f58ac6b991a503807a3a3fade41d5f6b45165652819ba658b35b9eea81e94865

Resubmissions

10/01/2024, 19:46

240110-yhag1sgae6 7

10/01/2024, 19:42

240110-yepsjafbgk 7

Analysis

max time kernel
46s
max time network
137s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

DuelistsOfEden.exe
Size

71.2MB
MD5

695aaf2e03fc507e468872cb8b641195
SHA1

40fad25eac232d5e3f085a313727a0e328b24b72
SHA256

f58ac6b991a503807a3a3fade41d5f6b45165652819ba658b35b9eea81e94865
SHA512

d5e81c11800dcf095ad2f49dddbd831fba47d6a8508a0a04b006ebf05faa137a8cf697ffa75b7644a1e261b06d516496da094255ff1b74aaa7619a806ab678ba
SSDEEP

1572864:m4/4rzOchPbj025MHh8F3kbIlyaSz3Ek+yvDuWjXMzbP0TvZluHdg0VwGF7:tkqcdbj0CwyejzvDHXMzQzZlQG27

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2212	DuelistsOfEden.exe

Loads dropped DLL 5 IoCs

pid	Process
2916	DuelistsOfEden.exe
2916	DuelistsOfEden.exe
2916	DuelistsOfEden.exe
2916	DuelistsOfEden.exe
2212	DuelistsOfEden.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1944	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
4696	tasklist.exe
400	tasklist.exe
6164	tasklist.exe
2816	tasklist.exe
3084	tasklist.exe
3332	tasklist.exe
3240	tasklist.exe
3124	tasklist.exe
5668	tasklist.exe
5156	tasklist.exe
4672	tasklist.exe
3216	tasklist.exe
2496	tasklist.exe
6172	tasklist.exe
5192	tasklist.exe
832	tasklist.exe
3108	tasklist.exe
4780	tasklist.exe
2408	tasklist.exe
3116	tasklist.exe
4016	tasklist.exe
4888	tasklist.exe
3272	tasklist.exe
1608	tasklist.exe
5608	tasklist.exe
3776	tasklist.exe
3512	tasklist.exe
3448	tasklist.exe
3296	tasklist.exe
3288	tasklist.exe
4280	tasklist.exe
4448	tasklist.exe
4908	tasklist.exe
4860	tasklist.exe
4772	tasklist.exe
3228	tasklist.exe
5252	tasklist.exe
6220	tasklist.exe
4900	tasklist.exe
3316	tasklist.exe
5108	tasklist.exe
5468	tasklist.exe
5332	tasklist.exe
6148	tasklist.exe
3572	tasklist.exe
3256	tasklist.exe
3912	tasklist.exe
5716	tasklist.exe
5316	tasklist.exe
4928	tasklist.exe
3624	tasklist.exe
1864	tasklist.exe
4440	tasklist.exe
4916	tasklist.exe
5124	tasklist.exe
6156	tasklist.exe
3364	tasklist.exe
4332	tasklist.exe
4508	tasklist.exe
5324	tasklist.exe
5288	tasklist.exe
1140	tasklist.exe
1308	tasklist.exe
936	tasklist.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2916	DuelistsOfEden.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2212	2916	DuelistsOfEden.exe	30
PID 2916 wrote to memory of 2212	2916	DuelistsOfEden.exe	30
PID 2916 wrote to memory of 2212	2916	DuelistsOfEden.exe	30
PID 2916 wrote to memory of 2212	2916	DuelistsOfEden.exe	30

C:\Users\Admin\AppData\Local\Temp\DuelistsOfEden.exe
"C:\Users\Admin\AppData\Local\Temp\DuelistsOfEden.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe
  C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2948
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2408
- - C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe
    "C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=980 --field-trial-handle=1104,13320161744010141794,3055889833786331363,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2916 get ExecutablePath"
    3⤵
    PID:856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=2916 get ExecutablePath
      4⤵
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2892
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3764
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:3868
  - - C:\Windows\system32\more.com
      more +1
      4⤵
      PID:3956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic OS get caption, osarchitecture
      4⤵
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:3856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5340
- - C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe
    "C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=3108 --field-trial-handle=1104,13320161744010141794,3055889833786331363,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:3824
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:5460
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:6184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3816
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3804
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3756
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3748
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3708
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:5476
- - C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe
    "C:\Users\Admin\AppData\Local\Temp\2alkexpeevDT4X9OxF1cLMxC6eL\DuelistsOfEden.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3040 --field-trial-handle=1104,13320161744010141794,3055889833786331363,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:5064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3052

