e66d7a22d95abdf72b17c3612978e29bae0a56ff4884bb15e020e68077a0b64d

Analysis

max time kernel
149s
max time network
127s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-01-2024 03:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NovaTest.exe
Size

139.5MB
MD5

d0e80afed36161fc5be2d69bf2b71642
SHA1

9573533154e1cd757d589a1e889e90f795a2b504
SHA256

3617f86ec8fe425e48eed873472e12c69a72f9abcfc9c28df3a9f478fab61b3f
SHA512

911780dfe27c73452373021f325d325324c83bc9ae8cfdcb7ac700d3b33799b5ce5d555ed90ce9662708a10636fe1288b457ed16947768d512e013876bf09a36
SSDEEP

786432:f14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:f14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
2076	NovaTest.exe
2076	NovaTest.exe
2076	NovaTest.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NovaTest.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	NovaTest.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NovaTest.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	NovaTest.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	NovaTest.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	NovaTest.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	NovaTest.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
6748	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
1992	tasklist.exe
5256	tasklist.exe
5364	tasklist.exe
3984	tasklist.exe
1688	tasklist.exe
5676	tasklist.exe
4024	tasklist.exe
5520	tasklist.exe
4016	tasklist.exe
2476	tasklist.exe
5404	tasklist.exe
5444	tasklist.exe
5668	tasklist.exe
5920	tasklist.exe
4800	tasklist.exe
4208	tasklist.exe
4128	tasklist.exe
3808	tasklist.exe
3636	tasklist.exe
1624	tasklist.exe
5948	tasklist.exe
2908	tasklist.exe
4776	tasklist.exe
4768	tasklist.exe
4032	tasklist.exe
3560	tasklist.exe
3148	tasklist.exe
2628	tasklist.exe
1264	tasklist.exe
2792	tasklist.exe
2180	tasklist.exe
1536	tasklist.exe
1776	tasklist.exe
1652	tasklist.exe
5424	tasklist.exe
1700	tasklist.exe
1548	tasklist.exe
4136	tasklist.exe
1480	tasklist.exe
5372	tasklist.exe
3180	tasklist.exe
4760	tasklist.exe
2640	tasklist.exe
3976	tasklist.exe
3568	tasklist.exe
932	tasklist.exe
4040	tasklist.exe
600	tasklist.exe
4784	tasklist.exe
4692	tasklist.exe
3308	tasklist.exe
3628	tasklist.exe
5500	tasklist.exe
2072	tasklist.exe
2920	tasklist.exe
2768	tasklist.exe
1748	tasklist.exe
2576	tasklist.exe
4904	tasklist.exe
3908	tasklist.exe
1532	tasklist.exe
5344	tasklist.exe
5396	tasklist.exe
5840	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2076	NovaTest.exe
2076	NovaTest.exe
6820	powershell.exe
6820	powershell.exe
2076	NovaTest.exe
2076	NovaTest.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeSecurityPrivilege	2592	WMIC.exe
Token: SeTakeOwnershipPrivilege	2592	WMIC.exe
Token: SeLoadDriverPrivilege	2592	WMIC.exe
Token: SeSystemProfilePrivilege	2592	WMIC.exe
Token: SeSystemtimePrivilege	2592	WMIC.exe
Token: SeProfSingleProcessPrivilege	2592	WMIC.exe
Token: SeIncBasePriorityPrivilege	2592	WMIC.exe
Token: SeCreatePagefilePrivilege	2592	WMIC.exe
Token: SeBackupPrivilege	2592	WMIC.exe
Token: SeRestorePrivilege	2592	WMIC.exe
Token: SeShutdownPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2592	WMIC.exe
Token: SeRemoteShutdownPrivilege	2592	WMIC.exe
Token: SeUndockPrivilege	2592	WMIC.exe
Token: SeManageVolumePrivilege	2592	WMIC.exe
Token: 33	2592	WMIC.exe
Token: 34	2592	WMIC.exe
Token: 35	2592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2592	WMIC.exe
Token: SeSecurityPrivilege	2592	WMIC.exe
Token: SeTakeOwnershipPrivilege	2592	WMIC.exe
Token: SeLoadDriverPrivilege	2592	WMIC.exe
