Malware Analysis Report

2025-03-15 03:46

Sample ID 241126-cv2ldayrav
Target fantafn.exe
SHA256 04b84b7755e757c899f54ca892ca9b9ea4933057628a9e30e945b1508ab24f88
Tags
exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04b84b7755e757c899f54ca892ca9b9ea4933057628a9e30e945b1508ab24f88

Threat Level: Known bad

The file fantafn.exe was found to be: Known bad.

Malicious Activity Summary

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer

Exelastealer family

Exela Stealer

Grants admin privileges

Modifies Windows Firewall

Clipboard Data

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

Launches sc.exe

Event Triggered Execution: Netsh Helper DLL

Permission Groups Discovery: Local Groups

Unsigned PE

System Network Connections Discovery

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Gathers network information

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Gathers system information

Suspicious use of AdjustPrivilegeToken

Collects information from the system

Runs net.exe

Suspicious use of WriteProcessMemory

Kills process with taskkill

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-26 02:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-26 02:24

Reported

2024-11-26 02:25

Platform

win10ltsc2021-20241023-en

Max time kernel

25s

Max time network

29s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord Update Service = "C:\\Users\\Admin\\AppData\\Local\\scriptkidUpdate\\scriptkid.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4688 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\fantafn.exe C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe
PID 4688 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\fantafn.exe C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe
PID 3756 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 1920 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1920 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1788 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1788 wrote to memory of 5088 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4772 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4772 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3756 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3700 wrote to memory of 4304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3700 wrote to memory of 4304 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3756 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3056 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3056 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3068 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3068 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3756 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 680 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 3756 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3024 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3024 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3756 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 1196 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1196 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3756 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3752 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3752 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3756 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3756 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2148 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4068 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 1736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1280 wrote to memory of 2228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2656 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2228 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2228 wrote to memory of 3868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fantafn.exe

"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe

"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""

C:\Windows\system32\taskkill.exe

taskkill /F /IM "taskmgr.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f"

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
DE 159.89.102.253:443 geolocation-db.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.244.186:443 checkappexec.microsoft.com tcp
N/A 127.0.0.1:49899 tcp
N/A 127.0.0.1:49904 tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 186.244.140.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
N/A 127.0.0.1:49916 tcp
N/A 127.0.0.1:49939 tcp
N/A 127.0.0.1:49943 tcp
N/A 127.0.0.1:49945 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\RuntimeBrokerVers.exe

MD5 4210339142ccd774ee8011ae1784cf71
SHA1 8ef93cf8ef23af2b0fa4350aecd262c46ec01c6c
SHA256 64d0d6f1b1755a040d9cd820bf0f8ab227ead7a1a9acea24481a04d44ba3014c
SHA512 3ea656a952f3fdd97bb5827d6de9cbb88edda9766d440a9ce0a82d2ca2198e06bfd9d51b209952c0f2955af307c62aad8139d2d55a3765ef6581f3151ca8a3d6

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\python311.dll

MD5 5a5dd7cad8028097842b0afef45bfbcf
SHA1 e247a2e460687c607253949c52ae2801ff35dc4a
SHA256 a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512 e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 bd36f7d64660d120c6fb98c8f536d369
SHA1 6829c9ce6091cb2b085eb3d5469337ac4782f927
SHA256 ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902
SHA512 bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

MD5 3859239ced9a45399b967ebce5a6ba23
SHA1 6f8ff3df90ac833c1eb69208db462cda8ca3f8d6
SHA256 a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a
SHA512 030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

MD5 d7b9ed5f37519b68750ecb5defb8e957
SHA1 661cf73707e02d2837f914adc149b61a120dda7d
SHA256 2ce63e16df518ae178de0940505ff1b11da97a5b175fe2a0d355b2ee351c55fd
SHA512 f04708c28feb54f355d977e462245b183a0b50f4db6926c767e8f1499e83e910b05a3023b84d398fb5dd87743fe6146dbbc3e1caaed5351c27396f16746c6d6b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

MD5 08d50fd2b635972dc84a6fb6fc581c06
SHA1 4bcfc96a1aad74f7ab11596788acb9a8d1126064
SHA256 bb5ac4945b43611c1821fa575af3152b2937b4bc1a77531136780cc4a28f82e9
SHA512 8ec536e97d7265f007ad0f99fc8b9eecc9355a63f131b96e8a04e4bd38d3c72e3b80e36e4b1923548bd77eb417c5e0ac6a01d09af23311784a328fbed3c41084

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

MD5 486085aac7bb246a173ceea0879230af
SHA1 ef1095843b2a9c6d8285c7d9e8e334a9ce812fae
SHA256 c3964fc08e4ca8bc193f131def6cc4b4724b18073aa0e12fed8b87c2e627dc83
SHA512 8a56774a08da0ab9dd561d21febeebc23a5dea6f63d5638ea1b608cd923b857df1f096262865e6ebd56b13efd3bba8d714ffdce8316293229974532c49136460

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_lzma.pyd

MD5 e5abc3a72996f8fde0bcf709e6577d9d
SHA1 15770bdcd06e171f0b868c803b8cf33a8581edd3
SHA256 1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb
SHA512 b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 4255c44dc64f11f32c961bf275aab3a2
SHA1 c1631b2821a7e8a1783ecfe9a14db453be54c30a
SHA256 e557873d5ad59fd6bd29d0f801ad0651dbb8d9ac21545defe508089e92a15e29
SHA512 7d3a306755a123b246f31994cd812e7922943cdbbc9db5a6e4d3372ea434a635ffd3945b5d2046de669e7983ef2845bd007a441d09cfe05cf346523c12bdad52

