hxxps://eve2dworld[.]netlify[.]app/

Resubmissions

05/02/2023, 09:44

230205-lqytcsha79 7

05/02/2023, 09:41

230205-lnqpzaha74 7

Analysis

max time kernel
100s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2023, 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://eve2dworld.netlify.app/

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	eve-setup.exe

Loads dropped DLL 2 IoCs

pid	Process
4568	eve-setup.exe
4568	eve-setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eve-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	eve-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	eve-setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	eve-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	eve-setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	eve-setup.exe

Enumerates processes with tasklist 1 TTPs 17 IoCs

Process Discovery

T1057

pid	Process
6164	tasklist.exe
6648	tasklist.exe
6792	tasklist.exe
5372	tasklist.exe
4884	tasklist.exe
1392	tasklist.exe
5644	tasklist.exe
6108	tasklist.exe
3264	tasklist.exe
2248	tasklist.exe
6948	tasklist.exe
6124	tasklist.exe
5412	tasklist.exe
5364	tasklist.exe
5832	tasklist.exe
3480	tasklist.exe
5596	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2460	NETSTAT.EXE
4400	NETSTAT.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = e8baa059b9aed801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0d652fc4e39d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{DC4C4F67-D27A-4B65-9279-5874D1ED748B}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31013198"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4167577540"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc1cb26e42627543897680db7b556420000000000200000000001066000000010000200000003c956552ff117bd0846a9cbaa0e23bbc7c4d9f2b20d9ceebd28e6a24c06a60a8000000000e80000000020000200000008dbfe36fe82a9e9bfea11bd9f16e5d28aeb1ef679f90479fbf30f29a74c5aa65200000002ce2f499cbf8487c7086dc0321a4f58e3a252a669f13f37e672f30a998fc4af440000000d6f46bca94c3403598795cd1c5d3989b323c333fbee73228a1c222265c008cc89129e88267fa01621730bb71768a17ea7d5a5c8a169a0709f85c99504bedc7ec	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2214D7DE-A542-11ED-B696-CA2A13AD51D0} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20093bfc4e39d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc1cb26e42627543897680db7b5564200000000002000000000010660000000100002000000087c86255894b17b740693f05847e4352ab11dbd97cc01f91c1b92bccde09d7af000000000e80000000020000200000004ad3201992caebb7b6987c3b83da65ac3bddd2292cd017445514f1bb2a8684bb20000000718b5505f71ed7dd3012571807f9a5d6fe5f94e10987f39ea981bb1a6550762940000000c53bb6784751e9395cededffd6aa1c7f853ee3f3060d8810634c39f2cad632984a7ac0a14a7f12128bd8b57bcef2c8db06322e57c4a696f3e211c1aa8388b210	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4146327444"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31013198"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31013198"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4146327444"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
224	ping.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2584	powershell.exe
2584	powershell.exe
2584	powershell.exe
4568	eve-setup.exe
4568	eve-setup.exe
4568	eve-setup.exe
4568	eve-setup.exe
4568	eve-setup.exe
2708	powershell.exe
2708	powershell.exe
2708	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	4884	tasklist.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2476	iexplore.exe
2476	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2476	iexplore.exe
2476	iexplore.exe
4204	IEXPLORE.EXE
4204	IEXPLORE.EXE
4204	IEXPLORE.EXE
4204	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 4204	2476	iexplore.exe	80
PID 2476 wrote to memory of 4204	2476	iexplore.exe	80
PID 2476 wrote to memory of 4204	2476	iexplore.exe	80
PID 4568 wrote to memory of 3264	4568	eve-setup.exe	95
PID 4568 wrote to memory of 3264	4568	eve-setup.exe	95
PID 3264 wrote to memory of 2584	3264	cmd.exe	96
PID 3264 wrote to memory of 2584	3264	cmd.exe	96
PID 2584 wrote to memory of 440	2584	powershell.exe	97
PID 2584 wrote to memory of 440	2584	powershell.exe	97
PID 440 wrote to memory of 524	440	csc.exe	98
PID 440 wrote to memory of 524	440	csc.exe	98
PID 4568 wrote to memory of 1572	4568	eve-setup.exe	99
PID 4568 wrote to memory of 1572	4568	eve-setup.exe	99
PID 1572 wrote to memory of 4948	1572	cmd.exe	101
PID 1572 wrote to memory of 4948	1572	cmd.exe	101
PID 4568 wrote to memory of 4332	4568	eve-setup.exe	102
PID 4568 wrote to memory of 4332	4568	eve-setup.exe	102
PID 4332 wrote to memory of 4884	4332	cmd.exe	103
PID 4332 wrote to memory of 4884	4332	cmd.exe	103
PID 4568 wrote to memory of 4016	4568	eve-setup.exe	104
PID 4568 wrote to memory of 4016	4568	eve-setup.exe	104
PID 4016 wrote to memory of 2708	4016	cmd.exe	105
PID 4016 wrote to memory of 2708	4016	cmd.exe	105
PID 4568 wrote to memory of 3224	4568	eve-setup.exe	106
PID 4568 wrote to memory of 3224	4568	eve-setup.exe	106
PID 3224 wrote to memory of 4400	3224	cmd.exe	108
PID 3224 wrote to memory of 4400	3224	cmd.exe	108
PID 4400 wrote to memory of 4480	4400	NETSTAT.EXE	109
PID 4400 wrote to memory of 4480	4400	NETSTAT.EXE	109
PID 4480 wrote to memory of 3180	4480	cmd.exe	110
PID 4480 wrote to memory of 3180	4480	cmd.exe	110

