c496a406536d17e5f8ab08b94b8fa187af12cba398ee9a92cd9ef000d356f904

Analysis

max time kernel
151s
max time network
157s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2024, 20:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

android-studio-ide-193.6514223-windows.exe
Size

871.7MB
MD5

2001691096d16091c21469509c2a2b85
SHA1

2985ab5be5736b8c4ba4e9d6aa821d78e287df8e
SHA256

c496a406536d17e5f8ab08b94b8fa187af12cba398ee9a92cd9ef000d356f904
SHA512

0e0ec7fd3dd6d3d12ecb305339a02e9b3707aa757c717308d30988beeae300e0e898eddfb0fe318ba5c14bbaff8fcc20a51799e0f6a1c4a7b172c1ea66758882
SSDEEP

25165824:7KzhqkpIU3Z1tWQVYNKXtsqlCFKnFGhzfBQ2QtNT5:7usk1XWQV7nlClhztQLT5

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\compiler\visitor.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\jre\jre\bin\java-rmi.exe	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\Kotlin\lib\kotlinx-coroutines-core-1.2.1.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\lib\proxy-vole-1.0.5-jb.2.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\lib\forms-1.1-preview.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\hotshot\__init__.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\jre\jre\lib\fonts\LICENSE.txt	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansMyanmarUI-Regular.ttf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\sampleData\avatars\avatar_2.xml	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\gradle-projects\NewAndroidAutomotiveModule\template.xml	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\firebase-testing\lib\google-api-services-toolresults-v1beta3-rev20151013-1.20.0.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\activities\AndroidTVActivity\root\src\app_package\Movie.java.ftl	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\_threading_local.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\python\lldb\formatters\cpp\__init__.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\lib\ant\README	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\firebase\lib\resources_en.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\pdb.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\encodings\utf_8.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\fragments\GoogleAdMobAdsFragment\globals.xml.ftl	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\msilib\__init__.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\Compose\lib\ant-antlr.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\Kotlin\lib\kotlin-script-runtime.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\activities\SettingsActivity\root\res\drawable\sync.xml	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\textmate\lib\resources_en.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\lib\built-in-server.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\lib\ant\lib\ant-javamail.pom	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\device-art-resources\wear_square\fore.png	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\google-samples\lib\resources_en.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\Kotlin\lib\kotlin-stdlib-jdk7.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansDevanagariUI-Regular.otf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansLao-Bold.ttf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\other\AppActionsResourceFile\globals.xml.ftl	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\SimpleXMLRPCServer.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\encodings\iso2022_jp_3.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\Kotlin\kotlinc\lib\ktor-network-1.0.1.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansTamilUI-Bold.ttf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\java\lib\plexus-utils-3.0.22.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\other\AppWidget\thumbs\template_widget_1x2_vh.png	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\resources\perfetto\arm64-v8a\traced	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\java\lib\jdkAnnotations.jar	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\gradle-projects\NewAndroidTVModule\root\res\mipmap-mdpi\ic_launcher.png	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\encodings\tis_620.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\plat-irix5\panel.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\license\libgtest_prod.txt	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\device-art-resources\wear_round\key.png	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\gradle-projects\NewInstantDynamicFeatureModule\template.xml	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\other\ValueResourceFile\recipe.xml.ftl	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\sampleData\backgrounds\scenic\Lost_in_a_Field.webp	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\studio64.exe	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\plat-aix3\regen	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\pydoc_data\__init__.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansOldTurkic-Regular.ttf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\activities\AndroidTVActivity\root\src\app_package\DetailsActivity.kt.ftl	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\plat-mac\Carbon\AppleEvents.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\device-art-resources\pixel_silver\port_shadow.webp	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansMyanmar-Bold.otf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\activities\SettingsActivity\root\res\drawable\messages.xml	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\gradle-projects\NewAndroidAutomotiveModule\car-module.png	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\activities\MasterDetailFlow\root\res\layout\item_list_content.xml.ftl	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\templates\other\AppWidget\thumbs\template_widget_4x3_vh.png	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\plugins\android\lib\layoutlib\data\fonts\NotoSansSharada-Regular.otf	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\curses\textpad.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\bin\lldb\lib\encodings\utf_7.py	android-studio-ide-193.6514223-windows.exe
File created	C:\Program Files\Android\Android Studio\jre\jre\lib\fonts\DroidSerif-Bold.ttf	android-studio-ide-193.6514223-windows.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe
4148	android-studio-ide-193.6514223-windows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 764	4148	android-studio-ide-193.6514223-windows.exe	80
PID 4148 wrote to memory of 764	4148	android-studio-ide-193.6514223-windows.exe	80
PID 764 wrote to memory of 1640	764	cmd.exe	82
PID 764 wrote to memory of 1640	764	cmd.exe	82
PID 764 wrote to memory of 4936	764	cmd.exe	83
PID 764 wrote to memory of 4936	764	cmd.exe	83
PID 4936 wrote to memory of 3552	4936	cmd.exe	84
PID 4936 wrote to memory of 3552	4936	cmd.exe	84
PID 764 wrote to memory of 4732	764	cmd.exe	85
PID 764 wrote to memory of 4732	764	cmd.exe	85
PID 764 wrote to memory of 2220	764	cmd.exe	86
PID 764 wrote to memory of 2220	764	cmd.exe	86
PID 764 wrote to memory of 5040	764	cmd.exe	87
PID 764 wrote to memory of 5040	764	cmd.exe	87
PID 764 wrote to memory of 4680	764	cmd.exe	88
PID 764 wrote to memory of 4680	764	cmd.exe	88
PID 764 wrote to memory of 3772	764	cmd.exe	89
PID 764 wrote to memory of 3772	764	cmd.exe	89
PID 764 wrote to memory of 5028	764	cmd.exe	90
PID 764 wrote to memory of 5028	764	cmd.exe	90
PID 764 wrote to memory of 2264	764	cmd.exe	91
PID 764 wrote to memory of 2264	764	cmd.exe	91
PID 764 wrote to memory of 2308	764	cmd.exe	92
PID 764 wrote to memory of 2308	764	cmd.exe	92
PID 764 wrote to memory of 4916	764	cmd.exe	93
PID 764 wrote to memory of 4916	764	cmd.exe	93
PID 764 wrote to memory of 1932	764	cmd.exe	94
PID 764 wrote to memory of 1932	764	cmd.exe	94
PID 764 wrote to memory of 420	764	cmd.exe	95
PID 764 wrote to memory of 420	764	cmd.exe	95
PID 764 wrote to memory of 5052	764	cmd.exe	96
PID 764 wrote to memory of 5052	764	cmd.exe	96
PID 764 wrote to memory of 4844	764	cmd.exe	97
PID 764 wrote to memory of 4844	764	cmd.exe	97
PID 764 wrote to memory of 4968	764	cmd.exe	98
PID 764 wrote to memory of 4968	764	cmd.exe	98
PID 764 wrote to memory of 4904	764	cmd.exe	99
PID 764 wrote to memory of 4904	764	cmd.exe	99
PID 764 wrote to memory of 5024	764	cmd.exe	100
PID 764 wrote to memory of 5024	764	cmd.exe	100
PID 764 wrote to memory of 3420	764	cmd.exe	101
PID 764 wrote to memory of 3420	764	cmd.exe	101
PID 764 wrote to memory of 4332	764	cmd.exe	102
PID 764 wrote to memory of 4332	764	cmd.exe	102
PID 764 wrote to memory of 2200	764	cmd.exe	103
PID 764 wrote to memory of 2200	764	cmd.exe	103
PID 764 wrote to memory of 1844	764	cmd.exe	104
PID 764 wrote to memory of 1844	764	cmd.exe	104
PID 764 wrote to memory of 2668	764	cmd.exe	105
PID 764 wrote to memory of 2668	764	cmd.exe	105
PID 764 wrote to memory of 4036	764	cmd.exe	106
PID 764 wrote to memory of 4036	764	cmd.exe	106
PID 764 wrote to memory of 1496	764	cmd.exe	107
PID 764 wrote to memory of 1496	764	cmd.exe	107
PID 764 wrote to memory of 3604	764	cmd.exe	108
PID 764 wrote to memory of 3604	764	cmd.exe	108
PID 764 wrote to memory of 4804	764	cmd.exe	109
PID 764 wrote to memory of 4804	764	cmd.exe	109
PID 764 wrote to memory of 2196	764	cmd.exe	110
PID 764 wrote to memory of 2196	764	cmd.exe	110
PID 764 wrote to memory of 2524	764	cmd.exe	111
PID 764 wrote to memory of 2524	764	cmd.exe	111
PID 764 wrote to memory of 3224	764	cmd.exe	112
PID 764 wrote to memory of 3224	764	cmd.exe	112