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\libcrypto-1_1.dll

MD5 e94733523bcd9a1fb6ac47e10a267287
SHA1 94033b405386d04c75ffe6a424b9814b75c608ac
SHA256 f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44
SHA512 07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

MD5 208b0108172e59542260934a2e7cfa85
SHA1 1d7ffb1b1754b97448eb41e686c0c79194d2ab3a
SHA256 5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69
SHA512 41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_asyncio.pyd

MD5 79f71c92c850b2d0f5e39128a59054f1
SHA1 a773e62fa5df1373f08feaa1fb8fa1b6d5246252
SHA256 0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980
SHA512 3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\yarl\_quoting_c.pyd

MD5 0edc0f96b64523314788745fa2cc7ddd
SHA1 555a0423ce66c8b0fa5eea45caac08b317d27d68
SHA256 db5b421e09bf2985fbe4ef5cdf39fc16e2ff0bf88534e8ba86c6b8093da6413f
SHA512 bb0074169e1bd05691e1e39c2e3c8c5fae3a68c04d851c70028452012bb9cb8d19e49cdff34efb72e962ed0a03d418dfbad34b7c9ad032105cf5acd311c1f713

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd

MD5 a7b4711c5ba1866745485abe14101ac7
SHA1 c37158cbd0fe67f8acd61596f63cf62bd2985431
SHA256 6688f3dd5b7efa8008c5ba776f32cecf5b42887b1b9ee21555ae3e0d4f13d2e0
SHA512 f952ad3c21b649e13e64540713a61db6d49b394ca5d62add7a5fec2186a8d27131ba038d449561b77670d3deb2358a8254e4e205ef20228e27b1eb8234d0e843

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pycares\_cares.pyd

MD5 e611e5c516fe1c3670353e3427da42b9
SHA1 a946abdeebe7fa9ccd7ab256c927be5902784e4a
SHA256 b4f41659dc3002f70bc6578801aad771b45f106103441d1e9b4c553c1e50c939
SHA512 a1c057dbd4b618fdfdd75f70bfe85dbfc6d2a25fed8e74dd5fbf950a02d7470e1f4bfac8ed00a5cdef6a68b8737a156a5a0ea443e826c6b30c94554bd7326b99

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\charset_normalizer\md__mypyc.pyd

MD5 2d1f2ffd0fecf96a053043daad99a5df
SHA1 b03d5f889e55e802d3802d0f0caa4d29c538406b
SHA256 207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13
SHA512 4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\charset_normalizer\md.pyd

MD5 fa50d9f8bce6bd13652f5090e7b82c4d
SHA1 ee137da302a43c2f46d4323e98ffd46d92cf4bef
SHA256 fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb
SHA512 341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_uuid.pyd

MD5 46e9d7b5d9668c9db5caa48782ca71ba
SHA1 6bbc83a542053991b57f431dd377940418848131
SHA256 f6063622c0a0a34468679413d1b18d1f3be67e747696ab972361faed4b8d6735
SHA512 c5b171ebdb51b1755281c3180b30e88796db8aa96073489613dab96b6959a205846711187266a0ba30782102ce14fbfa4d9f413a2c018494597600482329ebf7

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\aiohttp\_websocket.pyd

MD5 aa40ac7a7d1d9a10da426701ea49508d
SHA1 bbd083535e20ea00bcc40de7b9e625ff5c74851e
SHA256 b892cbaf1a5b363fb66768194cd4d466916e81981bcb63c2989277114a4b0c10
SHA512 eaf14159f5f1b70dcb5e6416804f306ec5f4c235abf431a27bc421861117be8c6ec5326c8c703c4c3764b771e5dbac37e6b93ac05f9a632bc83788c476eed8e2

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_brotli.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\aiohttp\_http_writer.pyd

MD5 2f2a2b2343549e990419df0977e3fac9
SHA1 5724b63e32bda7d36285f79dc9ad57fc97ba5415
SHA256 9569b0b501a0235388d075baa4c84e5d571169ac6ce3ae9220cde31a5f208b94
SHA512 a1b99dcaf01666c3ab9755d55001f3a18344cd70c386ce1b2233b5c6b8248b59d95804b450f9ee9c2f51d6293c4e748b9347540ae3f247418a1673bbd6ef466a

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\aiohttp\_helpers.pyd

MD5 4b5dcc46170e4ac810a59ca5b7533462
SHA1 1eacf60fdfd427909b54f83518612a4638930225
SHA256 704cdcfca773ac658b8f84335f29630707c216f739f7fa5970b1be57f13a5b82
SHA512 c2e5b9b40f267f375234be9a562882faa1a0e82f32a951233464d27879d0b1620099bb800de3e96be277bb3bb44ff421a98a2f0c125f28652c2b6415d0fb4dea

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\unicodedata.pyd

MD5 aa13ee6770452af73828b55af5cd1a32
SHA1 c01ece61c7623e36a834d8b3c660e7f28c91177e
SHA256 8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb
SHA512 b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\multidict\_multidict.pyd

MD5 b92f8efb672c383ab60b971b3c6c87de
SHA1 acb671089a01d7f1db235719c52e6265da0f708f
SHA256 b7376b5d729115a06b1cab60b251df3efc3051ebba31524ea82f0b8db5a49a72
SHA512 680663d6c6cd7b9d63160c282f6d38724bd8b8144d15f430b28b417dda0222bfff7afefcb671e863d1b4002b154804b1c8af2d8a28fff11fa94972b207df081b

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_overlapped.pyd

MD5 e5aceaf21e82253e300c0b78793887a8
SHA1 c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde
SHA256 d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a
SHA512 517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\libssl-1_1.dll

MD5 25bde25d332383d1228b2e66a4cb9f3e
SHA1 cd5b9c3dd6aab470d445e3956708a324e93a9160
SHA256 c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13
SHA512 ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\select.pyd

MD5 c97a587e19227d03a85e90a04d7937f6
SHA1 463703cf1cac4e2297b442654fc6169b70cfb9bf
SHA256 c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf
SHA512 97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_socket.pyd

MD5 1eea9568d6fdef29b9963783827f5867
SHA1 a17760365094966220661ad87e57efe09cd85b84
SHA256 74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117
SHA512 d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\_cffi_backend.pyd

MD5 fde9a1d6590026a13e81712cd2f23522
SHA1 ca99a48caea0dbaccf4485afd959581f014277ed
SHA256 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b
SHA512 a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

C:\Users\Admin\AppData\Local\Temp\onefile_4688_133770614874476058\python3.dll

MD5 b711598fc3ed0fe4cf2c7f3e0877979e
SHA1 299c799e5d697834aa2447d8a313588ab5c5e433
SHA256 520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a
SHA512 b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84

memory/1816-115-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-114-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-113-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-125-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-124-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-123-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-122-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-121-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-120-0x0000024509170000-0x0000024509171000-memory.dmp

memory/1816-119-0x0000024509170000-0x0000024509171000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dmp4m53.zof.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/400-175-0x000001FA5BC30000-0x000001FA5BC52000-memory.dmp

memory/4256-183-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-184-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-182-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-191-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-190-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-189-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-188-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-187-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

memory/4256-186-0x0000029EF9290000-0x0000029EF9291000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-26 02:24

Reported

2024-11-26 02:27

Platform

win11-20241007-en

Max time kernel

103s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord Update Service = "C:\\Users\\Admin\\AppData\\Local\\scriptkidUpdate\\scriptkid.exe" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\fantafn.exe C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe
PID 2848 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\fantafn.exe C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe
PID 4188 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4956 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4956 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3012 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3012 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3008 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3008 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4188 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3800 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3800 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4188 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5088 wrote to memory of 3980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1596 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1596 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4188 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3764 wrote to memory of 3432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4188 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 2408 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2408 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4188 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 1656 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1656 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4188 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2080 wrote to memory of 4996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4996 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4996 wrote to memory of 2208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4004 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4004 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3300 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3300 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2984 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2984 wrote to memory of 3444 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3444 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4188 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe
PID 4188 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fantafn.exe

"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe

"C:\Users\Admin\AppData\Local\Temp\fantafn.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f"

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Discord Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\scriptkidUpdate\scriptkid.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 geolocation-db.com udp
DE 159.89.102.253:443 geolocation-db.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 253.102.89.159.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
N/A 127.0.0.1:49879 tcp
N/A 127.0.0.1:49884 tcp
US 208.95.112.1:80 ip-api.com tcp
N/A 127.0.0.1:49893 tcp
N/A 127.0.0.1:49898 tcp
N/A 127.0.0.1:49902 tcp
N/A 127.0.0.1:49904 tcp
US 162.159.138.232:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
GB 23.62.195.195:443 cxcs.microsoft.net tcp
GB 2.18.27.82:443 www.bing.com tcp
US 162.159.138.232:443 discord.com tcp
N/A 127.0.0.1:49978 tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:49981 tcp
US 162.159.138.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\RuntimeBrokerVers.exe

MD5 4210339142ccd774ee8011ae1784cf71
SHA1 8ef93cf8ef23af2b0fa4350aecd262c46ec01c6c
SHA256 64d0d6f1b1755a040d9cd820bf0f8ab227ead7a1a9acea24481a04d44ba3014c
SHA512 3ea656a952f3fdd97bb5827d6de9cbb88edda9766d440a9ce0a82d2ca2198e06bfd9d51b209952c0f2955af307c62aad8139d2d55a3765ef6581f3151ca8a3d6

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\python311.dll

MD5 5a5dd7cad8028097842b0afef45bfbcf
SHA1 e247a2e460687c607253949c52ae2801ff35dc4a
SHA256 a811c7516f531f1515d10743ae78004dd627eba0dc2d3bc0d2e033b2722043ce
SHA512 e6268e4fad2ce3ef16b68298a57498e16f0262bf3531539ad013a66f72df471569f94c6fcc48154b7c3049a3ad15cbfcbb6345dacb4f4ed7d528c74d589c9858

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\VCRUNTIME140.dll

MD5 4585a96cc4eef6aafd5e27ea09147dc6
SHA1 489cfff1b19abbec98fda26ac8958005e88dd0cb
SHA256 a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736
SHA512 d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

MD5 bd36f7d64660d120c6fb98c8f536d369
SHA1 6829c9ce6091cb2b085eb3d5469337ac4782f927
SHA256 ee543453ac1a2b9b52e80dc66207d3767012ca24ce2b44206804767f37443902
SHA512 bd15f6d4492ddbc89fcbadba07fc10aa6698b13030dd301340b5f1b02b74191faf9b3dcf66b72ecf96084656084b531034ea5cadc1dd333ef64afb69a1d1fd56

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

MD5 e5abc3a72996f8fde0bcf709e6577d9d
SHA1 15770bdcd06e171f0b868c803b8cf33a8581edd3
SHA256 1796038480754a680f33a4e37c8b5673cc86c49281a287dc0c5cae984d0cb4bb
SHA512 b347474dc071f2857e1e16965b43db6518e35915b8168bdeff1ead4dff710a1cc9f04ca0ced23a6de40d717eea375eedb0bf3714daf35de6a77f071db33dfae6

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

MD5 d7b9ed5f37519b68750ecb5defb8e957
SHA1 661cf73707e02d2837f914adc149b61a120dda7d
SHA256 2ce63e16df518ae178de0940505ff1b11da97a5b175fe2a0d355b2ee351c55fd
SHA512 f04708c28feb54f355d977e462245b183a0b50f4db6926c767e8f1499e83e910b05a3023b84d398fb5dd87743fe6146dbbc3e1caaed5351c27396f16746c6d6b

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

MD5 08d50fd2b635972dc84a6fb6fc581c06
SHA1 4bcfc96a1aad74f7ab11596788acb9a8d1126064
SHA256 bb5ac4945b43611c1821fa575af3152b2937b4bc1a77531136780cc4a28f82e9
SHA512 8ec536e97d7265f007ad0f99fc8b9eecc9355a63f131b96e8a04e4bd38d3c72e3b80e36e4b1923548bd77eb417c5e0ac6a01d09af23311784a328fbed3c41084

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

MD5 486085aac7bb246a173ceea0879230af
SHA1 ef1095843b2a9c6d8285c7d9e8e334a9ce812fae
SHA256 c3964fc08e4ca8bc193f131def6cc4b4724b18073aa0e12fed8b87c2e627dc83
SHA512 8a56774a08da0ab9dd561d21febeebc23a5dea6f63d5638ea1b608cd923b857df1f096262865e6ebd56b13efd3bba8d714ffdce8316293229974532c49136460

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_cffi_backend.pyd

MD5 fde9a1d6590026a13e81712cd2f23522
SHA1 ca99a48caea0dbaccf4485afd959581f014277ed
SHA256 16eccc4baf6cf4ab72acd53c72a1f2b04d952e07e385e9050a933e78074a7d5b
SHA512 a522661f5c3eeea89a39df8bbb4d23e6428c337aac1d231d32b39005ea8810fce26af18454586e0e94e51ea4ac0e034c88652c1c09b1ed588aeac461766981f4

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

MD5 4255c44dc64f11f32c961bf275aab3a2
SHA1 c1631b2821a7e8a1783ecfe9a14db453be54c30a
SHA256 e557873d5ad59fd6bd29d0f801ad0651dbb8d9ac21545defe508089e92a15e29
SHA512 7d3a306755a123b246f31994cd812e7922943cdbbc9db5a6e4d3372ea434a635ffd3945b5d2046de669e7983ef2845bd007a441d09cfe05cf346523c12bdad52

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

MD5 e94733523bcd9a1fb6ac47e10a267287
SHA1 94033b405386d04c75ffe6a424b9814b75c608ac
SHA256 f20eb4efd8647b5273fdaafceb8ccb2b8ba5329665878e01986cbfc1e6832c44
SHA512 07dd0eb86498497e693da0f9dd08de5b7b09052a2d6754cfbc2aa260e7f56790e6c0a968875f7803cb735609b1e9b9c91a91b84913059c561bffed5ab2cbb29f

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

MD5 1eea9568d6fdef29b9963783827f5867
SHA1 a17760365094966220661ad87e57efe09cd85b84
SHA256 74181072392a3727049ea3681fe9e59516373809ced53e08f6da7c496b76e117
SHA512 d9443b70fcdc4d0ea1cb93a88325012d3f99db88c36393a7ded6d04f590e582f7f1640d8b153fe3c5342fa93802a8374f03f6cd37dd40cdbb5ade2e07fad1e09

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

MD5 25bde25d332383d1228b2e66a4cb9f3e
SHA1 cd5b9c3dd6aab470d445e3956708a324e93a9160
SHA256 c8f7237e7040a73c2bea567acc9cec373aadd48654aaac6122416e160f08ca13
SHA512 ca2f2139bb456799c9f98ef8d89fd7c09d1972fa5dd8fc01b14b7af00bf8d2c2175fb2c0c41e49a6daf540e67943aad338e33c1556fd6040ef06e0f25bfa88fa

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

MD5 79f71c92c850b2d0f5e39128a59054f1
SHA1 a773e62fa5df1373f08feaa1fb8fa1b6d5246252
SHA256 0237739399db629fdd94de209f19ac3c8cd74d48bebe40ad8ea6ac7556a51980
SHA512 3fdef4c04e7d89d923182e3e48d4f3d866204e878abcaacff657256f054aeafafdd352b5a55ea3864a090d01169ec67b52c7f944e02247592417d78532cc5171

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\yarl\_quoting_c.pyd

MD5 0edc0f96b64523314788745fa2cc7ddd
SHA1 555a0423ce66c8b0fa5eea45caac08b317d27d68
SHA256 db5b421e09bf2985fbe4ef5cdf39fc16e2ff0bf88534e8ba86c6b8093da6413f
SHA512 bb0074169e1bd05691e1e39c2e3c8c5fae3a68c04d851c70028452012bb9cb8d19e49cdff34efb72e962ed0a03d418dfbad34b7c9ad032105cf5acd311c1f713