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://eve2dworld.netlify.app/
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2476 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2356

C:\Users\Admin\Downloads\EveInstaller\eve-setup.exe
"C:\Users\Admin\Downloads\EveInstaller\eve-setup.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA=="
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dcglvct2\dcglvct2.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:440
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5515.tmp" "c:\Users\Admin\AppData\Local\Temp\dcglvct2\CSC2CF345A4E74F43EA9C1DBEF310617DB7.TMP"
        5⤵
        
        PID:524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\system32\NETSTAT.EXE
    netstat -r
    3⤵
    - Gathers network information
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4480
    - - C:\Windows\system32\ROUTE.EXE
        
        C:\Windows\system32\route.exe print
        5⤵
        
        PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netstat -nao"
  2⤵
  PID:3196
- - C:\Windows\system32\NETSTAT.EXE
    netstat -nao
    3⤵
    - Gathers network information
    PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:1676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:5076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:2092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:4300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:1392
- C:\Windows\system32\ping.exe
  ping 8.8.8.8 -n 1
  2⤵
  - Runs ping.exe
  PID:224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:3620
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show networks mode=Bssid
    3⤵
    PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5480
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:3428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6096
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5212
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:6268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:6640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:6948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:7084
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:7076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:372
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:5372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:5144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:4576

C:\Users\Admin\Downloads\EveInstaller\eve-setup.exe
"C:\Users\Admin\Downloads\EveInstaller\eve-setup.exe"
1⤵
PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA=="
  2⤵
  PID:3324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -NoLogo -NonInteractive -NoProfile -ExecutionPolicy Bypass -Encoded WwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACgAJwB7ACIAUwBjAHIAaQBwAHQAIgA6ACIAUQBXAFIAawBMAFYAUgA1AGMARwBVAGcATABVADUAaABiAFcAVQBnAFYAMgBsAHUAWgBHADkAMwBJAEMAMQBPAFkAVwAxAGwAYwAzAEIAaABZADIAVQBnAFEAMgA5AHUAYwAyADkAcwBaAFMAQQB0AFQAVwBWAHQAWQBtAFYAeQBSAEcAVgBtAGEAVwA1AHAAZABHAGwAdgBiAGkAQQBuAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkARgB0AEUAYgBHAHgASgBiAFgAQgB2AGMAbgBRAG8ASQBrAHQAbABjAG0ANQBsAGIARABNAHkATABtAFIAcwBiAEMASQBwAFgAUQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAHcAZABXAEoAcwBhAFcATQBnAGMAMwBSAGgAZABHAGwAagBJAEcAVgA0AGQARwBWAHkAYgBpAEIASgBiAG4AUgBRAGQASABJAGcAUgAyAFYAMABRADIAOQB1AGMAMgA5AHMAWgBWAGQAcABiAG0AUgB2AGQAeQBnAHAATwB3ADAASwBJAEMAQQBnAEkAQQAwAEsASQBDAEEAZwBJAEMAQQBnAEkAQwBCAGIAUgBHAHgAcwBTAFcAMQB3AGIAMwBKADAASwBDAEoAMQBjADIAVgB5AE0AegBJAHUAWgBHAHgAcwBJAGkAbABkAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkASABCADEAWQBtAHgAcABZAHkAQgB6AGQARwBGADAAYQBXAE0AZwBaAFgAaAAwAFoAWABKAHUASQBHAEoAdgBiADIAdwBnAFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBoAEoAYgBuAFIAUQBkAEgASQBnAGEARgBkAHUAWgBDAHcAZwBTAFcANQAwAE0AegBJAGcAYgBrAE4AdABaAEYATgBvAGIAMwBjAHAATwB3ADAASwBJAEMAQQBnAEkAQwBBAGcASQBDAEEAbgBEAFEAbwBnAEkAQwBBAGcARABRAG8AZwBJAEMAQQBnAEkAQwBBAGcASQBDAFIAagBiADIANQB6AGIAMgB4AGwAVQBIAFIAeQBJAEQAMABnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFIAMgBWADAAUQAyADkAdQBjADIAOQBzAFoAVgBkAHAAYgBtAFIAdgBkAHkAZwBwAEQAUQBvAGcASQBDAEEAZwBJAEMAQQBnAEkAQwBNAHcASQBHAGgAcABaAEcAVQBOAEMAaQBBAGcASQBDAEEAZwBJAEMAQQBnAFcAMABOAHYAYgBuAE4AdgBiAEcAVQB1AFYAMgBsAHUAWgBHADkAMwBYAFQAbwA2AFUAMgBoAHYAZAAxAGQAcABiAG0AUgB2AGQAeQBnAGsAWQAyADkAdQBjADIAOQBzAFoAVgBCADAAYwBpAHcAZwBNAEMAawBOAEMAZwA9AD0AIgB9ACcAIAB8ACAAQwBvAG4AdgBlAHIAdABGAHIAbwBtAC0ASgBzAG8AbgApAC4AUwBjAHIAaQBwAHQAKQApACAAfAAgAGkAZQB4AA==
    3⤵
    PID:4836
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\is2prf5k\is2prf5k.cmdline"
      4⤵
      PID:6536
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC023.tmp" "c:\Users\Admin\AppData\Local\Temp\is2prf5k\CSCA7AA3014AA6F4145B01658937F22A4B.TMP"
        5⤵
        
        PID:6628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  PID:6212
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:5168

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3264

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:6612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:6940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:7108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:5156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
8a7207e4856d7203b09f88754603c2a0

SHA1
05fc6b1d3b6f392d5b4d5c30bf4625ecb9a6167a

SHA256
11233063afbe9a4dd8dd99bc27cc126ffb19a5db3f50f4834127c40900e5b6f0

SHA512
095f97025cc8567dd07c91862906e9e0bfe3aafd99cd7f45f3e1dbd326ee3f2f5156406e3cd8b281900ce51a7bbee151c0a8b380310a9542a82eb24a25fc40c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
1b9329badd16eca0b5b9e264baa90fab

SHA1
6489b9786c585898165a141c49e6502fc3963697

SHA256
7e2e338f05004997417235e7ed4617f95f54984efd1c1d1b1b4604874f65f264

SHA512
bcbbb5ca2178a6d9e7ee6cd641ba28f7609008c5ad9e2014aba4187a5ac74548f69471e2b727e452f4fc93085934d83ab54a08af1e6e5d29c4d1adc761997e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
eb84cf3992100584ad60675ff8fc1867

SHA1
ebae74210a6d72320fd424f4da9328967f6ded48

SHA256
27983f75d9518ed67a5a274c97cbecbf881d4e5d766e6019f53eed0ea7fa5486

SHA512
8722b9df8114f19f64cf7ba266991fe7a3056183006ebedbdfa9fb4d49398e5626093006648cb5685b3f84bd44f3fd0d9c8a487e9d1fc4fe6d55dd000b2ce55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\dqptnfu\imagestore.dat

