c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a

Resubmissions

24-02-2022 10:10

220224-l7djracga3 10

Analysis

max time kernel
132s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
24-02-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
Size

7.6MB
MD5

33f612338b6b5e6b4fe8cbb17208795c
SHA1

66535700bbce7f90d2add7c504bc0e0523d4d71d
SHA256

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a
SHA512

7dfce042f5287858cf1d2942f6672084d01ad5677c7b47a1e9c2bcd4e0a2ea375ccd3a33676dc64dbe28edfe4fd19d25de5232c8fd23c0c7b24708c85b647fb2

Score

10^/10

ransomware spyware stealer

Malware Config

Extracted

Path

C:\re_ad_me.txt

Ransom Note

All of your files are currently encrypted by ZEON strain. As you know (if you don't - just "google it"), all of the data that has been encrypted by our software cannot be recovered by any means without contacting our team directly. If you try to use any additional recovery software - the files might be damaged, so if you are willing to try - try it on the data of the lowest value. To make sure that we REALLY CAN get your data back - we offer you to decrypt 2 random files completely free of charge. You can contact our team directly for further instructions through our website : TOR VERSION : (you should download and install TOR browser first https://torproject.org) http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/ YOU SHOULD BE AWARE! Just in case, if you try to ignore us. We've downloaded a pack of your internal data and are ready to publish it on out news website if you do not respond. So it will be better for both sides if you contact us as soon as possible. ---BEGIN ID--- FEVcmTbQIx9X2VMynNFOZ3czRBKjZat7ep8l9asewByCR7QOrnm1ktm7SRGCG3yh ---END ID---

URLs

http://zeonrefpbompx6rwdqa5hxgtp2cxgfmoymlli3azoanisze33pp3x3yd.onion/

Signatures

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ExportWrite.png.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\FormatNew.png.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\LimitPush.crw.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\PushCopy.png.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\RepairDeny.crw.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\SwitchSubmit.crw.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\BackupUnprotect.raw.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
File created	C:\Users\Admin\Pictures\EditDisable.crw.zeon	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

Loads dropped DLL 31 IoCs

Processes:

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

pid	process
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\pqBxGx.jpg"	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe

pid process

4064 c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1652 schtasks.exe
552 schtasks.exe
564 schtasks.exe