C:\Users\Admin\AppData\Local\Temp\android-studio-ide-193.6514223-windows.exe
"C:\Users\Admin\AppData\Local\Temp\android-studio-ide-193.6514223-windows.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\silent_install.bat" -c"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"
    3⤵
    PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"
      4⤵
      PID:3552
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109C80000000100000000F01FEC /s /v DisplayName
    3⤵
    PID:4732
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2220
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109C80090400100000000F01FEC /s /v DisplayName
    3⤵
    PID:5040
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4680
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109E70000000100000000F01FEC /s /v DisplayName
    3⤵
    PID:3772
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\048607A32882C32409BE3B51542ECBA7 /s /v DisplayName
    3⤵
    PID:2264
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2308
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\12B8D03ED28D112328CCF0A0D541598E /s /v DisplayName
    3⤵
    PID:4916
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1932
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1926E8D15D0BCE53481466615F760A7F /s /v DisplayName
    3⤵
    PID:420
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1D5E3C0FEDA1E123187686FED06E995A /s /v DisplayName
    3⤵
    PID:4844
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3BAEED67F2211324387CC05363D3209F /s /v DisplayName
    3⤵
    PID:4904
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:5024
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\44DB0475D85BA123FA0CD6D35465DDC6 /s /v DisplayName
    3⤵
    PID:3420
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4332
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4EA42977E9304AC4784BF2468130180F /s /v DisplayName
    3⤵
    PID:2200
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4F4A3A46297B6D117AA8000B0D813018 /s /v DisplayName
    3⤵
    PID:2668
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4036
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\5040806F8AF9AAC49928419ED5A1D3CA /s /v DisplayName
    3⤵
    PID:1496
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:3604
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\679E80FBE29B63345BF612177149674C /s /v DisplayName
    3⤵
    PID:4804
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2196
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\67D6ECF5CD5FBA732B8B22BAC8DE1B4D /s /v DisplayName
    3⤵
    PID:2524
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:3224
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\68AB67CA7DA73301B744CAF070E41400 /s /v DisplayName
    3⤵
    PID:5044
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:884
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\6E815EB96CCE9A53884E7857C57002F0 /s /v DisplayName
    3⤵
    PID:2052
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2540
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7C9F8B73BF303523781852719CD9C700 /s /v DisplayName
    3⤵
    PID:1868
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1532
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8520DAD7C5154DD39846DB1714990E7F /s /v DisplayName
    3⤵
    PID:2732
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2100
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8800A266DCF6DD54E97A86760485EA5D /s /v DisplayName
    3⤵
    PID:3220
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1688
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\888D68EA4041CC747ABBD8680C05E385 /s /v DisplayName
    3⤵
    PID:3204
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4476
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A22844D82CFCF24B8D1127A5897CF97 /s /v DisplayName
    3⤵
    PID:404
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:3288
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A567BD6FA501A947AD1F646E53EEC14 /s /v DisplayName
    3⤵
    PID:2828
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1664
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\99A1417CB29562244A9E7B761C0DBFFA /s /v DisplayName
    3⤵
    PID:1076
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\99E80CA9B0328e74791254777B1F42AE /s /v DisplayName
    3⤵
    PID:4628
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9B2F610EEF10AAF488E2CE4CF34A7915 /s /v DisplayName
    3⤵
    PID:2936
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2408
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C025571B2A687A53689168CD7369889B /s /v DisplayName
    3⤵
    PID:3180
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:1000
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C3AEB2FCAE628F23AAB933F1E743AB79 /s /v DisplayName
    3⤵
    PID:5032
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:988
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CDA0C311DB9B59F46935F4B55C04DE30 /s /v DisplayName
    3⤵
    PID:2460
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:3336
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\CE6380BC270BD863282B3D74B09F7570 /s /v DisplayName
    3⤵
    PID:4352
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:756
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DC8A59DBF9D1DA5389A1E3975220E6BB /s /v DisplayName
    3⤵
    PID:2312
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:2932
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\EE2B4453F26E11D47BC9D3EDCA9ED45A /s /v DisplayName
    3⤵
    PID:716
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F60730A4A66673047777F5728467D401 /s /v DisplayName
    3⤵
    PID:2084
- - C:\Windows\system32\findstr.exe
    findstr /c:"Hardware Accelerated Execution Manager"
    3⤵
    PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Android\Android Studio\bin\lldb\lib\plat-freebsd8\regen