Filesize
60KB

MD5
ee846c9748385f67c2158cbdabe1e5d0

SHA1
854efff58f3c9e2ef3559d46b9e316a70748962a

SHA256
f847473fef762037bfce04c0fae930e3ef3caafe0d6307a6054023db6333a640

SHA512
c5507293cd655b0b7c86976135b1fc9b7022beec1afa6b86edf6d9b0f730bcb38466b86c85367b0a512691402f569d81f731cfc87d012317aa607b5283c8c47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
712dac37d4ef92bc462564120619591b

SHA1
1cadf2d6826eb4119a9ce9667987e2a4e21d88eb

SHA256
986f6a7d2ad142c3a596143e2a31acb9dc9bd523969b5693eb6df09b5fbc0c2a

SHA512
0f35ccf15b328d60ee5177b6988261180f7d0156a174a700a8f2a527d80f7c39fb0fa75289bef8e4ff8372b917c1d3bdca546a119608c5b7b532be5b88b377e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
28c65370f12e84b734af87ad491ea257

SHA1
402d3a8203115f1365d48fa72daf0a56e14d8a08

SHA256
4ea873fb3d77a2f8eefae82c943f621f16723516e181bde133568f8f0c91290c

SHA512
56eb34162b0a39da4aaf66aad35ef355a7709982b5060792e3b4849c36650725176e927815537ec58e7ddf0fb1763066b203d6b7f9d1b3dd2c8bc091c0c850cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8c4d318261f7d823af5fb1da5441eacd

SHA1
01a5bb7d1eea93f964a8764fabb875f7af6c5397

SHA256
41b212c0539dbb9f3f6bff7574096a7fc76561900488a7a65835d730b1c9c481

SHA512
30b458a65536c869bff055eb10c83420717698794db29c237ef6ff3a53104a707621f450469ba5d7494945c3ee45ed8c1a1ee2be313b4a17801068439fabb39f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d9fbd004c6ef009dc296538cdd0062a6

SHA1
b805fe342d545a92c2a92f9f0867a104fd78c275

SHA256
053ce5ffa45ec806bddb8865aabbf20315a598cb53022eeeab1e7ffc53b5c6ac

SHA512
78457addba78fb3c99015a776fd715fec2e4e4e3fe6df8b534490d40af3666536b3eb0cf59768f6ea70e3e5a511edaf6c8a8cc295f6f59c1b7ee0917700c3cf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5515.tmp

Filesize
1KB

MD5
58c44a3b24afbf867e1798e23c7b9b3e

SHA1
76956e1fab1403950f5489b2db256bd6a598c4fd

SHA256
97ee47ceb43dc05dad49c3ea53f8082f8662f2b1660e5fbb04c40246ec474928

SHA512
ae01b22d1e86767cb70dac7de13d6a4c85f780232a5f733300716f64ca916ae2191d2506e828e92774e5cc9ff3ef7009b63088e7e27b63e0790ee5d517301094

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC023.tmp

Filesize
1KB

MD5
0dfad984379f45863b4f12eaab760279

SHA1
f40ff2d71dbd293d48b5f0a2104ea3013da5a84d

SHA256
fbf76e1f41a8fd0b4b859ac729923e67f4c489259fe2d774c59892301f5a4919

SHA512
1e16e944da123d9a706ff249f10ac9fbd1b215cdb7e69d642e67c3aea9fbf90e041239974add2e86484e867a00764d5e7869a6de089a9bf044faaa7cfc83ab82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcglvct2\dcglvct2.dll

Filesize
3KB

MD5
72dd1be94ea21ba38c515bc50700846f

SHA1
e4594452020ed4400a5da78ef94a7478fc9d3031

SHA256
d6ea18a23c860754166537398df1f6fe30eb44f14bb2c309afb2edd5da904353

SHA512
f762a04a1f7c54f3d3ea9643a1d6f1651e7920d4f748ddc1b7c8bfc185ca3168cc75ef99307e91c58caebdafc58ac716b8af72659c4b708c6d4a35db43e7848b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is2prf5k\is2prf5k.dll

Filesize
3KB

MD5
185aeed4e9c3cf07df167f03a3760261

SHA1
b6707dec69c18fa4f3d77cf6d027272ceb77adce

SHA256
f277ac3795260b6e86afb37817488b50fe72089470658ac6df23697dae0ba2b4

SHA512
584992e2750e7f2714d18e6ee9f33f08b6c6720b64c52b53ae48a75bab7df5072ea9e644b23387591fa4da8003db366b1972393d7916e46fe6b1e0b6c331d16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

