b0a16b9ebadcd19065 |
| SHA256 | 6a44880996aeba9b04acf3383e9a5acc93682fe66644a9e2bc3ea5defc08e09b |
| SHA512 | eb5297b05c18f1dabb3426928d8431a7113390398c5d135c0da1e21b8f9cde3b0a3925deceacb68ab488e85aceca31660b49ebd8e67c991891cc93bb235ff7d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI14842\Cryptodome\Cipher\_raw_ecb.pyd
| MD5 | 5ca4837fc45cd28f290b54bd2e0a67f5 |
| SHA1 | 8aaee26a61a0945ddaffdbf9fd2a87272eeb8822 |
| SHA256 | 77ece4effae2152c6b2e70945ce0779b95b5ca8ecd29b3a6e857b95461399534 |
| SHA512 | d6f0d2b572cc770d8c452d4d2df575c3b988dc6490a506c5602ab4599e88502e1555f5c1af33582295380c9e56d46ff9ccde9a5dba61776958173ece4c1c64c6 |
memory/532-925-0x00007FFA141B0000-0x00007FFA141D4000-memory.dmp
memory/532-924-0x00007FFA12CE0000-0x00007FFA12E5F000-memory.dmp
memory/532-959-0x00007FFA12420000-0x00007FFA12442000-memory.dmp
memory/532-923-0x00007FFA1D200000-0x00007FFA1D218000-memory.dmp
memory/532-922-0x00007FFA12F80000-0x00007FFA134B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI14842\psutil\_psutil_windows.pyd
| MD5 | 3adca2ff39adeb3567b73a4ca6d0253c |
| SHA1 | ae35dde2348c8490f484d1afd0648380090e74fc |
| SHA256 | 92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3 |
| SHA512 | 358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345 |
C:\Users\Admin\AppData\Local\Temp\R5tri3Wbvr\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
C:\Users\Admin\AppData\Local\Temp\R5tri3Wbvr\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
memory/532-985-0x00007FFA14170000-0x00007FFA1417D000-memory.dmp
memory/532-996-0x00007FFA23DE0000-0x00007FFA23DEF000-memory.dmp
memory/532-995-0x00007FFA235A0000-0x00007FFA235C5000-memory.dmp
memory/532-1021-0x00007FFA14180000-0x00007FFA1418C000-memory.dmp
memory/532-1052-0x00007FFA23510000-0x00007FFA2351B000-memory.dmp
memory/532-1051-0x00007FFA1AB80000-0x00007FFA1ABA7000-memory.dmp
memory/532-1050-0x00007FFA141E0000-0x00007FFA14267000-memory.dmp
memory/532-1049-0x00007FFA14E90000-0x00007FFA14EC6000-memory.dmp
memory/532-1048-0x00007FFA1DD40000-0x00007FFA1DD4C000-memory.dmp
memory/532-1047-0x00007FFA12BF0000-0x00007FFA12BFB000-memory.dmp
memory/532-1046-0x00007FFA12C60000-0x00007FFA12C6C000-memory.dmp
memory/532-1053-0x00007FFA10B90000-0x00007FFA11F37000-memory.dmp
memory/532-1056-0x00007FFA12C00000-0x00007FFA12C2F000-memory.dmp
memory/532-1055-0x00007FFA12420000-0x00007FFA12442000-memory.dmp
memory/532-1054-0x00007FFA127A0000-0x00007FFA12BC5000-memory.dmp
memory/532-1045-0x00007FFA12C70000-0x00007FFA12C82000-memory.dmp
memory/532-1044-0x00007FFA12C90000-0x00007FFA12C9D000-memory.dmp
memory/532-1043-0x00007FFA12CA0000-0x00007FFA12CAB000-memory.dmp
memory/532-1042-0x00007FFA12CB0000-0x00007FFA12CBC000-memory.dmp
memory/532-1041-0x00007FFA12CC0000-0x00007FFA12CCB000-memory.dmp
memory/532-1040-0x00007FFA12CD0000-0x00007FFA12CDB000-memory.dmp
memory/532-1039-0x00007FFA14150000-0x00007FFA1415C000-memory.dmp
memory/532-1038-0x00007FFA14160000-0x00007FFA1416E000-memory.dmp
memory/532-1037-0x00007FFA12C30000-0x00007FFA12C5A000-memory.dmp
memory/532-1036-0x00007FFA12BD0000-0x00007FFA12BEC000-memory.dmp
memory/532-1035-0x00007FFA235D0000-0x00007FFA235DD000-memory.dmp
memory/532-1034-0x00007FFA22B10000-0x00007FFA22B29000-memory.dmp
memory/532-1033-0x00007FFA141B0000-0x00007FFA141D4000-memory.dmp
memory/532-1032-0x00007FFA23580000-0x00007FFA23594000-memory.dmp
memory/532-1031-0x00007FFA239D0000-0x00007FFA239DF000-memory.dmp
memory/532-1030-0x00007FFA23A40000-0x00007FFA23A4D000-memory.dmp
memory/532-1029-0x00007FFA235F0000-0x00007FFA2361D000-memory.dmp
memory/532-1028-0x00007FFA23620000-0x00007FFA2363A000-memory.dmp
memory/532-1027-0x00007FFA1A4D0000-0x00007FFA1A4DB000-memory.dmp
memory/532-1022-0x00007FFA14170000-0x00007FFA1417D000-memory.dmp
memory/532-1019-0x00007FFA141A0000-0x00007FFA141AC000-memory.dmp
memory/532-1020-0x00007FFA14190000-0x00007FFA1419B000-memory.dmp
memory/532-1016-0x00007FFA1EFB0000-0x00007FFA1EFBB000-memory.dmp
memory/532-1015-0x00007FFA22860000-0x00007FFA2286B000-memory.dmp
memory/532-1014-0x00007FFA12CE0000-0x00007FFA12E5F000-memory.dmp
memory/532-1012-0x00007FFA1D200000-0x00007FFA1D218000-memory.dmp
memory/532-1006-0x00007FFA14270000-0x00007FFA1433E000-memory.dmp
memory/532-1005-0x00007FFA1CA30000-0x00007FFA1CA63000-memory.dmp
memory/532-1011-0x00007FFA12E60000-0x00007FFA12F7A000-memory.dmp
memory/532-1002-0x00007FFA12F80000-0x00007FFA134B3000-memory.dmp
memory/532-994-0x00007FFA134C0000-0x00007FFA13B85000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-15 21:26
Reported
2024-10-15 21:29
Platform
win7-20241010-en
Max time kernel
103s
Max time network
19s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3016 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 3016 wrote to memory of 2992 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2992 wrote to memory of 2920 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2992 wrote to memory of 2920 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2992 wrote to memory of 2920 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2992 wrote to memory of 2920 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\loader-o.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | e0bfe2254cb21ba149602b7aae2f2b2d |
| SHA1 | 9f80c3e4e9d51372226696927aea772a2eeecb5b |
| SHA256 | 41357852b0b273ff83b76ac6dc475f06a93096b737bfa70b43a1c744856837b8 |
| SHA512 | e3361ffb9227018996b1dfbef3d4ac49abe0a8533a38a8edf973c38efb1e4ef89bc4507f236f96dd60d9709c1fb0c2a7561b2414c9d569dd2df12139745fa535 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-15 21:26
Reported
2024-10-15 21:30
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
204s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\loader-o.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp |