Extract_MAS_1.2.cmd
This report is generated from a file or URL submitted to this webservice on January 17th 2020 18:38:11 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Indicators
-
Malicious Indicators 2
-
System Security
-
Executes powershell requesting to bypass execution policy
- details
-
Process "powershell.exe" with commandline "powershell -nop -ep bypass -c "$f=[io.file]::ReadAllText('C:\Extract_MAS_1.2.cmd') -split \":Files\:.*`r`n\"; [io.file]::WriteAllText('%TEMP%\_test.1',$f[1].Trim(),[System.Text.Encoding]::ASCII);""
Process "powershell.exe" with commandline "powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_test.1').Hash""
Process "powershell.exe" with commandline "powershell -nop -ep bypass -c write-host -back Black -fore Red ==== ERROR ====" - source
- Monitored Target
- relevance
- 5/10
- ATT&CK ID
- T1086
-
Unusual Characteristics
-
Spawns a lot of processes
- details
-
Spawned process "cmd.exe" with commandline "/c ""C:\Extract_MAS_1.2.cmd" ""
Spawned process "mode.com" with commandline "mode con: cols=80 lines=15"
Spawned process "cmd.exe" with commandline "/c ver"
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c "$f=[io.file]::ReadAllText('C:\Extract_MAS_1.2.cmd') -split \":Files\:.*`r`n\"; [io.file]::WriteAllText('%TEMP%\_test.1',$f[1].Trim(),[System.Text.Encoding]::ASCII);""
Spawned process "cmd.exe" with commandline "/c powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_test.1').Hash""
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_test.1').Hash""
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c write-host -back Black -fore Red ==== ERROR ====" - source
- Monitored Target
- relevance
- 8/10
-
Suspicious Indicators 5
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "bhxreiqq6bq@7ft.of"
Pattern match: "bl@9pu.zgn"
Pattern match: "m@2k.qjdz"
Pattern match: "d@e.7c"
Pattern match: "agfa@vnvc.ogdaj.om5lcti"
Pattern match: "l3r.@5u6hgevt.p"
Pattern match: "qzk@ljahirfi.su"
Pattern match: "mye1tfj@z.dry"
Pattern match: "e@ch__.rnt1wl"
Pattern match: "u@nth.m5if"
Pattern match: "f@tsk.imr"
Pattern match: "etp@l.1"
Pattern match: "tiyo-@bmdmnm.g"
Pattern match: "xu@gd.qfe"
Pattern match: "qu@skfc.8o"
Pattern match: "a8xaig@_.2"
Pattern match: "taa@cl8.1gz"
Pattern match: "ltx@6.7"
Pattern match: "lyh5a@8jbp..myi"
Pattern match: "xn@6.f" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114
-
Installation/Persistence
-
Allocates virtual memory in a remote process
- details
- "cmd.exe" allocated memory in "\Device\MountPointManager"
- source
- API Call
- relevance
- 7/10
- ATT&CK ID
- T1055
-
Drops executable files
- details
- "MODE.COM.5E220D79.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Writes data to a remote process
- details
-
"cmd.exe" wrote 32 bytes to a remote process "%WINDIR%\System32\mode.com" (Handle: 88)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 88)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\mode.com" (Handle: 88)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 96)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 96)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 96)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 108)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 108)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 108)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 80)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 80)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 80) - source
- API Call
- relevance
- 6/10
- ATT&CK ID
- T1055
-
Unusual Characteristics
-
Reads information about supported languages
- details
- "mode.com" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Informative 15
-
Anti-Reverse Engineering
-
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
- "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source
- API Call
- relevance
- 10/10
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/56 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Creates a writable file in a temporary directory
- details
- "powershell.exe" created file "%TEMP%\_test.1"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\_SHuassist.mtx"
"_SHuassist.mtx" - source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "MODE.COM.5E220D79.bin" as clean (type is "PE32 executable (console) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads the .NET runtime environment
- details
-
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 6BD00000
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 6BEC0000
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll" at 65910000 - source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "mode.com" was launched with new environment variables: "PROMPT="$P$G""
Process "powershell.exe" was launched with new environment variables: "_work="C:", nul="1>nul 2>nul", EchoRed="powershell -nop -ep bypass -c write-host -back Black -fore Red", EchoGreen="powershell -nop -ep bypass -c write-host -back Black -fore Green", ahash="658A1C806F0D271E84E5D2D04FA9C93031D5B7DE", ELine="echo: & powershell -nop -ep bypass -c write-host -back Black -fore Red ==== ERROR ==== &echo:", _psc="powershell -nop -ep bypass -c", Line="echo _________________________________________________________", _batp="C:\Extract_MAS_1.2.cmd", _batf="C:\Extract_MAS_1.2.cmd", winbuild="7601"" - source
- Monitored Target
- relevance
- 10/10
-
Spawns new processes
- details
-
Spawned process "mode.com" with commandline "mode con: cols=80 lines=15"
Spawned process "cmd.exe" with commandline "/c ver"
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c "$f=[io.file]::ReadAllText('C:\Ex ..."