Filesize
1.6MB

MD5
d5d477af6910a4856d5457b8e667f84b

SHA1
80e99d5b15c1c65ffa7e44c52c14056691ee3295

SHA256
152ddddf0ebc8fd9fdd0143778b6765e49678532a2b1e33e66adc235fa88b7a7

SHA512
435bc0f5b6af33549e59b5c50c43bd62ef5faf6acad85ad9d79f5ee80c82fed86f45391f20a35c0114d92aa80cc8c68aef0420501f4d5f5e2eed701c830013f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\17a825d14ebf7eb194f09560409f33edefe070b6541c3956757bf40f34a2cfee\win-dpapi\build\Release\node-dpapi.node

Filesize
141KB

MD5
02e10f350621adf12dd93fbce26329e0

SHA1
2a7955f864aa9fa38ddae17049e20bc09dea1dd8

SHA256
17a825d14ebf7eb194f09560409f33edefe070b6541c3956757bf40f34a2cfee

SHA512
2eb9f55f78a2e5f73a06c62fd2e0288a2634d819df10c7007fe879c6ebaf99d63d644620df7b147b089e238ac9da11281691ff93e6a5b94c863b5a58c7db55ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\17a825d14ebf7eb194f09560409f33edefe070b6541c3956757bf40f34a2cfee\win-dpapi\build\Release\node-dpapi.pdb

Filesize
768KB

MD5
553c465ed047da80bd27f58dea68ce3b

SHA1
4e65a1d43c4f29d10f996fb537de99fe50ff9b9c

SHA256
a8b37c583dec7897a07fc9c51be6615dfba31bf90cf2a02425723f870d3f30c4

SHA512
c5757b0e4e304195f79683e75b8edf556bec059e1d3ed802075022cc31c8ffec28130ba77a6bef42ce9c2aee25a3e3767b65a3a44f14faefbfd8acdbb59cfe8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\17a825d14ebf7eb194f09560409f33edefe070b6541c3956757bf40f34a2cfee\win-dpapi\build\Release\obj\node-dpapi\src\node-dpapi.obj

Filesize
448KB

MD5
6d95420c252fc58750f38f8a1687110f

SHA1
00031c7c70e3dc28f192e4c38bc82657fb8ecb7c

SHA256
77cedbd292ed0887a30bb716fc7e14de8277ab44e537551d218794566655107c

SHA512
6e1e76edbca43fd1c639422c0eade04fe03015f6a6f8a50d64096b4789df0bf1b83e47367f44919c749d0833c38fb8b85906cfa770b3b60650c21d2340183fb8

Download Submit
C:\Users\Admin\Downloads\EveInstaller.zip.nl7o1o9.partial

Filesize
33.1MB

MD5
feb9225020a3f67352bb2981b527a444

SHA1
28926928b7f6512bef1afc316e0ea68c25fbccf4

SHA256
08e667a9d7dd883ec094b9874fb8836393baac683c85cb3d065df6d095472f5a

SHA512
e6e5602a704f72caaad3b5958252cc056ad9072fc823a45da90b4d4a73f41ecd9346f5c6e96976e9d014be01eae5f4ca0f4f5b1cfcd52e145df0b88de55c2bee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcglvct2\CSC2CF345A4E74F43EA9C1DBEF310617DB7.TMP

Filesize
652B

MD5
841f9faedec9d1710d180a8657b9f489

SHA1
7d3b8092cde1f688f2e7c045c89af30709968895

SHA256
5f376863520d2b4b1ac983a644958b1effad9024d03fb505d1978dfd9c269099

SHA512
77683404f66962660ec9357235bf45bf9725a437d273835d0cd6a474ba374804ebdc0ff2cb4c8f7f596ba0c7d7d712b3f62fe7c998a9d3a8f54f10e624161945

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcglvct2\dcglvct2.0.cs

Filesize
342B

MD5
fb818b5af427cdf4bd5e9e48265dbd9b

SHA1
4494f9fe806d3d0ec6601ab8a6bdb5ff9b37a4ed

SHA256
6914d7afe54b19a22b8dad75c0781e9dc7321bbf43d3fd8fb00179d2d6a7f3f2

SHA512
843c02c18c777ae614a49d27722c495472c2b3ed4d45dc26bbb03d009a189e7241440a77107a7f17f26d03a8771c74efb49af9c98ce83020535c9027abb64cd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dcglvct2\dcglvct2.cmdline