pid	process
1652	schtasks.exe
552	schtasks.exe
564	schtasks.exe

Kills process with taskkill 53 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2128	taskkill.exe
4396	taskkill.exe
5016	taskkill.exe
4024	taskkill.exe
908	taskkill.exe
3164	taskkill.exe
3476	taskkill.exe
2196	taskkill.exe
1564	taskkill.exe
4252	taskkill.exe
1088	taskkill.exe
2020	taskkill.exe
2272	taskkill.exe
4820	taskkill.exe
420	taskkill.exe
312	taskkill.exe
4164	taskkill.exe
1964	taskkill.exe
1424	taskkill.exe
4904	taskkill.exe
3996	taskkill.exe
1124	taskkill.exe
4608	taskkill.exe
4808	taskkill.exe
4324	taskkill.exe
1144	taskkill.exe
4892	taskkill.exe
4164	taskkill.exe
3844	taskkill.exe
1964	taskkill.exe
2944	taskkill.exe
4740	taskkill.exe
4916	taskkill.exe
624	taskkill.exe
2276	taskkill.exe
2268	taskkill.exe
4216	taskkill.exe
1224	taskkill.exe
1364	taskkill.exe
2644	taskkill.exe
1948	taskkill.exe
444	taskkill.exe
2348	taskkill.exe
4196	taskkill.exe
3400	taskkill.exe
4392	taskkill.exe
5024	taskkill.exe
4896	taskkill.exe
856	taskkill.exe
4040	taskkill.exe
4648	taskkill.exe
3080	taskkill.exe
1324	taskkill.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	1088	taskkill.exe
Token: SeDebugPrivilege	444	taskkill.exe
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	908	taskkill.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	3996	taskkill.exe
Token: SeDebugPrivilege	4648	taskkill.exe
Token: SeDebugPrivilege	4216	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	2268	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	3844	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	624	taskkill.exe
Token: SeDebugPrivilege	4608	taskkill.exe
Token: SeDebugPrivilege	4820	taskkill.exe
Token: SeDebugPrivilege	312	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	4252	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	1144	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	4196	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2644	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exec860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 3824 wrote to memory of 4064	3824	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
PID 3824 wrote to memory of 4064	3824	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
PID 3824 wrote to memory of 4064	3824	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
PID 4064 wrote to memory of 3368	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 3368	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 3368	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 3368 wrote to memory of 4888	3368	net.exe	net1.exe
PID 3368 wrote to memory of 4888	3368	net.exe	net1.exe
PID 3368 wrote to memory of 4888	3368	net.exe	net1.exe
PID 4064 wrote to memory of 3788	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 3788	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 3788	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 3788 wrote to memory of 4232	3788	net.exe	net1.exe
PID 3788 wrote to memory of 4232	3788	net.exe	net1.exe
PID 3788 wrote to memory of 4232	3788	net.exe	net1.exe
PID 4064 wrote to memory of 4224	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 4224	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 4224	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4224 wrote to memory of 1276	4224	net.exe	net1.exe
PID 4224 wrote to memory of 1276	4224	net.exe	net1.exe
PID 4224 wrote to memory of 1276	4224	net.exe	net1.exe
PID 4064 wrote to memory of 2128	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 2128	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 2128	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 3512	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 3512	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 3512	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 3512 wrote to memory of 1936	3512	net.exe	net1.exe
PID 3512 wrote to memory of 1936	3512	net.exe	net1.exe
PID 3512 wrote to memory of 1936	3512	net.exe	net1.exe
PID 4064 wrote to memory of 4988	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 4988	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 4988	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4988 wrote to memory of 2020	4988	net.exe	net1.exe
PID 4988 wrote to memory of 2020	4988	net.exe	net1.exe
PID 4988 wrote to memory of 2020	4988	net.exe	net1.exe
PID 4064 wrote to memory of 1484	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 1484	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 1484	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 1484 wrote to memory of 5016	1484	net.exe	net1.exe
PID 1484 wrote to memory of 5016	1484	net.exe	net1.exe
PID 1484 wrote to memory of 5016	1484	net.exe	net1.exe
PID 4064 wrote to memory of 4024	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 4024	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 4024	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 1308	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 1308	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 1308	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 1308 wrote to memory of 1072	1308	net.exe	net1.exe
PID 1308 wrote to memory of 1072	1308	net.exe	net1.exe
PID 1308 wrote to memory of 1072	1308	net.exe	net1.exe
PID 4064 wrote to memory of 1088	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 1088	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 1088	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	taskkill.exe
PID 4064 wrote to memory of 2140	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 2140	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 2140	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 2140 wrote to memory of 2280	2140	net.exe	net1.exe
PID 2140 wrote to memory of 2280	2140	net.exe	net1.exe
PID 2140 wrote to memory of 2280	2140	net.exe	net1.exe
PID 4064 wrote to memory of 1036	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 1036	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 4064 wrote to memory of 1036	4064	c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe	net.exe
PID 1036 wrote to memory of 548	1036	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
"C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe
  "C:\Users\Admin\AppData\Local\Temp\c860bf644bd5e3d6f4cae67848c4fc769184ae652fcb41cac670042b185d217a.exe"
  2⤵
  - Modifies extensions of user files
  - Loads dropped DLL
  - Sets desktop wallpaper using registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\net.exe
    net stop /y backup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y backup
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\net.exe
    net stop /y wbengine
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y wbengine
      4⤵
      PID:4232
- - C:\Windows\SysWOW64\net.exe
    net stop /y McShield
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y McShield
      4⤵
      PID:1276
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im steam.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2128
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfefire
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfefire
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\net.exe
    net stop /y EhttpSrv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EhttpSrv