Spawned process "cmd.exe" with commandline "/c powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\ ..."
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_t ..."
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c write-host -back Black -fore Red ..." - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "mode.com" with commandline "mode con: cols=80 lines=15"
Spawned process "cmd.exe" with commandline "/c ver"
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c "$f=[io.file]::ReadAllText('C:\Ex ..."
Spawned process "cmd.exe" with commandline "/c powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\ ..."
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_t ..."
Spawned process "powershell.exe" with commandline "powershell -nop -ep bypass -c write-host -back Black -fore Red ..." - source
- Monitored Target
- relevance
- 3/10
-
Installation/Persistence
-
Creates new processes
- details
-
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\mode.com", Handle: 88)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 108)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 96)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\cmd.exe", Handle: 100)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 108)
"cmd.exe" is creating a new process (Name: "%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe", Handle: 80) - source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"MODE.COM.5E220D79.bin" has type "PE32 executable (console) Intel 80386 for MS Windows"
"IY7917FN85RR7U7839U6.temp" has type "data"
"WI2WNI2W18FOIG4M5KLV.temp" has type "data"
"_test.1" has type "ASCII text with CRLF line terminators"
"TC90G173NQ0NX5DYOJVH.temp" has type "data" - source
- Binary File
- relevance
- 3/10
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
-
"cmd.exe" opened "\Device\MountPointManager"
"powershell.exe" opened "\Device\MountPointManager" - source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"cmd.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"cmd.exe" touched file "C:\Windows\AppPatch\sysmain.sdb"
"cmd.exe" touched file "C:\Windows\System32\mode.com"
"powershell.exe" touched file "C:\Windows\System32\WindowsPowerShell\v1.0\en-US\powershell.exe.mui"
"powershell.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001b.db"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini"
"powershell.exe" touched file "C:\Windows\System32\en-US\shell32.dll.mui"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini"
"powershell.exe" touched file "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations"
"powershell.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms"
"powershell.exe" touched file "C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk"
"powershell.exe" touched file "C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk\desktop.ini"
"powershell.exe" touched file "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.nsaneforums.com/topic/316668-microsoft-activation-scripts/"
Pattern match: "https://github.com/gurnec/HashCheck/releases/latest"
Pattern match: "https://github.com/AveYo/Compressed2TXT"
Pattern match: "ZCuHcxNRdxU.xeK/IP"
Pattern match: "FH.mb/NozeV7BKp@Xb9Xm@|9fUa2WQDz=bM0D-|dqBMwRhf~6|"
Heuristic match: "::O.mL.{$;eJ[3u|xmV~F;aSBaBlyBoN|Es/,8d!6J#;zV/4xKUPlxm6@Q+xKsI{he[ZZtl|#h2qL9vwtCv-Iqr$/G_,RlG/J?lSQtsE,4}8.pn7dKS5in__wBIx.ki"
Pattern match: "NTLWAF7CA.Iw/+]Nrqc6{=UF.r.eLl|1NRjY]iyr^Q+-@Ej.LkwN#?I"
Pattern match: "v.QvV/G-Z]wBfGv!~eH&r2"
Pattern match: "7.uEg/1MwTDZ-+}zASLa/cBzdG(X_i&JJ)jGWE|[A"
Pattern match: "Pmw.Fuoj/,zXJuV@ZhP{y"
Pattern match: "T.OtO/Ora2-(y_y)A"
Pattern match: "Xak.rRW/Kf]/ji!!.OF[PhR@"