Filesize
93B

MD5
f38762de7858b6bfafb96a6a88e91ef6

SHA1
b5db6f9c59526ddd54f04683795630f5f8c03ce8

SHA256
0534a0c24c109b17aa517076ccac81fcfe711fb10b8370b51b3c8b1ecd387c3b

SHA512
d75668aaa6035d27a2aade43fd4d1425d358265d860d10350610a52a97efe9d2104bda5b5e3d2686be7fda8bd34063fe6e270b3e533990eb88b4a7c93ee5368a

Download Submit
C:\Program Files\Android\Android Studio\license\google-api-services-analytics.jar-NOTICE

Filesize
10KB

MD5
ebbb25615c2c34e06d83a7f96c912635

SHA1
a77161aaba1e72e666e5e2c5373e2a5c7628f726

SHA256
cd19fcfd7ecf31a740ce81dadaf080fa8356c2a47927dac1c2d52a7335665e2d

SHA512
13920d50dbf26b8db3b2922d4c929f4fa669cd3d72596b4ecb56c39a53e839978327227dc04e48e395a04c174c07bbc65ee0ea613c912a1521de66ae46620360

Download Submit
C:\Program Files\Android\Android Studio\license\libhwui.txt

Filesize
10KB

MD5
9645f39e9db895a4aa6e02cb57294595

SHA1
99f19b0797783be8eaa32d67553b20ab343a2085

SHA256
38751245389e1e23f73e6f5384b5cbe7fa972cc4410c5adc9c04b082a0b9561a

SHA512
af15f175fae59c230152639d481c2960f9122d7494b7b687499e1ae1c98a9df2f347e410724895c1bb3ff18edc3b2f9035b56e876a98ba97cbb3bab674d0c65e

Download Submit
C:\Program Files\Android\Android Studio\plugins\android\lib\templates\fragments\ScrollFragment\globals.xml.ftl

Filesize
109B

MD5
6e3cc3988cb2c7a1bdd5f6fdccb0b2d4

SHA1
194561ea5359bc2217ca577db4726ef17dfc4fd4

SHA256
56fe9661c50a0b9afd5a304210262091e4569a21a1059dd010a5cedc11785e2b

SHA512
0ea98791811e8d9ed29a122e27856ef9f79f9649499f5a03f68d65e0efbdd067c569de54e482f5e3358971bde4642f7958fc66919958255ed0951b45f32cb07c

Download Submit
C:\Program Files\Android\Android Studio\plugins\android\lib\templates\gradle-projects\NewAndroidThingsModule\root\res\values\strings.xml.ftl

Filesize
91B

MD5
31fac6a5a1015efcc137cdc0446202c2

SHA1
b21ab6b228c455f73b227d55ac8c1d74e8e67cec

SHA256
c298377f9eeb1afa231a3924defacab11b0b85e0d068c06e804dd3575109507d

SHA512
51485242b0526a35fd03058bc1360110041ca82508abeba7fd6d8b888c60ad08d761d43f688ae4a5758812191f38445d336de4881ca023de6344f534f49db75c

Download Submit
C:\Program Files\Android\Android Studio\plugins\android\lib\templates\other\Service\globals.xml.ftl

Filesize
155B

MD5
e38c7ec64d0bb4c3928a57888830123c

SHA1
7c69cf76c4c04405e7e68d95f9ebf8a00693bc25

SHA256
4a0e05fa85f24e3d6cbce43d2eeebb9acf6a2a579e9c3c16bf8a96fa38a8c5fa

SHA512
e767e351ca1bee0b71c3fdf2da3578855f9c011914b65615beeb858056d090dbd84684bc25f9003b343f647cb207000f5657354bafab73d4f48d2bdddeb44ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\FindProcDLL.dll