      4⤵
      PID:2020
- - C:\Windows\SysWOW64\net.exe
    net stop /y KAVF
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y KAVF
      4⤵
      PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocautoupds.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4024
- - C:\Windows\SysWOW64\net.exe
    net stop /y VeeamNFSSvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y VeeamNFSSvc
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im backup.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\SysWOW64\net.exe
    net stop /y bedbg
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y bedbg
      4⤵
      PID:2280
- - C:\Windows\SysWOW64\net.exe
    net stop /y SmcService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SmcService
      4⤵
      PID:548
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im winword.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:444
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thunderbird.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4740
- - C:\Windows\SysWOW64\net.exe
    net stop /y Sophos
    3⤵
    PID:1516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Sophos
      4⤵
      PID:4972
- - C:\Windows\SysWOW64\net.exe
    net stop /y CCSF
    3⤵
    PID:2104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y CCSF
      4⤵
      PID:3060
- - C:\Windows\SysWOW64\net.exe
    net stop /y tmlisten
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y tmlisten
      4⤵
      PID:4896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbsnmp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4396
- - C:\Windows\SysWOW64\net.exe
    net stop /y ekrn
    3⤵
    PID:360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ekrn
      4⤵
      PID:4228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop /y RESvc
    3⤵
    PID:4168
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y RESvc
      4⤵
      PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Raccine.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefox.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\SysWOW64\net.exe
    net stop /y EPSecurity
    3⤵
    PID:1936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EPSecurity
      4⤵
      PID:3140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im veeam.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- - C:\Windows\SysWOW64\net.exe
    net stop /y xchange
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y xchange
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\net.exe
    net stop /y TrueKey
    3⤵
    PID:1980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y TrueKey
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\net.exe
    net stop /y MsDts
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y MsDts
      4⤵
      PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im vmwp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im msaccess.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im wordpad.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im oracle.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sofos.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3996
- - C:\Windows\SysWOW64\net.exe
    net stop /y swi_
    3⤵
    PID:4088
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y swi_
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xfssvccon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4648
- - C:\Windows\SysWOW64\net.exe
    net stop /y Enterprise
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Enterprise
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im xchange.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\SysWOW64\net.exe
    net stop /y AVP
    3⤵
    PID:4236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y AVP
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im isqlplussvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im notepad.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\SysWOW64\net.exe
    net stop /y Exchange
    3⤵
    PID:4272
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Exchange
      4⤵
      PID:5064
- - C:\Windows\SysWOW64\net.exe
    net stop /y Smcinst
    3⤵
    PID:1936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Smcinst
      4⤵
      PID:5004
- - C:\Windows\SysWOW64\net.exe
    net stop /y Antivirus
    3⤵
    PID:4060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Antivirus
      4⤵
      PID:4492
- - C:\Windows\SysWOW64\net.exe
    net stop /y NetMsmq
    3⤵
    PID:5016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y NetMsmq
      4⤵
      PID:3624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocomm.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ocssd.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1124
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng50.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im firefoxconfig.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im synctime.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:624
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfemms
    3⤵
    PID:444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfemms
      4⤵
      PID:3576
- - C:\Windows\SysWOW64\net.exe
    net stop /y Monitor
    3⤵
    PID:2944
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Monitor
      4⤵
      PID:1948
- - C:\Windows\SysWOW64\net.exe
    net stop /y WRSVC
    3⤵
    PID:4328
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y WRSVC
      4⤵
      PID:4648
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im calc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4608
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im powerpnt.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4820
- - C:\Windows\SysWOW64\net.exe
    net stop /y veeam
    3⤵
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y veeam
      4⤵
      PID:2364
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im encsvc.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:312
- - C:\Windows\SysWOW64\net.exe
    net stop /y Veeam
    3⤵
    PID:3952
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Veeam
      4⤵
      PID:4012
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im virtual.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- - C:\Windows\SysWOW64\net.exe
    net stop /y vmcomp
    3⤵
    PID:3512
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vmcomp
      4⤵
      PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im raccine.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\SysWOW64\net.exe
    net stop /y SMTP
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SMTP
      4⤵
      PID:4760
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mbamtray.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5016
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im vmcomp.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\SysWOW64\net.exe
    net stop /y W3S
    3⤵
    PID:4112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y W3S
      4⤵
      PID:2060
- - C:\Windows\SysWOW64\net.exe
    net stop /y vss
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vss
      4⤵
      PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Ntrtscan.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop /y EsgShKernel