Pattern match: "laep.Xb/9.xz-b5_GEyFmvor;mx"
Pattern match: "O.IfD/FQdBF"
Pattern match: "8XB.JH/p6J5K/IB"
Pattern match: "gZye.ja/+D]@?@{X"
Pattern match: "0s.MeO/kyrk9oLAB[PZ45AXRz283Aqq/"
Pattern match: "jm.HF/bU[zRgjnTqEdGKT]YgLiJitUzu?j!|oI!l^iFWD/xe9"
Pattern match: "Xy.bP/H/|7~D=wBJ&F--D5FjQ3mVqS.$#[Tl&$fEjri4lMB5@uEbHSuyA"
Heuristic match: "::jn2pOqU~fYv3b3gyBcb)5leau_;hJ[kp3}}gwaPxngC;Et|;_o12Rs3!JXi0bFXV~6~&yS_IAyC9WRw9/n+RR6^-+GL+YJyP)@VDhqPU^day,qb2E7J[POn2u#.gM"
Pattern match: "NZ..ea/f2Pks;sP,[CEj[oxaRY&q0olfYrkrfyjZ!N7!MFp;B@0kp&eq()oXCd}HzO&zX9qA-$J3hcucRr~@x+D,!p"
Heuristic match: "::!p1v9+}lqy;Nq$ObG@@6{(|~nEYkmS0/$+11N8Zac[?Yp2kp_--kX?ee?&7.W24fD9ysCWi]cg/cn0oIIJ;,NlAGPflB5Tu]hVU~=@v5UW/m?=J/UPO7a#AxVE.cM"
Pattern match: "dMyD2hVH.iGY/0u5L32;phJS7+{2kKwq!Pnw#^I&LLveLqo/97HhC@fv"
Heuristic match: "::!Wyf6$h@g[{JYC1GoXj{i4s(-Pg7ghbV7Ylk@nM;J--P)xrB8Qxct5JEZk~rKQWGhNA.!eOYz!9Cp6spkAzDfz#d;4YwTg0&3YX9sl@AyIqI&LZ9/m6m(PxY4v.cR"
Heuristic match: "::o4vv.vVR0ZK^GQ]@y4gJsAx++xs.U~k/7}nVPb2H&Wx4HaTAnb_ciVaO+1n~;X3gv$;5w#.@aVEp_|0xy-C]n)v59-c?(,X/d7+pu;pni+jHcWD$H3MZY6Z|!x.gT"
Heuristic match: "::i,kJg#?H68|0k3ePi=ElrFRI;OtAG8v6-a8$@#PhB^pEsI3nSi6-$uu7B;wKhI~]uVVjT#llub+&iOeN-dyT?dNb+j6;y|T.@-53Cy_5Czi@ci9OvtByZ=&4Iz.Cd"
Heuristic match: "::D(uitj}~IbC=0oU)c(&E71{3at.2U!E_P#]@(,6{#~&{mYoU|tk5k{)-ij(E(^[WsAFw7N]IfR;[t#ElIL[fgV{xl^F,tiYC2Xli==F{4W4w]8DS=enY9]xtZA.MK"
Pattern match: "Pm.gEiK/EOn&r(FbU!oW}&oJo/5)0X]Is"
Pattern match: "Wqh3.dE/dzgd&CitAj3B.dlr,hN$,AOUIrl"
Pattern match: "or.iJ/lr09K5TV" - source
- File/Memory
- relevance
- 10/10
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"powershell.exe" wrote bytes "d055057664730e760000000051c1307794983077ee9c307775dc3277273e32770fb3367700000000acdc43751bf74375c1084575c0d94375152e437536da4375d5d9437530c64375e0c2437542c643751bc6437586c4437572c6437500000000" to virtual address "0x71951000" (part of module "SHFOLDER.DLL")
"powershell.exe" wrote bytes "bcf09967" to virtual address "0x6C8A1FFC" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "c04e1a7720541b77e0651b77b5381c770000000000d0437500000000c5ea43750000000088ea437500000000e968247582281c77ee291c7700000000d2692475000000007dbb43750000000009be247500000000ba18437500000000" to virtual address "0x773B1000" (part of module "NSI.DLL")
"powershell.exe" wrote bytes "3ca3e2b5" to virtual address "0x6C9C1FFC" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "d055057664730e760000000051c1307794983077ee9c307775dc3277273e32770fb3367700000000acdc43751bf74375c1084575c0d94375152e437536da4375d5d9437530c64375e0c2437542c643751bc6437586c4437572c6437500000000" to virtual address "0x734F1000" (part of module "SHFOLDER.DLL")
"powershell.exe" wrote bytes "d055057664730e760000000051c1307794983077ee9c307775dc3277273e32770fb3367700000000acdc43751bf74375c1084575c0d94375152e437536da4375d5d9437530c64375e0c2437542c643751bc6437586c4437572c6437500000000" to virtual address "0x71991000" (part of module "SHFOLDER.DLL")
"powershell.exe" wrote bytes "bb80eeaa" to virtual address "0x6C411FFC" (part of module "MSCORWKS.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
File Details
Extract_MAS_1.2.cmd
- Filename
- Extract_MAS_1.2.cmd
- Size
- 4.1MiB (4313560 bytes)
- Type
- script cmd
- Description
- ASCII text, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- e3ea90dac2880ba52d1bedfbdc29d03604831b27dbcd4d8236b742c59968e127
- MD5
- 57262f51ea31c066acadc1281142fa59
- SHA1
- 7e3fc72dc395a945496f8e7dc88c5cb55cbd8328
- ssdeep
- 49152:WMAAVwMfa3pfAdmNLeEto2alCZK2ZYrSBkpmH4YWwTr6zZ8j8OXJFkMO1h/bUGtS:uAV5ydtqEjoCkPu4mxTr/5LN
Screenshots
Hybrid Analysis
Analysed 7 processes in total.
