Malware Analysis Report

2024-12-07 16:03

Sample ID 241113-p6vy7asepp
Target FZ_Marauder_v2.8.zip
SHA256 16fbeadcbf09c6e4dc1dbbd500271e4c44be1deedd1ccbbe8eb0b129730d2a15
Tags pyinstaller, execution
Score 4/10

Analysis Overview

Score 4/10

SHA256

16fbeadcbf09c6e4dc1dbbd500271e4c44be1deedd1ccbbe8eb0b129730d2a15

Threat Level: Likely benign

The file FZ_Marauder_v2.8.zip was found to be: Likely benign.

Malicious Activity Summary

pyinstaller execution

Loads dropped DLL

Detects Pyinstaller

Command and Scripting Interpreter: JavaScript

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 12:57

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win7-20241010-en

Max time kernel

119s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\flash.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2736 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2736 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1700 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2708 wrote to memory of 2848 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\flash.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_303A

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_SerialPort get DeviceID,PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /i VID_303A

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_10C4

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_SerialPort get DeviceID,PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /i VID_10C4

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Marauder\esp32_marauder_v1_0_0_20240626_flipper.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Marauder\esp32_marauder_v1_0_0_20240626_flipper.js

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

143s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\Marauder\esp32_marauder_v1_0_0_20240626_flipper.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\Marauder\esp32_marauder_v1_0_0_20240626_flipper.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\WROOM\esp32_marauder_v1_0_0_20240626_old_hardware.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\WROOM\esp32_marauder_v1_0_0_20240626_old_hardware.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

144s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\WROOM\esp32_marauder_v1_0_0_20240626_old_hardware.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\WROOM\esp32_marauder_v1_0_0_20240626_old_hardware.js

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win7-20240903-en

Max time kernel

118s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\esptool.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\esptool.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\esptool.exe

"C:\Users\Admin\AppData\Local\Temp\esptool.exe"

C:\Users\Admin\AppData\Local\Temp\esptool.exe

"C:\Users\Admin\AppData\Local\Temp\esptool.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21122\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\python38.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-runtime-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-heap-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-string-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-stdio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-convert-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-math-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-locale-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-time-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-environment-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-process-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-conio-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-filesystem-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI21122\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI21122\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI21122\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI21122\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI21122\libcrypto-1_1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI21122\api-ms-win-crt-utility-l1-1-0.dll

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\esptool.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\esptool.exe

"C:\Users\Admin\AppData\Local\Temp\esptool.exe"

C:\Users\Admin\AppData\Local\Temp\esptool.exe

"C:\Users\Admin\AppData\Local\Temp\esptool.exe"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26282\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26282\python38.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26282\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26282\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI26282\libffi-7.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26282\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26282\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26282\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26282\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI26282\libcrypto-1_1.dll

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-13 12:56

Reported

2024-11-13 12:59

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

139s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\flash.bat"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1536 wrote to memory of 4828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4828 wrote to memory of 2964 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4828 wrote to memory of 3592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1536 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4732 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4732 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\flash.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_303A

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_SerialPort get DeviceID,PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /i VID_303A

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic path Win32_SerialPort get DeviceID,PNPDeviceID|findstr /i VID_10C4

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_SerialPort get DeviceID,PNPDeviceID

C:\Windows\system32\findstr.exe

findstr /i VID_10C4

Network

Country Destination Domain Proto

Files

N/A