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_brotli.pyd

MD5 d9fc15caf72e5d7f9a09b675e309f71d
SHA1 cd2b2465c04c713bc58d1c5de5f8a2e13f900234
SHA256 1fcd75b03673904d9471ec03c0ef26978d25135a2026020e679174bdef976dcf
SHA512 84f705d52bd3e50ac412c8de4086c18100eac33e716954fbcb3519f4225be1f4e1c3643d5a777c76f7112fae30ce428e0ce4c05180a52842dacb1f5514460006

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\charset_normalizer\md__mypyc.pyd

MD5 2d1f2ffd0fecf96a053043daad99a5df
SHA1 b03d5f889e55e802d3802d0f0caa4d29c538406b
SHA256 207bbae9ddf8bdd64e65a8d600fe1dd0465f2afcd6dc6e28d4d55887cd6cbd13
SHA512 4f7d68f241a7f581e143a010c78113154072c63adff5f200ef67eb34d766d14ce872d53183eb2b96b1895aa9c8d4ca82ee5e61e1c5e655ff5be56970be9ebe3e

C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\pycares\_cares.pyd

MD5 e611e5c516fe1c3670353e3427da42b9
SHA1 a946abdeebe7fa9ccd7ab256c927be5902784e4a
SHA256 b4f41659dc3002f70bc6578801aad771b45f106103441d1e9b4c553c1e50c939
SHA512 a1c057dbd4b618fdfdd75f70bfe85dbfc6d2a25fed8e74dd5fbf950a02d7470e1f4bfac8ed00a5cdef6a68b8737a156a5a0ea443e826c6b30c94554bd7326b99

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\charset_normalizer\md.pyd

MD5 fa50d9f8bce6bd13652f5090e7b82c4d
SHA1 ee137da302a43c2f46d4323e98ffd46d92cf4bef
SHA256 fff69928dea1432e0c7cb1225ab96f94fd38d5d852de9a6bb8bf30b7d2bedceb
SHA512 341cec015e74348eab30d86ebb35c028519703006814a2ecd19b9fe5e6fcb05eda6dde0aaf4fe624d254b0d0180ec32adf3b93ee96295f8f0f4c9d4ed27a7c0c

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_uuid.pyd

MD5 46e9d7b5d9668c9db5caa48782ca71ba
SHA1 6bbc83a542053991b57f431dd377940418848131
SHA256 f6063622c0a0a34468679413d1b18d1f3be67e747696ab972361faed4b8d6735
SHA512 c5b171ebdb51b1755281c3180b30e88796db8aa96073489613dab96b6959a205846711187266a0ba30782102ce14fbfa4d9f413a2c018494597600482329ebf7

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_websocket.pyd

MD5 aa40ac7a7d1d9a10da426701ea49508d
SHA1 bbd083535e20ea00bcc40de7b9e625ff5c74851e
SHA256 b892cbaf1a5b363fb66768194cd4d466916e81981bcb63c2989277114a4b0c10
SHA512 eaf14159f5f1b70dcb5e6416804f306ec5f4c235abf431a27bc421861117be8c6ec5326c8c703c4c3764b771e5dbac37e6b93ac05f9a632bc83788c476eed8e2

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_http_parser.pyd

MD5 a7b4711c5ba1866745485abe14101ac7
SHA1 c37158cbd0fe67f8acd61596f63cf62bd2985431
SHA256 6688f3dd5b7efa8008c5ba776f32cecf5b42887b1b9ee21555ae3e0d4f13d2e0
SHA512 f952ad3c21b649e13e64540713a61db6d49b394ca5d62add7a5fec2186a8d27131ba038d449561b77670d3deb2358a8254e4e205ef20228e27b1eb8234d0e843

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_http_writer.pyd

MD5 2f2a2b2343549e990419df0977e3fac9
SHA1 5724b63e32bda7d36285f79dc9ad57fc97ba5415
SHA256 9569b0b501a0235388d075baa4c84e5d571169ac6ce3ae9220cde31a5f208b94
SHA512 a1b99dcaf01666c3ab9755d55001f3a18344cd70c386ce1b2233b5c6b8248b59d95804b450f9ee9c2f51d6293c4e748b9347540ae3f247418a1673bbd6ef466a

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\aiohttp\_helpers.pyd

MD5 4b5dcc46170e4ac810a59ca5b7533462
SHA1 1eacf60fdfd427909b54f83518612a4638930225
SHA256 704cdcfca773ac658b8f84335f29630707c216f739f7fa5970b1be57f13a5b82
SHA512 c2e5b9b40f267f375234be9a562882faa1a0e82f32a951233464d27879d0b1620099bb800de3e96be277bb3bb44ff421a98a2f0c125f28652c2b6415d0fb4dea

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\unicodedata.pyd

MD5 aa13ee6770452af73828b55af5cd1a32
SHA1 c01ece61c7623e36a834d8b3c660e7f28c91177e
SHA256 8fbed20e9225ff82132e97b4fefbb5ddbc10c062d9e3f920a6616ab27bb5b0fb
SHA512 b2eeb9a7d4a32e91084fdae302953aac57388a5390f9404d8dfe5c4a8f66ca2ab73253cf5ba4cc55350d8306230dd1114a61e22c23f42fbcc5c0098046e97e0f