-
cmd.exe
/c ""C:\Extract_MAS_1.2.cmd" "
(PID: 4528)
- mode.com mode con: cols=80 lines=15 (PID: 3932)
- cmd.exe /c ver (PID: 4040)
- powershell.exe powershell -nop -ep bypass -c "$f=[io.file]::ReadAllText('C:\Extract_MAS_1.2.cmd') -split \":Files\:.*`r`n\"; [io.file]::WriteAllText('%TEMP%\_test.1',$f[1].Trim(),[System.Text.Encoding]::ASCII);" (PID: 4412)
-
cmd.exe
/c powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_test.1').Hash"
(PID: 4584)
- powershell.exe powershell -nop -ep bypass -c "(Get-FileHash -a SHA1 '%TEMP%\_test.1').Hash" (PID: 4452)
- powershell.exe powershell -nop -ep bypass -c write-host -back Black -fore Red ==== ERROR ==== (PID: 2248)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Clean 1
-
-
MODE.COM.5E220D79.bin
- Size
- 25KiB (25088 bytes)
- Type
- peexe executable
- Description
- PE32 executable (console) Intel 80386, for MS Windows
- AV Scan Result
- 0/84
- MD5
- f015208f1f8473ba2e4bc229e0d38efd
- SHA1
- 1b959d6c227e41ab4eb2b381ea69358a2e04febb
- SHA256
- efc11f8fcdd0a8649ebee758b105db10536e895ea6d586a07b61f68b1e5dbd20
-
-
Informative Selection 3
-
-
TC90G173NQ0NX5DYOJVH.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 4412)
- MD5
- 48b4244a8aa0011d620aa4580733b009
- SHA1
- d8b8559501f63b9af8cb5fc31ed6601337acfab2
- SHA256
- c08f3ff1fc4d23ad8c84569dfe27e836612495a6d4f71226cc8a1766cf736b97
-
WI2WNI2W18FOIG4M5KLV.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 2248)
- MD5
- 48b4244a8aa0011d620aa4580733b009
- SHA1
- d8b8559501f63b9af8cb5fc31ed6601337acfab2
- SHA256
- c08f3ff1fc4d23ad8c84569dfe27e836612495a6d4f71226cc8a1766cf736b97
-
_test.1
- Size
- 4.1MiB (4303915 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- powershell.exe (PID: 4412)
- MD5
- 6313e11ad75e65104d8bf7e77a35ef68
- SHA1
- 658a1c806f0d271e84e5d2d04fa9c93031d5b7de
- SHA256
- e66270bd0aab318026b298aa9e3b6454f22247ffadb4ef3f4c563e8a40ac45c5
-
-
Informative 1
-
-
IY7917FN85RR7U7839U6.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 4452)
- MD5
- 48b4244a8aa0011d620aa4580733b009
- SHA1
- d8b8559501f63b9af8cb5fc31ed6601337acfab2
- SHA256
- c08f3ff1fc4d23ad8c84569dfe27e836612495a6d4f71226cc8a1766cf736b97
-
Notifications
-
Runtime
- Not all Falcon MalQuery lookups completed in time
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)