54189c71781c412ef7103f17df89a1bbf6e1b608b4f16479374191e3262d32ed

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zapret-win-bundle-master/blockcheck/blockcheck.cmd
Size

194B
MD5

5763cb58e6d9b26d626dc860edf2d964
SHA1

e7a90688360deae0e0f44c2541b0aa392f622766
SHA256

5a2de13b097b1ee482f02052c72c5ed29d1541e139464a98697388f4e90cd998
SHA512

339ef0a577f6f6529d36aead691afe9eede48789908cbf30036f516842d3a100599bb3992c66663b085601e5ef8a4b0179644ba7571e23936ba9f5055d308299

Score

5^/10

discovery

Malware Config

Signatures

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
940	tasklist.exe
5080	tasklist.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

ping.exe

pid	Process
448	ping.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

ping.exe

pid	Process
448	ping.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

grep.exegrep.exegrep.exegrep.exegrep.exegrep.exegrep.exe

pid	Process
1936	grep.exe
1936	grep.exe
1936	grep.exe
1936	grep.exe
2272	grep.exe
2272	grep.exe
2272	grep.exe
2272	grep.exe
2136	grep.exe
2136	grep.exe
2136	grep.exe
2136	grep.exe
2680	grep.exe
2680	grep.exe
2680	grep.exe
2680	grep.exe
3680	grep.exe
3680	grep.exe
3680	grep.exe
3680	grep.exe
2392	grep.exe
2392	grep.exe
2392	grep.exe
2392	grep.exe
2940	grep.exe
2940	grep.exe
2940	grep.exe
2940	grep.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cygpath.exebash.exebash.execygpath.exebash.execygpath.exebash.exedirname.exebash.exebash.exebash.exesh.exetee.exesh.exedirname.exe

description	pid	Process
Token: SeRestorePrivilege	5068	cygpath.exe
Token: SeBackupPrivilege	5068	cygpath.exe
Token: SeDebugPrivilege	5068	cygpath.exe
Token: SeRestorePrivilege	1436	bash.exe
Token: SeBackupPrivilege	1436	bash.exe
Token: SeDebugPrivilege	1436	bash.exe
Token: SeRestorePrivilege	3888	bash.exe
Token: SeBackupPrivilege	3888	bash.exe
Token: SeDebugPrivilege	3888	bash.exe
Token: SeRestorePrivilege	3888	bash.exe
Token: SeBackupPrivilege	3888	bash.exe
Token: SeDebugPrivilege	3888	bash.exe
Token: SeRestorePrivilege	3892	cygpath.exe
Token: SeBackupPrivilege	3892	cygpath.exe
Token: SeDebugPrivilege	3892	cygpath.exe
Token: SeRestorePrivilege	4876	bash.exe
Token: SeBackupPrivilege	4876	bash.exe
Token: SeDebugPrivilege	4876	bash.exe
Token: SeRestorePrivilege	4876	bash.exe
Token: SeBackupPrivilege	4876	bash.exe
Token: SeDebugPrivilege	4876	bash.exe
Token: SeRestorePrivilege	2128	cygpath.exe
Token: SeBackupPrivilege	2128	cygpath.exe
Token: SeDebugPrivilege	2128	cygpath.exe
Token: SeRestorePrivilege	3120	bash.exe
Token: SeBackupPrivilege	3120	bash.exe
Token: SeDebugPrivilege	3120	bash.exe
Token: SeRestorePrivilege	3120	bash.exe
Token: SeBackupPrivilege	3120	bash.exe
Token: SeDebugPrivilege	3120	bash.exe
Token: SeRestorePrivilege	4436	dirname.exe
Token: SeBackupPrivilege	4436	dirname.exe
Token: SeDebugPrivilege	4436	dirname.exe
Token: SeRestorePrivilege	2356	bash.exe
Token: SeBackupPrivilege	2356	bash.exe
Token: SeDebugPrivilege	2356	bash.exe
Token: SeRestorePrivilege	2356	bash.exe
Token: SeBackupPrivilege	2356	bash.exe
Token: SeDebugPrivilege	2356	bash.exe
Token: SeRestorePrivilege	1512	bash.exe
Token: SeBackupPrivilege	1512	bash.exe
Token: SeDebugPrivilege	1512	bash.exe
Token: SeRestorePrivilege	1512	bash.exe
Token: SeBackupPrivilege	1512	bash.exe
Token: SeDebugPrivilege	1512	bash.exe
Token: SeRestorePrivilege	3168	bash.exe
Token: SeBackupPrivilege	3168	bash.exe
Token: SeDebugPrivilege	3168	bash.exe
Token: SeRestorePrivilege	3168	bash.exe
Token: SeBackupPrivilege	3168	bash.exe
Token: SeDebugPrivilege	3168	bash.exe
Token: SeRestorePrivilege	3988	sh.exe
Token: SeBackupPrivilege	3988	sh.exe
Token: SeDebugPrivilege	3988	sh.exe
Token: SeRestorePrivilege	2012	tee.exe
Token: SeBackupPrivilege	2012	tee.exe
Token: SeDebugPrivilege	2012	tee.exe
Token: SeRestorePrivilege	3080	sh.exe
Token: SeBackupPrivilege	3080	sh.exe
Token: SeDebugPrivilege	3080	sh.exe
Token: SeRestorePrivilege	3080	sh.exe
Token: SeBackupPrivilege	3080	sh.exe
Token: SeDebugPrivilege	3080	sh.exe
Token: SeRestorePrivilege	4544	dirname.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exeelevator.exebash.exebash.exebash.exebash.exe