Token: SeSystemProfilePrivilege	2592	WMIC.exe
Token: SeSystemtimePrivilege	2592	WMIC.exe
Token: SeProfSingleProcessPrivilege	2592	WMIC.exe
Token: SeIncBasePriorityPrivilege	2592	WMIC.exe
Token: SeCreatePagefilePrivilege	2592	WMIC.exe
Token: SeBackupPrivilege	2592	WMIC.exe
Token: SeRestorePrivilege	2592	WMIC.exe
Token: SeShutdownPrivilege	2592	WMIC.exe
Token: SeDebugPrivilege	2592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2592	WMIC.exe
Token: SeRemoteShutdownPrivilege	2592	WMIC.exe
Token: SeUndockPrivilege	2592	WMIC.exe
Token: SeManageVolumePrivilege	2592	WMIC.exe
Token: 33	2592	WMIC.exe
Token: 34	2592	WMIC.exe
Token: 35	2592	WMIC.exe
Token: SeDebugPrivilege	1992	tasklist.exe
Token: SeDebugPrivilege	932	tasklist.exe
Token: SeDebugPrivilege	2576	tasklist.exe
Token: SeDebugPrivilege	2476	tasklist.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeDebugPrivilege	1536	tasklist.exe
Token: SeDebugPrivilege	984	tasklist.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	2560	tasklist.exe
Token: SeDebugPrivilege	1548	tasklist.exe
Token: SeDebugPrivilege	1376	tasklist.exe
Token: SeDebugPrivilege	1688	tasklist.exe
Token: SeShutdownPrivilege	2076	NovaTest.exe
Token: SeShutdownPrivilege	2076	NovaTest.exe
Token: SeDebugPrivilege	1624	tasklist.exe
Token: SeDebugPrivilege	1480	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	1748	tasklist.exe
Token: SeDebugPrivilege	1264	tasklist.exe
Token: SeDebugPrivilege	1700	tasklist.exe
Token: SeDebugPrivilege	2072	tasklist.exe
Token: SeDebugPrivilege	1600	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2740	2076	NovaTest.exe	29
PID 2076 wrote to memory of 2740	2076	NovaTest.exe	29
PID 2076 wrote to memory of 2740	2076	NovaTest.exe	29
PID 2740 wrote to memory of 2908	2740	cmd.exe	31
PID 2740 wrote to memory of 2908	2740	cmd.exe	31
PID 2740 wrote to memory of 2908	2740	cmd.exe	31
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2760	2076	NovaTest.exe	30
PID 2076 wrote to memory of 2268	2076	NovaTest.exe	299
PID 2076 wrote to memory of 2268	2076	NovaTest.exe	299
PID 2076 wrote to memory of 2268	2076	NovaTest.exe	299
PID 2268 wrote to memory of 2592	2268	cmd.exe	33
PID 2268 wrote to memory of 2592	2268	cmd.exe	33
PID 2268 wrote to memory of 2592	2268	cmd.exe	33
PID 2076 wrote to memory of 1680	2076	NovaTest.exe	297
PID 2076 wrote to memory of 1680	2076	NovaTest.exe	297
PID 2076 wrote to memory of 1680	2076	NovaTest.exe	297
PID 2076 wrote to memory of 1436	2076	NovaTest.exe	296
PID 2076 wrote to memory of 1436	2076	NovaTest.exe	296
PID 2076 wrote to memory of 1436	2076	NovaTest.exe	296
PID 2076 wrote to memory of 1568	2076	NovaTest.exe	295
PID 2076 wrote to memory of 1568	2076	NovaTest.exe	295
PID 2076 wrote to memory of 1568	2076	NovaTest.exe	295
PID 2076 wrote to memory of 1616	2076	NovaTest.exe	294
PID 2076 wrote to memory of 1616	2076	NovaTest.exe	294
PID 2076 wrote to memory of 1616	2076	NovaTest.exe	294
PID 2076 wrote to memory of 2692	2076	NovaTest.exe	293
PID 2076 wrote to memory of 2692	2076	NovaTest.exe	293
PID 2076 wrote to memory of 2692	2076	NovaTest.exe	293
PID 2076 wrote to memory of 2700	2076	NovaTest.exe	292
PID 2076 wrote to memory of 2700	2076	NovaTest.exe	292
PID 2076 wrote to memory of 2700	2076	NovaTest.exe	292
PID 2076 wrote to memory of 2840	2076	NovaTest.exe	291
PID 2076 wrote to memory of 2840	2076	NovaTest.exe	291
PID 2076 wrote to memory of 2840	2076	NovaTest.exe	291
PID 2076 wrote to memory of 784	2076	NovaTest.exe	290
PID 2076 wrote to memory of 784	2076	NovaTest.exe	290
PID 2076 wrote to memory of 784	2076	NovaTest.exe	290