    3⤵
    PID:4644
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EsgShKernel
      4⤵
      PID:3936
- - C:\Windows\SysWOW64\net.exe
    net stop /y ntrt
    3⤵
    PID:444
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ntrt
      4⤵
      PID:2104
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqlbcoreservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\SysWOW64\net.exe
    net stop /y Eraser
    3⤵
    PID:796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Eraser
      4⤵
      PID:860
- - C:\Windows\SysWOW64\net.exe
    net stop /y task
    3⤵
    PID:4812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y task
      4⤵
      PID:2840
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im dbeng.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im word.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im PccNTMon.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4196
- - C:\Windows\SysWOW64\net.exe
    net stop /y IMAP4
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y IMAP4
      4⤵
      PID:3440
- - C:\Windows\SysWOW64\net.exe
    net stop /y klnagent
    3⤵
    PID:4916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y klnagent
      4⤵
      PID:4988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mspub.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tmlisten.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im ekrn.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktop.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sqbcoreservice.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- - C:\Windows\SysWOW64\net.exe
    net stop /y FA_Scheduler
    3⤵
    PID:4008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y FA_Scheduler
      4⤵
      PID:1072
- - C:\Windows\SysWOW64\net.exe
    net stop /y VeeamTransportSvc
    3⤵
    PID:2712
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y VeeamTransportSvc
      4⤵
      PID:2140
- - C:\Windows\SysWOW64\net.exe
    net stop /y sql
    3⤵
    PID:4112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y sql
      4⤵
      PID:3864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im infopath.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im tbirdconfig.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- - C:\Windows\SysWOW64\net.exe
    net stop /y EPUpdate
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y EPUpdate
      4⤵
      PID:4596
- - C:\Windows\SysWOW64\net.exe
    net stop /y Back
    3⤵
    PID:2844
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Back
      4⤵
      PID:2944
- - C:\Windows\SysWOW64\net.exe
    net stop /y UIODetect
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y UIODetect
      4⤵
      PID:796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im visio.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4896
- - C:\Windows\SysWOW64\net.exe
    net stop /y ESHASRV
    3⤵
    PID:4316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y ESHASRV
      4⤵
      PID:1684
- - C:\Windows\SysWOW64\net.exe
    net stop /y vmwp
    3⤵
    PID:2364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y vmwp
      4⤵
      PID:4816
- - C:\Windows\SysWOW64\net.exe
    net stop /y acronis
    3⤵
    PID:1868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y acronis
      4⤵
      PID:1496
- - C:\Windows\SysWOW64\net.exe
    net stop /y POP3
    3⤵
    PID:4472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y POP3
      4⤵
      PID:2348
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im zoolz.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\SysWOW64\net.exe
    net stop /y mms
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mms
      4⤵
      PID:1736
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im mydesktopqos.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2644
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im thebat.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\SysWOW64\net.exe
    net stop /y Endpoint
    3⤵
    PID:5044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Endpoint
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\net.exe
    net stop /y Afee
    3⤵
    PID:1308
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Afee
      4⤵
      PID:1144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im CNTAoSMgr.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\SysWOW64\net.exe
    net stop /y Report
    3⤵
    PID:4748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Report
      4⤵
      PID:4872
- - C:\Windows\SysWOW64\net.exe
    net stop /y IISAdmin
    3⤵
    PID:1916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y IISAdmin
      4⤵
      PID:3332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im sql.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:856
- - C:\Windows\SysWOW64\net.exe
    net stop /y DCAgent
    3⤵
    PID:3908
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y DCAgent
      4⤵
      PID:2256
- - C:\Windows\SysWOW64\net.exe
    net stop /y MBAM
    3⤵
    PID:4948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y MBAM
      4⤵
      PID:4744
- - C:\Windows\SysWOW64\net.exe
    net stop /y PDVF
    3⤵
    PID:3060
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y PDVF
      4⤵
      PID:3424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im onenote.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im outlook.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- - C:\Windows\SysWOW64\net.exe
    net stop /y mfevtp
    3⤵
    PID:4812
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y mfevtp
      4⤵
      PID:3708
- - C:\Windows\SysWOW64\net.exe
    net stop /y AcrSch
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y AcrSch
      4⤵
      PID:1580
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im Backup.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- - C:\Windows\SysWOW64\net.exe
    net stop /y SNAC
    3⤵
    PID:1364
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y SNAC
      4⤵
      PID:4912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im excel.exe /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- - C:\Windows\SysWOW64\net.exe
    net stop /y Backup
    3⤵
    PID:5012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop /y Backup
      4⤵
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6us /TR "CMD.EXE DEL /F /Q "{DNAME}\{PRNAME}" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6tMpus /TR "CMD.EXE DEL /F /Q "{PATHIM}" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST
    3⤵
    PID:3844
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN zE0xO6bGus /TR "CMD.EXE DEL /F /Q "C:\ProgramData\pqBxGx.jpg" >> NUL" /sc once /st 00:00 /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6us
    3⤵
    PID:4984
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6us
      4⤵
      PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6tMpus
    3⤵
    PID:4884
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6tMpus
      4⤵
      PID:3788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks.exe /Run /TN zE0xO6bGus
    3⤵
    PID:3648
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Run /TN zE0xO6bGus
      4⤵
      PID:2880