description	pid	Process	procid_target
PID 1144 wrote to memory of 4912	1144	cmd.exe	84
PID 1144 wrote to memory of 4912	1144	cmd.exe	84
PID 4912 wrote to memory of 5068	4912	cmd.exe	85
PID 4912 wrote to memory of 5068	4912	cmd.exe	85
PID 1144 wrote to memory of 1780	1144	cmd.exe	86
PID 1144 wrote to memory of 1780	1144	cmd.exe	86
PID 1780 wrote to memory of 1436	1780	elevator.exe	87
PID 1780 wrote to memory of 1436	1780	elevator.exe	87
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 1436 wrote to memory of 3888	1436	bash.exe	90
PID 3888 wrote to memory of 3892	3888	bash.exe	91
PID 3888 wrote to memory of 3892	3888	bash.exe	91
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 1436 wrote to memory of 4876	1436	bash.exe	92
PID 4876 wrote to memory of 2128	4876	bash.exe	93
PID 4876 wrote to memory of 2128	4876	bash.exe	93
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 1436 wrote to memory of 3120	1436	bash.exe	94
PID 3120 wrote to memory of 4436	3120	bash.exe	95
PID 3120 wrote to memory of 4436	3120	bash.exe	95
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 2356	1436	bash.exe	96
PID 1436 wrote to memory of 1512	1436	bash.exe	97
PID 1436 wrote to memory of 1512	1436	bash.exe	97
PID 1436 wrote to memory of 1512	1436	bash.exe	97
PID 1436 wrote to memory of 1512	1436	bash.exe	97
PID 1436 wrote to memory of 1512	1436	bash.exe	97
PID 1436 wrote to memory of 1512	1436	bash.exe	97

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\blockcheck.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ..\cygwin\bin\cygpath -C OEM -a -m zapret\blog.sh
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cygpath.exe
    ..\cygwin\bin\cygpath -C OEM -a -m zapret\blog.sh
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5068
- C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\tools\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\..\tools\elevator" ..\cygwin\bin\bash -i "'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
    "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
      "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3888
    - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cygpath.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cygpath.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
      "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cygpath.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cygpath.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
  - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
      "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\dirname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\dirname.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
      "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
      "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\dirname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\dirname.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1916
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sleep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sleep.exe"
        7⤵
        
        PID:4780
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1660
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\uname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\uname.exe"
        7⤵
        
        PID:728
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3604
        
        C:\Windows\system32\tasklist.exe
        
        C:\Windows\system32\tasklist.exe /NH /FI "IMAGENAME eq winws.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:940
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2136
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3976
        