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3316

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3412

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3592

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3912

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3124

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4280

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4332

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4448

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4440

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4508

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4500

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4696

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4728

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4828

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4916

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4964

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5108

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5124

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5252

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5576

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5716

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5416

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5392

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5332

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5316

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:6192

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6220

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6172

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6164

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6156

C:\Windows\system32\more.com
more +1
1⤵
PID:6400

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
1⤵
PID:324

C:\Windows\system32\more.com
more +1
1⤵
PID:2704

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
1⤵
PID:1864

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3116

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5288

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5192

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5156

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2816

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3776

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:1140

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3084

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:832

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3108

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4016

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4928

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4908

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4900

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4888

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4880

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4872

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4860

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4780

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4772

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4736

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4720

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4712

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4680

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4672

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3632

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3572

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3564

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3512

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3448

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3440

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3424

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3396

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3388

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3364

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3356

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3348

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3332

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3324

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3296

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3288

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3272

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3256

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3240

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3228

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3216

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:1308

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2496

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:2432

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:1864

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:1608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\DuelistsOfEden.exe

Filesize
64KB

MD5
8521c5a833d91bed62ca9a045b0137a7

SHA1
81779d2498279a304c6a0244d029150c20547051

SHA256
addd347ffb8af69ab5ea3f5339906590ea5d22b4b479c5ff409cfcd22e80804f

SHA512
38d5987c5d7e0651c19d5406bb1df950e0b8bc1b1957dee79250060798a1cbc888bb51a2f3c3a015db248c855211052c1335f6e5c02767029a44d4e0c6e80766

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\LICENSES.chromium.html

Filesize
92KB

MD5
984d548137c4e646ea761aaee0d14b81

SHA1
ef041badd7553898d5f16932e1a09f8d67dee3e3

SHA256
2ff99013976b7c86faf3ca716af2cc61d81ec5b3042751fbc215635af299aa40

SHA512
d5d6a03a100c7fbc5c2ed71c46a9fc018ec8f48fb1a72f33c5264d4b4c4865f506f34f44b839ea7ea67f69fa7c3bba7f340ff3cb6bc88c49befde8aacbde10fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\d3dcompiler_47.dll

Filesize
2.6MB

MD5
bd734535fc34e77a5ab128b49da1b485

SHA1
e793c5d37e3bfe50946da9819414377fac1bd51c

SHA256
a6d06723d1860ddd8994af360f94d5a12e720a279330768081ea8bcc05b997a9

SHA512
5164bebd6fa64adb966cd534ebd4d0996bf8ec34055a523cf0100587a8476123bb9197d3bf0ea277fb5ebd7dd07c4348c2a0a0013ee7e90baba17cbb9bb9a82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\ffmpeg.dll

Filesize
931KB

MD5
3ec439079b4cbba37fb696c14c9fd1fd

SHA1
11fa1bad11a6cd041c62896d5d7c4c14ab42c739

SHA256
a36b0a7ecd0255f7dcfbd7aa271271061b1263c7652f4bee48e0464d4e1a4504

SHA512
b0f44b9e38454310df48a59d88fc75112a3d77083077a98c06e9898fc654dd7cd64270bd9927f343723d025d805cefd52850b63423445087e4580008abfd45ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\icudtl.dat

Filesize
193KB

MD5
31cb0e5d642033ba6a1f8d943619d9e7

SHA1
f64f7d793df5805f20a3b80f750537302b1169ff

SHA256
122ecde8404a93810283baea9080bea8882d6cd1b9c0c0b3521f214fa226365a

SHA512
5f97fe7ca94f56e2b1c231e0b3296a1fe8bb4733f3a33d07d49a983eb9f6930a3ecdc4091a046f8750d33d9b3bc9b7f7f24981e0045e59b084ecd1c43ff9767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj9906.tmp\7z-out\libGLESv2.dll

Filesize
93KB

MD5
d3b5aa809e321dc7811ff64d4084b572

SHA1
0be5ef7dc3975d702219dae80cdd599156a580cd

SHA256
7e91c4badacf6da0d66839327242200e58321297fe620fe771608131b237ce5b

SHA512
ef9ba55c0f8b5567558eabeef9bbd13d1bcfed47e92fbcbf74ee13aaff65f06c389de5fdfbc953cd6116094ac4f93bb0832bc20d0f5b0782a9c35ee99b71ff4f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9906.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj9906.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/1028-590-0x0000000077460000-0x0000000077461000-memory.dmp

Filesize
4KB

Download
memory/1028-556-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1864-688-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-684-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1864-686-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-685-0x000007FEF2F40000-0x000007FEF38DD000-memory.dmp

Filesize
9.6MB

Download
memory/1864-689-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-683-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/1864-687-0x000007FEF2F40000-0x000007FEF38DD000-memory.dmp

Filesize
9.6MB

Download
memory/1864-690-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-773-0x000007FEF2F40000-0x000007FEF38DD000-memory.dmp

Filesize
9.6MB

Download
memory/1864-774-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-775-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-777-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download
memory/1864-778-0x00000000029C0000-0x0000000002A40000-memory.dmp

Filesize
512KB

Download