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q {DNAME}\{PRNAME} >> NUL
1⤵
PID:3700

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q {PATHIM} >> NUL
1⤵
PID:2840

C:\Windows\system32\CMD.EXE
CMD.EXE DEL /F /Q C:\ProgramData\pqBxGx.jpg >> NUL
1⤵
PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_Salsa20.pyd

MD5
ddbd242c046e6f339adcec3b26660006

SHA1
82acc4665101fc344eec7b8a965aa920c6293310

SHA256
f34ce0dfa4b81f566b51b3cb384ad21b0f81c36069c045287807278f4dfd76fa

SHA512
8ca9496297a297b8a54763365786aaaf25fec72cfc83e792f7498c0c809c52c6b9552f9eb5334b124a9afa6215806c2439cfcbd9759df2662a544e63d06488d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_Salsa20.pyd

MD5
ddbd242c046e6f339adcec3b26660006

SHA1
82acc4665101fc344eec7b8a965aa920c6293310

SHA256
f34ce0dfa4b81f566b51b3cb384ad21b0f81c36069c045287807278f4dfd76fa

SHA512
8ca9496297a297b8a54763365786aaaf25fec72cfc83e792f7498c0c809c52c6b9552f9eb5334b124a9afa6215806c2439cfcbd9759df2662a544e63d06488d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_aes.pyd

MD5
39345a5d7496eb3fef372d893c32e324

SHA1
a90d2c69edc58d2a222553911edbe700be32f0ee

SHA256
f8e64eab899c3f8ce30f2ca0835d4ebdd2707e4591553ac5114b2edfd14ed510

SHA512
cffbff16587c27936a0add35a131def7f4371f9c72b1a049f6a4dd69ed5164fc4f368c19d3e6655dc02154888699a87404532c1e73dd3f405e519132c388d756

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_aes.pyd

MD5
39345a5d7496eb3fef372d893c32e324

SHA1
a90d2c69edc58d2a222553911edbe700be32f0ee

SHA256
f8e64eab899c3f8ce30f2ca0835d4ebdd2707e4591553ac5114b2edfd14ed510

SHA512
cffbff16587c27936a0add35a131def7f4371f9c72b1a049f6a4dd69ed5164fc4f368c19d3e6655dc02154888699a87404532c1e73dd3f405e519132c388d756

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_aesni.pyd

MD5
add4de8ac56c96b135b4d281648a5924

SHA1
c9e9709f22557bf85102902b2f6e873831192135

SHA256
3a29bcfb18adff15daf7b1d8dfbab372be324a1fd5f20a2f4224929af3a03e0f

SHA512
65a43bf46c36e1f31371c5443daf7b88efe285dc7a82f5e8e49558070522bd9bfa62f02022b50d1d72e55d66420bce0d7a5e621c308aeaf6ec51b4d18c87c833

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_aesni.pyd

MD5
add4de8ac56c96b135b4d281648a5924

SHA1
c9e9709f22557bf85102902b2f6e873831192135

SHA256
3a29bcfb18adff15daf7b1d8dfbab372be324a1fd5f20a2f4224929af3a03e0f

SHA512
65a43bf46c36e1f31371c5443daf7b88efe285dc7a82f5e8e49558070522bd9bfa62f02022b50d1d72e55d66420bce0d7a5e621c308aeaf6ec51b4d18c87c833

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_cbc.pyd

MD5
1b15377994b7f1880b397c4060bf6ed2

SHA1
2e0771da29c6a3f31c9a87d6f9d17740275715da

SHA256
1bed49d92baeeba20c5d6e7baf2b9287672932edd3b0b9354e9cd39f87902120

SHA512
1080159eb82585852e27b9cd3ed0b4a6cdd10973f3a611b420b1920fd193c143ced843014aa8de14ac8cf06353c58ef2fbbc4717e18bb9b4bdcda7fc15b86801