        C:\Windows\system32\tasklist.exe
        
        C:\Windows\system32\tasklist.exe /NH /FI "IMAGENAME eq goodbyedpi.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:5080
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4540
        
        C:\Windows\system32\nslookup.exe
        
        C:\Windows\system32\nslookup.exe iana.org
        7⤵
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2720
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2716
        
        C:\Windows\system32\ping.exe
        
        C:\Windows\system32\ping.exe -4 -n 1 -w 1000 8.8.8.8
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4820
        
        C:\Windows\system32\nslookup.exe
        
        C:\Windows\system32\nslookup.exe iana.org 8.8.8.8
        7⤵
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe --family=4
        7⤵
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tr.exe"
        7⤵
        
        PID:1312
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:1812
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:2100
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:3716
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:4960
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3044
        
        C:\Windows\system32\nslookup.exe
        
        C:\Windows\system32\nslookup.exe pornhub.com 8.8.8.8
        7⤵
        
        PID:1292
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sed.exe"
        7⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3680
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe"
        7⤵
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3088
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe --family=4
        7⤵
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tr.exe"
        7⤵
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:4532
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:516
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:3080
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:1192
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:1720
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:716
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4204
        
        C:\Windows\system32\nslookup.exe
        
        C:\Windows\system32\nslookup.exe ntc.party 8.8.8.8
        7⤵
        
        PID:1580
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sed.exe"
        7⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2392
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe"
        7⤵
        
        PID:1036
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3044
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe --family=4
        7⤵
        
        PID:868
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tr.exe"
        7⤵
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:2540
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:752
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\readlink.exe"
        7⤵
        
        PID:2976
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4988
        
        C:\Windows\system32\nslookup.exe
        
        C:\Windows\system32\nslookup.exe rutracker.org 8.8.8.8
        7⤵
        
        PID:1188
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sed.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sed.exe"
        7⤵
        
        PID:2420
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\grep.exe"
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe"
        7⤵
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\cat.exe"
        7⤵
        
        PID:2780
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\rm.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\rm.exe"
        7⤵
        
        PID:4640
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe --family=4 --dns-make-query=iana.org
        7⤵
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\usr\local\bin\curl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\usr\local\bin\curl.exe"
        7⤵
        
        PID:1704
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\blockcheck\zapret\mdig\mdig.exe --dns-parse-query
        7⤵
        
        PID:1800
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        7⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\uname.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\uname.exe"
        8⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        7⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        7⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        8⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\gawk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\gawk.exe"
        9⤵
        
        PID:4796
      - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\sh.exe"
        6⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\usr\local\bin\curl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\usr\local\bin\curl.exe"
        7⤵
        
        PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe
      "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\bash.exe" -i 'C:/Users/Admin/AppData/Local/Temp/zapret-win-bundle-master/blockcheck/zapret/blog.sh'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\bin\tee.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\tmp\dig1.txt

Filesize
14B

MD5
33f60dd6ef06bce06340797778c148ae

SHA1
5a5c11a86f5ef0e603a15bc41ad146d583a60a63

SHA256
f9d879ff5b7a606aaff0e6d8f44007b10decd918495ecc688d885d9fe27774af

SHA512
5e3983736a186607fb6a672ce904f7a0184a596ee11bb14d7909f33954d4621e2ef184718a207da3426511ce595e93c392714319c89368a77db651eac6dfc69f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\tmp\dig1.txt

Filesize
14B

MD5
84233515f8c3dfb3d3c8104583d3d22a

SHA1
e9049ef4bac7a3bf8847d418784356e6d1b09f02

SHA256
b361db25fd46ea38eca0669ec2326b298a30fed89947303b96d734eb02e08343

SHA512
6174b8aa3a0c314eaee8b20a9483a0462c1f0b74d004f122be4ca52b171c59397713e1d2720947314c52d49f89f72088e60999ed8addd56252c3ab342def29b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\tmp\dig1.txt