Filesize
369B

MD5
8e67c4b93a868141b5f6b2f81ea12390

SHA1
58f4a12b847fe8d5112dbd203e26bfaee6740f93

SHA256
7879808a2d6e34d102c082645cfd7ac41129a284157adcafa5593a25ef76ec94

SHA512
2982761ddfbfe183f8c0a1a46f3f44350a965c105c40cfbe2155f2efee3f542466bd8f41b0e35cb263355e4614a978f345afb28ec58ab305449309ca1ac7ce14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\is2prf5k\CSCA7AA3014AA6F4145B01658937F22A4B.TMP

Filesize
652B

MD5
259e0a9ada0730297c385dc302bbacb4

SHA1
dd87867dcf22e1f4001580af4d26e5066c7ea35a

SHA256
34cb87f6b8d7cc09b969b81e103a0e5312d7fed1bd84bfee51e2c38953abcdd1

SHA512
c4416b38ef78d25b91f29fec4c756ad240390ffaff071a8e053af93a112f54b9a734f163da47cb20b6570c9caf064740c77f4d2bafcd4c39ad795a0cc01141dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\is2prf5k\is2prf5k.0.cs

Filesize
342B

MD5
fb818b5af427cdf4bd5e9e48265dbd9b

SHA1
4494f9fe806d3d0ec6601ab8a6bdb5ff9b37a4ed

SHA256
6914d7afe54b19a22b8dad75c0781e9dc7321bbf43d3fd8fb00179d2d6a7f3f2

SHA512
843c02c18c777ae614a49d27722c495472c2b3ed4d45dc26bbb03d009a189e7241440a77107a7f17f26d03a8771c74efb49af9c98ce83020535c9027abb64cd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\is2prf5k\is2prf5k.cmdline

Filesize
369B

MD5
5b74553dcc8ebfa5ee5529c08e72ba81

SHA1
ec2ac2a18f3c8a8fcff7ccfbc8157f699ec6b2f4

SHA256
75ea60be39f1aa2453a8c2a17dfc34a035f9fe9aac6aa0405d953d7acde49457

SHA512
f280ea6bf113c2b85f462fb005c2ee344f6469c64108cd7c0eef1d8f6a3e6dec82a06d9750740f12e6ab479e1c84039387a878f2fadb2331ce7fbda35385ef3a

Download Submit
memory/744-251-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/744-241-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1420-243-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1420-226-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1588-199-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1588-248-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1588-207-0x00000190FF5C0000-0x00000190FF636000-memory.dmp

Filesize
472KB

Download
memory/1596-206-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1676-182-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/1676-278-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2092-186-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2092-267-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2240-242-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2240-260-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2584-141-0x00007FFB90180000-0x00007FFB90C41000-memory.dmp

Filesize
10.8MB

Download
memory/2584-149-0x00007FFB90180000-0x00007FFB90C41000-memory.dmp

Filesize
10.8MB

Download
memory/2584-140-0x000001E3A8320000-0x000001E3A8848000-memory.dmp

Filesize
5.2MB

Download
memory/2584-139-0x000001E3A7C20000-0x000001E3A7DE2000-memory.dmp

Filesize
1.8MB

Download
memory/2584-138-0x000001E3A66C0000-0x000001E3A66E2000-memory.dmp

Filesize
136KB

Download
memory/2708-172-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2916-271-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2916-184-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2992-244-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/2992-252-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/3484-193-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/3484-205-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/3620-263-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/3620-189-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4300-188-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4300-276-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4392-202-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4392-268-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-247-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4656-237-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4836-264-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/4836-246-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5076-274-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5076-179-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5076-197-0x000001FA77A70000-0x000001FA77AB4000-memory.dmp

Filesize
272KB

Download
memory/5312-215-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5312-209-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5620-224-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5620-216-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5860-218-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/5860-240-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6268-272-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6268-255-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6612-269-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6612-279-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6640-280-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6640-266-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6940-284-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/6940-265-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/7108-281-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download
memory/7108-315-0x00007FFB901A0000-0x00007FFB90C61000-memory.dmp

Filesize
10.8MB

Download