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_cbc.pyd

MD5
1b15377994b7f1880b397c4060bf6ed2

SHA1
2e0771da29c6a3f31c9a87d6f9d17740275715da

SHA256
1bed49d92baeeba20c5d6e7baf2b9287672932edd3b0b9354e9cd39f87902120

SHA512
1080159eb82585852e27b9cd3ed0b4a6cdd10973f3a611b420b1920fd193c143ced843014aa8de14ac8cf06353c58ef2fbbc4717e18bb9b4bdcda7fc15b86801

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_cfb.pyd

MD5
ffaae5a56ccd4ff6869cf16a36532cf5

SHA1
9fd0f35d4519e94f768287bfd27c2bfdef75f1b9

SHA256
79213b7e9f85931b424c818ccecdf9b06cf6abdf091ac0de3e3e5751145193b2

SHA512
15a5b5f7e6c2cebb7f6f56b3e881a96d63ae9595573c15b8afe8a4029679b07f511966bf84fe89e1efda44d83d3178c1e9879ff41e3ff4e3491910e28f78d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_cfb.pyd

MD5
ffaae5a56ccd4ff6869cf16a36532cf5

SHA1
9fd0f35d4519e94f768287bfd27c2bfdef75f1b9

SHA256
79213b7e9f85931b424c818ccecdf9b06cf6abdf091ac0de3e3e5751145193b2

SHA512
15a5b5f7e6c2cebb7f6f56b3e881a96d63ae9595573c15b8afe8a4029679b07f511966bf84fe89e1efda44d83d3178c1e9879ff41e3ff4e3491910e28f78d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ctr.pyd

MD5
d01b5c0cedae84707903f9660aae2f31

SHA1
c86c9c156bc56ed2ee8d0e4b1d8a5d9ba04968d8

SHA256
d08caad9eeae42266fba08936450462a69db4b96365d792e3529c1aa7ff6db6d

SHA512
1b99a3d5a4085da07f188c63575a59343ed3e938990e3c96116bb8b6ed0cef3e53493c313157cfa51e76b64a8a9e08950dc418650a16351dd54704d860ff7b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ctr.pyd

MD5
d01b5c0cedae84707903f9660aae2f31

SHA1
c86c9c156bc56ed2ee8d0e4b1d8a5d9ba04968d8

SHA256
d08caad9eeae42266fba08936450462a69db4b96365d792e3529c1aa7ff6db6d

SHA512
1b99a3d5a4085da07f188c63575a59343ed3e938990e3c96116bb8b6ed0cef3e53493c313157cfa51e76b64a8a9e08950dc418650a16351dd54704d860ff7b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_des.pyd

MD5
d9ac60737322166ac2aa4abdbb5bf8d1

SHA1
48ddfb12db35ceecaadfd29cb434c323298d2bd7

SHA256
2d0334905a6aab7504352bcf7e6d1457398d801253c4f0b4a298f4f12ab7c579

SHA512
c8148a1baf2d1c59c844f231467d3133dd9c160c90e0a53caaf76906b8c4e977ea2754451f8e3f2e8cbfdba9b7b8f97402f6d49b047d6673aaad346c5622a34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_des.pyd

MD5
d9ac60737322166ac2aa4abdbb5bf8d1

SHA1
48ddfb12db35ceecaadfd29cb434c323298d2bd7

SHA256
2d0334905a6aab7504352bcf7e6d1457398d801253c4f0b4a298f4f12ab7c579

SHA512
c8148a1baf2d1c59c844f231467d3133dd9c160c90e0a53caaf76906b8c4e977ea2754451f8e3f2e8cbfdba9b7b8f97402f6d49b047d6673aaad346c5622a34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_des3.pyd

MD5
0cac4561a1240e1bde27decac1017a8d

SHA1
47c0c38007f7b07af6cfc10c4554af8430ada7e8

SHA256
d043db2c5f626c65a91197088a08cc30c707e3fd59bd1e1e46b485520a980529

SHA512
25dfa7134b70d8d78345486c229c2f07770c2c235cf906e8e7d0e710582dd53b7e0a3d7e8371c1a33cb896c23fd49a7a4faf7ddc7d620f8b5feb093932f35c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_des3.pyd

MD5
0cac4561a1240e1bde27decac1017a8d

SHA1
47c0c38007f7b07af6cfc10c4554af8430ada7e8

SHA256
d043db2c5f626c65a91197088a08cc30c707e3fd59bd1e1e46b485520a980529

SHA512
25dfa7134b70d8d78345486c229c2f07770c2c235cf906e8e7d0e710582dd53b7e0a3d7e8371c1a33cb896c23fd49a7a4faf7ddc7d620f8b5feb093932f35c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ecb.pyd