Filesize
28B

MD5
2bca117c7ca80d5951636483b6fe1a6b

SHA1
53311b733b86d547c4cd2808c1506b7d1c2e2280

SHA256
a17d0f85df96c0dec8ca5934347045292cb2c3ff090fdb5e081f2a26b6a1d076

SHA512
035be0f5c36235019e182c8c8cd05b5fbabd6b85e8931b579dd0ce65ba6aba35992cf61a603caa738ac8e55fe681fb6504332f8fae7f9be5a2e04d503056a21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zapret-win-bundle-master\cygwin\tmp\digs.txt

Filesize
28B

MD5
34728dcc159b2b3157d88bda83f39f7e

SHA1
39c35b23a489137fac8022572581e5b8dba8aa9e

SHA256
42a50a19f3d726050777cb2f4d684b1c08774873348b035254d628d8a01c1be6

SHA512
f73a8677edbae31e12d991ced857c4968b9ec5ebffda46f0bd9a3e3fe6487971830104001660a8686148a8a0857bc3537893cff38219442daf45e94a68f5b6cc

Download Submit
memory/728-219-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/728-227-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1436-8-0x00000003FF430000-0x00000003FF48C000-memory.dmp

Filesize
368KB

Download
memory/1436-9-0x00000003FF140000-0x00000003FF187000-memory.dmp

Filesize
284KB

Download
memory/1436-10-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/1436-7-0x00000003FF640000-0x00000003FF663000-memory.dmp

Filesize
140KB

Download
memory/1436-6-0x00000003FF670000-0x00000003FF782000-memory.dmp

Filesize
1.1MB

Download
memory/1436-11-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/1436-5-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1436-110-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1512-98-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1512-124-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1660-161-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1660-388-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1660-256-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1684-217-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1684-210-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1704-239-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1780-4-0x00007FF7AA0C0000-0x00007FF7AA0CD000-memory.dmp

Filesize
52KB

Download
memory/1916-144-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1936-170-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/1936-181-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2012-111-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2012-218-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2128-49-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2128-50-0x0000000100400000-0x000000010040F000-memory.dmp

Filesize
60KB

Download
memory/2128-51-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2136-238-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2136-253-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2144-163-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2144-174-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2272-207-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2272-192-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2356-85-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/2356-91-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2356-82-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2368-151-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2680-266-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2680-282-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2724-187-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/2724-186-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3080-229-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3080-553-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3080-138-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3120-58-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3120-69-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3120-63-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/3120-66-0x00000003FF140000-0x00000003FF187000-memory.dmp

Filesize
284KB

Download
memory/3168-125-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3168-106-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3516-262-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3516-270-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3604-235-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3604-244-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3888-28-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3888-26-0x00000003FF430000-0x00000003FF48C000-memory.dmp

Filesize
368KB

Download
memory/3888-13-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/3888-25-0x00000003FF140000-0x00000003FF187000-memory.dmp

Filesize
284KB

Download
memory/3888-12-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/3888-24-0x00000003FF640000-0x00000003FF663000-memory.dmp

Filesize
140KB

Download
memory/3888-21-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/3888-18-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3888-23-0x00000003FF670000-0x00000003FF782000-memory.dmp

Filesize
1.1MB

Download
memory/3892-31-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3892-29-0x0000000100400000-0x000000010040F000-memory.dmp

Filesize
60KB

Download
memory/3892-27-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3976-276-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3976-255-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3988-216-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/3988-127-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4436-75-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4436-71-0x0000000100400000-0x0000000100412000-memory.dmp

Filesize
72KB

Download
memory/4436-70-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4436-73-0x00000003FF640000-0x00000003FF663000-memory.dmp

Filesize
140KB

Download
memory/4484-200-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4484-189-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4540-294-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4540-299-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4544-139-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4780-234-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4780-156-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4876-38-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/4876-42-0x0000000100400000-0x00000001004E3000-memory.dmp

Filesize
908KB

Download
memory/4876-48-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/5068-0-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/5068-3-0x00007FFBC5400000-0x00007FFBC5702000-memory.dmp

Filesize
3.0MB

Download
memory/5068-1-0x0000000100400000-0x000000010040F000-memory.dmp

Filesize
60KB

Download