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\multidict\_multidict.pyd

MD5 b92f8efb672c383ab60b971b3c6c87de
SHA1 acb671089a01d7f1db235719c52e6265da0f708f
SHA256 b7376b5d729115a06b1cab60b251df3efc3051ebba31524ea82f0b8db5a49a72
SHA512 680663d6c6cd7b9d63160c282f6d38724bd8b8144d15f430b28b417dda0222bfff7afefcb671e863d1b4002b154804b1c8af2d8a28fff11fa94972b207df081b

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_overlapped.pyd

MD5 e5aceaf21e82253e300c0b78793887a8
SHA1 c58f78fbbe8713cb00ccdfeb1d8d7359f58ebfde
SHA256 d950342686c959056ff43c9e5127554760fa20669d97166927dd6aae5494e02a
SHA512 517c29928d6623cf3b2bcdcd68551070d2894874893c0d115a0172d749b6fe102af6261c0fd1b65664f742fa96abbce2f8111a72e1a3c2f574b58b909205937f

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_ssl.pyd

MD5 208b0108172e59542260934a2e7cfa85
SHA1 1d7ffb1b1754b97448eb41e686c0c79194d2ab3a
SHA256 5160500474ec95d4f3af7e467cc70cb37bec1d12545f0299aab6d69cea106c69
SHA512 41abf6deab0f6c048967ca6060c337067f9f8125529925971be86681ec0d3592c72b9cc85dd8bdee5dd3e4e69e3bb629710d2d641078d5618b4f55b8a60cc69d

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\select.pyd

MD5 c97a587e19227d03a85e90a04d7937f6
SHA1 463703cf1cac4e2297b442654fc6169b70cfb9bf
SHA256 c4aa9a106381835cfb5f9badfb9d77df74338bc66e69183757a5a3774ccdaccf
SHA512 97784363f3b0b794d2f9fd6a2c862d64910c71591006a34eedff989ecca669ac245b3dfe68eaa6da621209a3ab61d36e9118ebb4be4c0e72ce80fab7b43bde12

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\python3.dll

MD5 b711598fc3ed0fe4cf2c7f3e0877979e
SHA1 299c799e5d697834aa2447d8a313588ab5c5e433
SHA256 520169aa6cf49d7ee724d1178de1be0e809e4bdcf671e06f3d422a0dd5fd294a
SHA512 b3d59eff5e38cef651c9603971bde77be7231ea8b7bdb444259390a8a9e452e107a0b6cb9cc93e37fd3b40afb2ba9e67217d648bfca52f7cdc4b60c7493b6b84

C:\Users\Admin\AppData\Local\Temp\onefile_2848_133770614863537897\_bz2.pyd

MD5 3859239ced9a45399b967ebce5a6ba23
SHA1 6f8ff3df90ac833c1eb69208db462cda8ca3f8d6
SHA256 a4dd883257a7ace84f96bcc6cd59e22d843d0db080606defae32923fc712c75a
SHA512 030e5ce81e36bd55f69d55cbb8385820eb7c1f95342c1a32058f49abeabb485b1c4a30877c07a56c9d909228e45a4196872e14ded4f87adaa8b6ad97463e5c69

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekttngc5.0en.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4692-158-0x0000023D4B330000-0x0000023D4B352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Desktop\InitializeClear.jpeg

MD5 427d866e57553238c38a12cb184329dd
SHA1 b0b0beddc7d3c6f0dc31214ec63b3b3fb4cbb121
SHA256 126d88d7b933251d15ddfc117d97998fecd5a4b81444c68ad20f770e3dd35a48
SHA512 7a5fa5072f1e0a46d07c2320d1a04e0297db3359968a07ecfb6546ae7625cc5da72c0c3a5285a8b826ac3f039639ba4afb01eb14a1147e65b87ce71d7702c50e

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Desktop\MergeOptimize.docx

MD5 38e9f413f294920c7090b0b3293a8f77
SHA1 30b2b206e1fee77218fd0ae8f39644368152ea2b
SHA256 de9cfd2c0b62cc26e2be03c4bd69409bcb6251341f633d8814985a7595663948
SHA512 2d95d8757d93283e648a5a4b041722f251109a87215842c4110bcc7c499874865b8f53ebf299e0e0397d2e482ad8e4dd921c4afb256f459cf01dacfb87a51f8a

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Desktop\SaveResolve.docx

MD5 0dde131aadd76df4a0d268243506f436
SHA1 ceb2cb0914ae0d5108bdf7f547b26042b47477c4
SHA256 52684dd4b9dd20d8e12f3e85269305b73ce69782d0f535b5886bd131caa76d27
SHA512 464db2b8062d58f3c60e8b63a5b37c8560ed590a784d78d8c678dc482c31d6b04eac71c52d06e2e939ec7af5dc25f9472c769a0468341e06794dd81bd6fe9e55

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Desktop\SendBackup.mpeg

MD5 21644add8ba5de790a09de922472aa8d
SHA1 9be64e7f6f69a4fb699bc548ee142949bea7bf83
SHA256 c49c0b85251f1400c7500d6aaa1eca453e55445560ea03f68cdfbed278623d10
SHA512 3f458a03fad2df9386e1345eaba3e3605a3c9727208b86b91e6be1eef2e4ea2f341618da17508fd9844ffad5f4e7211dded571a168774b3ed08a02f30d29522a

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Desktop\WatchBackup.ps1xml

MD5 f1fb69e65108a96409a64a3f4737fe47
SHA1 3c3c34dcd9d35daf3639b1548b6862eeb5209b7c
SHA256 1297029f3e59f53b959382a0f103c223dbdae51b61de49e5b7c75c659457b331
SHA512 dc2daa9abc5ba7b425b3af9ed9bffac18ed57ddbd32e4f6c6814e44e50a56f7480eb94965620283356d93eaf0383eb4ceba3c05354d4e7f806818dbb571c9d7a