Filesize
3KB

MD5
b4faf654de4284a89eaf7d073e4e1e63

SHA1
8efcfd1ca648e942cbffd27af429784b7fcf514b

SHA256
c0948b2ec36a69f82c08935fac4b212238b6792694f009b93b4bdb478c4f26e3

SHA512
eef31e332be859cf2a64c928bf3b96442f36fe51f1a372c5628264a0d4b2fc7b3e670323c8fb5ffa72db995b8924da2555198e7de7b4f549d9e0f9e6dbb6b388

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\StartMenu.dll

Filesize
9KB

MD5
441ccad26668d5ee10f9ef7ef743a8d0

SHA1
1c9ba14c9036f4282e6e7dddce5e051192f9f26b

SHA256
1fc346e5f6803f41a763002ec4bb4667514091d3be6aae5257c168b0f882b986

SHA512
cd4519678512ba052dfc327681f09ad0e2390688e435698224a34cbcffb794b27b5d738d1c305f3f6f6e24afe7b0427592abe46e36e35817a3c3627fa5839fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\System.dll

Filesize
16KB

MD5
b898f639f43ab2dddb5a81f32ef4b72c

SHA1
92f62f92ca972cb7d387c2432ce8cd640855e427

SHA256
413fb6e2fe4d2b4074f4220c7c8cd299636aacdc04144442f828243b8fd81067

SHA512
70876761b8afcaa2747b840823b9c47bb0b65c60983bdde751ad53bd59c5a5b9076b3e3090baff8467568540a71c40540d7d206b9189964b92ea44fc8dd73360

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\UAC.dll

Filesize
13KB

MD5
09809c8d905a557be3b7ac0cd54cae22

SHA1
9a7b5f9bf4d35d6041620120735d3df6d588846b

SHA256
729f8f2a5c0720d3150e5551dd71aa41052f9747687449fbd047d57f1c65d213

SHA512
34baf2caba3082ed1e4103ce4aff2dfca98bfacaf5bab4ac4262e67918ac8f1ef408b7d1341bbe5f2488089474952bc5dc0ad3fe3ae6a872c9435b43450056f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\nsDialogs.dll

Filesize
11KB

MD5
50345d07b96ccfa6c590e4d7e506472d

SHA1
767ae563a88551e41e8888a93bb7a915a5572a67

SHA256
994885c79be0782d04e96f11509c29d2234fffeea8d467e7b60c0f44b039d145

SHA512
f88cf8f419893a040f3b17c116a50ae0f647880a2b9d0f71a8abf453e8ec2b6ac8f5a0904d0fdf813d27f6f406794737f4c1ab67be92518e7a0e0ba275eac2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\nsExec.dll

Filesize
9KB

MD5
67d1faa23afff8c9bc6588c82f65882d

SHA1
dfdc81ee4634050ad19e3f73ce2ad284576ed3ef

SHA256
4f96b30439f4934e27a867566e09bdb38aa90d4f8813849b6336c8de15b9a8bc

SHA512
008250c572284bb5f873797104ede27cfccfee36ab9b18bb50f8eaa744db011e45dac88248173302f118b0427f245092d8c6c4a8b32be15bde0d1cd0b3f52df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspACEA.tmp\silent_install.bat

Filesize
8KB

MD5
b6532ed08076d9600237fe480b2628b7

SHA1
cd06586dc8639a007571f7ceba72af1013b58f7f

SHA256
3aa634cc9dabb568cd2a812d7020b3d5bf51975aed5e9c8c8b632d2ae20c13fc

SHA512
fb0ac30a95d712112f6443d9d3dbb74bf64aa93ef907c1f635f08ffcdba1462a3f91228f1d0979138587651c1648e1e9eef222b153bd3ed0ca53aec17fa4cb6e

Download Submit
memory/4148-34-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download
memory/4148-1132-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4148-1143-0x000000006A940000-0x000000006A94B000-memory.dmp

Filesize
44KB

Download
memory/4148-1142-0x0000000063140000-0x000000006314B000-memory.dmp

Filesize
44KB

Download
memory/4148-1138-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download
memory/4148-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4148-35-0x0000000063140000-0x000000006314B000-memory.dmp

Filesize
44KB

Download
memory/4148-38-0x0000000063140000-0x000000006314B000-memory.dmp

Filesize
44KB

Download
memory/4148-37-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download
memory/4148-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4148-3083-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4148-3285-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/4148-3286-0x0000000064540000-0x000000006454A000-memory.dmp

Filesize
40KB

Download