C:\Users\Admin\AppData\Local\Temp\NovaTest.exe
"C:\Users\Admin\AppData\Local\Temp\NovaTest.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\NovaTest.exe
  "C:\Users\Admin\AppData\Local\Temp\NovaTest.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=976 --field-trial-handle=1188,1880356648581275793,868042866137759177,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1608
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2516
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3280
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:3620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3744
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:4400
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:5544
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:4680
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:5456
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:5464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:4672
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:5908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4376
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4296
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4272
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4256
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4248
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4216
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4196
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3468
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3652
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3460
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2076 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:6656
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:6676
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:6684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:6720
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:6760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:6748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:6796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6820

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2076 get ExecutablePath
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2792

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2920

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2180

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3180

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4800

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4816

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4904

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4884

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4876

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4792

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4784

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4776

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4768

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4760

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4752

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4692

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4232

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4208

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4136

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4128

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3952

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3308

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4076

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4040

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4032

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4024

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:4016

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:4008

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3996

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3984

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3976

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3968

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3908

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3888

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3788

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3636

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3628

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3568

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3560

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3172

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:3156

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2640

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2628

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:2768

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:2096

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:1720

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\0c0996ea-7e81-49d2-820f-6c66379b7314.tmp.node

Filesize
395KB

MD5
15133e2732d84b91a87831f3a4083445

SHA1
623e1809ae8c01b5001d040392b1ccab46ac74b9

SHA256
6f5b814f5492057a4cbbd695619a8c27b5bfdfb3c78a8dda23c9b2eb3e5330bd

SHA512
375822a74d839ab39430851d78f02e37836359d0fab5011493717fbf5c5501aa843ff00a9d49acb2617c44da35c46bab7aede7dec81811e45e2a18986699ca0d

Download Submit
\Users\Admin\AppData\Local\Temp\dd3a961d-a1d4-4f3d-b033-f0f43fc70de3.tmp.node

Filesize
1024KB

MD5
f8e0d5d4978795e0b5c52825453750c5

SHA1
6aa5202c2b39c1c9960998707e8c771bfb3a49a8

SHA256
89bb08902d9d15b1848e190a65020548ee2eea8b710f7093b60e8a65241853ce

SHA512
7b5975b83a43568843f5004809294246422e6bf157904378418d793c26c70570d4d671bd8d7cfa432ada5b014b2db44105bc1031485709cb9b0db0d94e66244e

Download Submit
\Users\Admin\AppData\Local\Temp\dd8f2975-fdfc-48bd-9bfd-7a24727ada46.tmp.node

Filesize
663KB

MD5
9f48ffeb85e4cbe4c86e6debbd3e7d4b

SHA1
baf455abf30872cfdd72d59edfc6f9f411ab63d2

SHA256
b6a81329ab2564ecfdb2b2cfe645b1ed094cea6eee8941f6cb81542ba24355a4

SHA512
3da86de6bdeb8de1b47fddaf9ed1577e8caad71ea1488e113845167a1b4048a97e715f717835345440a23aadc9b883e760f4131f8d5db688e40b413146eedcf0

Download Submit
memory/2760-13-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/6820-70-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/6820-67-0x00000000020D0000-0x00000000020D8000-memory.dmp

Filesize
32KB

Download
memory/6820-68-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/6820-69-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-66-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/6820-72-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-71-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-73-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-160-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp

Filesize
9.6MB

Download
memory/6820-164-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-165-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-166-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download
memory/6820-167-0x0000000002B20000-0x0000000002BA0000-memory.dmp

Filesize
512KB

Download