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\ImportLock.pdf

MD5 4631c1742a38cf7b42edfc55e51c0300
SHA1 c4b9d8796f28ef69b2e73fff8a35f1d2b2fcaca7
SHA256 c9bd4139b04b7f97918a9d7d71a52318462cfd43864dfce176bdd3b36df5df10
SHA512 02161048d68190a97b969c7dec7dc3d33b604dcb4c7835620582aa04493a0ddffc0ef30be38c4cfa20ff4e7839e4a0a950bd7abc02db5d0099aa0f5d3dd55e2b

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\ConvertAdd.pdf

MD5 b6a25400cbf8db7046a104d0257dd658
SHA1 dd1cf34832d6900c68acb8401c8ed45f55693b21
SHA256 5b5052d7f08ec45c7157678759bdb1266b6aebc60c46907922006ee00fddcc9b
SHA512 1af97159ade12c0cb2816f3e49cf5a8c3e4a8e9b7a78c72aaa48551c19f059b6ab4fbe235438e917ee2565379dc320badb1ca00f12faa3edced841eda2aff1d8

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\CompareConvertTo.docx

MD5 4c572de5d93d212501027733fa4e77ba
SHA1 4cf8b572a4010f3b63449492f506a98c49310827
SHA256 8209aae41b56474831278052dbec866d9de72b04fe53d45f66195ea0fd357dc7
SHA512 fcdbdb2a6d495a2eee29371b5157ccdc03042958b43a87d3b40a4aa0fe09ad3bdb015bd0a1ec39e0a82630bb5a42d8bf55ddadf0c00cd7636fcc657dff0d3fd5

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\BlockSelect.xlsx

MD5 563ccb484071798d1c255a4caa16fe55
SHA1 ca8d32259cea18a45a9c0b464608199e8137146e
SHA256 f859d995398e96c6351b413931d70ea6e9e6bcd8b4c2d2f57c35a401162cb68b
SHA512 2a31902b73389cc55b35cc657fe0cbaf51454004a6b9641facb4d6b05f7b04a0db1d64ea174bdc9014515b07acd012c54804a709769884d045f12dfb036178a2

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Desktop\StopImport.docx

MD5 2a096a888f4e7cc5f81b934aaae49270
SHA1 24c8877adea73f6de18d5c1302d97a232af15b1a
SHA256 b013168f8cadcc21e6adc70c07eef3b66eccf2fb4d6e0f0a657796d0040ebfc0
SHA512 53cbd42f5e6b1e157edd82bf2bf0682b387b17e06a7e2a4d7c4cd074fb6833d74eef3bcfeaf6e33696c9f968e5f9f1b9942b6311cc29c426239963caff9c5132

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\LockWrite.pdf

MD5 25a8faa957eb31516e73fde21eba32bb
SHA1 0a328ddfc6424831dbbcdefc87b611a94fe5b824
SHA256 0f4e70cc16f3d17e01c4cff750e36c09d49f9bc53332f9735ea7769ebdb18672
SHA512 70f56b2be38273bf893405bb23af371eba98df2fb386ac4dfd54cc1f5f5f9e5e533b973ac88bfa9a3eeab7f19a5508cc0cb5b3ae73c2110b96ab010cf8dd2f86

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\LimitPop.xlsx

MD5 e78c1bfc78e0ee6f249ee8c12c89d9f2
SHA1 c4ef95a903fb44dec95e57d9490eb250868754eb
SHA256 12ce933d1b06db0ac5a2a074ae577a1ce3a981f7d43a02004bf47c7268dfb139
SHA512 ae3540d3cff08dd1ad7221833d77f9b20bfc0acd80aa98525fb5e8de182e1f8a0ed0b0fedea3625c7600cbfaf92284f22cb054250749150b69bc24421653a1e3

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\UnblockApprove.docx

MD5 2b4b4f392cd67dae280aa9783eef4c1d
SHA1 1714871a548d6b499d4df751be54e382aef49972
SHA256 cb53c079ce0715ac12b4eca8bcd65f0309be9eecb6cd744c170434b05fa26a90
SHA512 eee4139ad700a28323965ed5358fc11d06c98a16ffd1db6b68ecce0d753e108e1bce1b0f7974d44c31bc585ad6729708adf3ca08b4e2d139cd96ed606b8d43ae

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\RedoRename.docx

MD5 ca9daacb2f3eabcb60d5a58e544589b0
SHA1 346d9727b311bbf86999bcd6484cd17d7e12a92f
SHA256 2167a44a552f9d0bc94cd858f9a4f024daf865ef70ceea75687aed5c284e0c75
SHA512 8ca7ae8db9620e245db017872addb0472e824dadd49ba1987c8ee0d850130e016c1398ba9233a063ad3c02779099f335f343eb5ecc7ef3d4a8aa607bad7b5be2

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Downloads\CloseGroup.jpeg

MD5 af80e230e915fb8a2d1bb2bd34c67479
SHA1 b1478fd8581af60666dae191af5fb318e294692c
SHA256 79ec6661122aa6cd9b345577691cf75aac119754a3e074e03a1b0081ecee2e97
SHA512 41869cfe179815a09a3c7491e46ab337101092484029ed1652833d411f652c7b50d1b22a2f4c2d7e9b0ec2096066e4c46b42340b8335a2387394060797213351

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Downloads\ApproveExpand.xlsx

MD5 8e3eeb1361e2cdf15988defce7b5cc3f
SHA1 968631c171bdfe7614552b7c1ab491e67b25c2ec
SHA256 74a46a5a91df82b67c604bd79dc7884a5e94bf6a9ae07ed866c3e930938ebe7d
SHA512 03aca448e8772190bb41a683234837cfd49349c4d4aadadc97e4ea5c27898843c4e07a41716790e256e32575fbb95a1bd5c64fcf9dea6fbdb9d42e7a318e5960

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Documents\UpdateSplit.xlsx

MD5 a9ab1e5d9f41c14dc541f22f0a141ed4
SHA1 b0ee6b45876c428d81d345aa3bd3ed53302bc14b
SHA256 d9a6f2587412c39f6f40cadf720a839bc864781320b4b7e5fa1e0eb7a8f9c66f
SHA512 cb59a1387b79be1b91c7cd713815fd96e4a353a9a11667eefe614abf1671aa4397af7b39f7b3517ca34066b8597e43cdc145552ef445844f348b1b7113a821c7

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Music\OpenInvoke.zip

MD5 826d9ad28a5f1516938fd59e30d60c48
SHA1 92bc3499268c50378c51e15e8c7923db1046850f
SHA256 df32fb8fc6f5a40e045ca8f0a2fea9e024fc167ee468897e56e0ecc92605ded3
SHA512 45f44bdcff76e0a02ed35f3c5986924aecf7ed42adfb94bb47b8baa4c2f126b6b24be51adcfd66a9dd65a9fa51833c6bb5a85f72b81ac6c52123b5053e45f87c

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Music\StepConvertFrom.jpeg

MD5 9eb3e1fb9470f618658aba69b49514de
SHA1 1f91bc4e7efaddb47dfe5a0dbbfe28a709762642
SHA256 49a2b68f65cc0a3e1cecd3b0ced349d31766430219f569cd47a364265e23f196
SHA512 45d62463e6b2473be0829d5a86c79bcceabb2adc1f8163fff21cf975cb7cdbc3b306a2bba22858bd03c1de069970da91f7db1de5a26d62eeb70775eb96956044

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Pictures\ResizeImport.jpg

MD5 b9c7031ad7bfb7c59d84b7fddd44a6ab
SHA1 f6ed8fc53b60ca57203a22078e419487b90c8212
SHA256 27f8514da0eb8325cb0186654dfd24f324130ba68c9dc72b9c90ff76c234acbc
SHA512 253f6de8d23a391ec83390631c23aaf237973874c9077d0ef496c60d1073555cf0626e753587b24ece78db6f5cb87cf91b92eec9c34b0c552ef20862272dfa38

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Music\TestClear.jpeg

MD5 3b51b24baaef1c5b5d22b8209fc2b9e0
SHA1 e0e3f8fab8e1855526c9b8129da05b290cdec128
SHA256 03ca8f16774674744056edc7f5ca56aeac4220158e111e38917e7526f533e7df
SHA512 c01f2543a0f33c3a1f1c697b3f944d070e933d1d396c225844a40d78c54838e1fc129a872149bb9472ff75ffc925508582b30be7a51e5b70255b102eb9010417

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Pictures\UpdateCheckpoint.png

MD5 b1267755da4b01cc53c1a57d91e4552c
SHA1 7bc9581655b0d671713078133e9c0a22fb1c7f8a
SHA256 3a8348b78358c51651de2c1277285935690db524cc80bd3b06fbf12a1fbf00d0
SHA512 4971bd3f6b13bf181ee96a7f13a021652b822e34bd3e45c535e4f673e40e9bf0bfe2427d4eafe9f76548efb02447a5d6a61f63b457add4a2dd822459e1334580

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Music\BackupStop.MTS

MD5 c74964443328fc14cd643c6728d2579a
SHA1 47ca3431ddf916f84ecf611709e1a26851b55602
SHA256 e0112b51c56ccfb85798e6757af184c05050883118223d863eda5f0d69e2786b
SHA512 a1a99d4e9c59c6796265a737834d657e967f36e56f6c15385a0b63ca713db772297a15d8243b74b5f2b0aa865fccc288dcf3ba572b4acbe62ddca3e81c3df137

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Music\AssertMove.doc

MD5 965d90818d247eeadfb7e16adc7c9269
SHA1 f3982ca6dea8eba9a21c73c9dafa8ecb6736c36e
SHA256 8a1a9462236341e6b79ac6fe84fd3cafc896752a4b2b6d5e05480f185cc86849
SHA512 6f3f5408ca90733692d95b1c159648d77253fbbfefd06a302337d7c82761df1294fbd191bfac1a5fe4f40ecb4aa65ac9598e83335b478ac49fdb38a50c5569b2

C:\Users\Admin\AppData\Local\Temp\scriptkidFILES\Downloads\WaitConvertFrom.xls

MD5 0e48c57da2b1dcb1cf6aee36b94eddf7
SHA1 2d3aeb9dbd14b2b3064ec74c34cb82888e04d2a3
SHA256 82a31af549084221078ba5ad1e15b06d86e3ea5bab066b0c3adb65136b4d4454
SHA512 08b1051db46e1205c32cfdd2c8868681be945cc6cf0777b5ae9cab6b416288c514cf7903346ebffa5f0a62a233682f98cb66317bdfa32a649581608a77e7dc8e