MD5
c7fe7cae847d9cc7ffb20ff218a5e0b9

SHA1
158f29ee4698a228da98418f9583b768211b2dfc

SHA256
4c30627081ef86f23c3292d28ea8beae9d32f63e4664e6799924032ba584ba72

SHA512
e2a795a76d83d10df4e9df46f763a8b208f06c1fb5c8fe0bb080fcb66cbbd6ac0a9b8d6ea4d1aa58928ce8905d5e44c953846a05927feac0455a1e4920a30690

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ecb.pyd

MD5
c7fe7cae847d9cc7ffb20ff218a5e0b9

SHA1
158f29ee4698a228da98418f9583b768211b2dfc

SHA256
4c30627081ef86f23c3292d28ea8beae9d32f63e4664e6799924032ba584ba72

SHA512
e2a795a76d83d10df4e9df46f763a8b208f06c1fb5c8fe0bb080fcb66cbbd6ac0a9b8d6ea4d1aa58928ce8905d5e44c953846a05927feac0455a1e4920a30690

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ocb.pyd

MD5
001afd2cf3631fba20c0ea51915cb269

SHA1
ec4250ea47640ce1d1dcd1dec9f7c3ea17a77d29

SHA256
1deb00c3e0f17b86e912cb8ea05a6575d97b1aed9b9e4b06a5f4bacc9c828278

SHA512
2083d762877943b9ced28b97763750d24e6a56f607538545850429410c9ab79052734f06c16556b565e566a25ef0fa99b598b9deb32735fbed0cffc4898b4639

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ocb.pyd

MD5
001afd2cf3631fba20c0ea51915cb269

SHA1
ec4250ea47640ce1d1dcd1dec9f7c3ea17a77d29

SHA256
1deb00c3e0f17b86e912cb8ea05a6575d97b1aed9b9e4b06a5f4bacc9c828278

SHA512
2083d762877943b9ced28b97763750d24e6a56f607538545850429410c9ab79052734f06c16556b565e566a25ef0fa99b598b9deb32735fbed0cffc4898b4639

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ofb.pyd

MD5
caab7ca0a1bc6554c275300c18c3047b

SHA1
b1ed17a2af6941545e59cb0c5864af76fc706ccb

SHA256
701cbde9ce6fb828c46a19202ae63674670a61c9a4381bc49017cfb3ce1ced81

SHA512
563613ff5263f0469786816376e83dca44a8b5e2d0322f74ea57f9c4a6f29a19cc061f4db59971330696d510621b4b12a275d66b7ff5d1905867b6447c5ff952

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Cipher\_raw_ofb.pyd

MD5
caab7ca0a1bc6554c275300c18c3047b

SHA1
b1ed17a2af6941545e59cb0c5864af76fc706ccb

SHA256
701cbde9ce6fb828c46a19202ae63674670a61c9a4381bc49017cfb3ce1ced81

SHA512
563613ff5263f0469786816376e83dca44a8b5e2d0322f74ea57f9c4a6f29a19cc061f4db59971330696d510621b4b12a275d66b7ff5d1905867b6447c5ff952

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_BLAKE2s.pyd

MD5
c64058302e86dc35c79429084d38c9f5

SHA1
14b6fd0c4f41a3b668eab47344cd89168705971d

SHA256
2700b50ff4f23506c6ef48100860cb00610ec78c8da20233c195362139c95cf6

SHA512
87eda9d845ffaad6e938786381d1c32763940f8bb33108c0bcf595da5c0072fb179b521ea2888ec2759a6c5d68c1ea63b8f1eed3c14d8aa8a9c655cde900d717

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_BLAKE2s.pyd

MD5
c64058302e86dc35c79429084d38c9f5

SHA1
14b6fd0c4f41a3b668eab47344cd89168705971d

SHA256
2700b50ff4f23506c6ef48100860cb00610ec78c8da20233c195362139c95cf6

SHA512
87eda9d845ffaad6e938786381d1c32763940f8bb33108c0bcf595da5c0072fb179b521ea2888ec2759a6c5d68c1ea63b8f1eed3c14d8aa8a9c655cde900d717

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_MD5.pyd

MD5
9c1d023df1ebd7283fad0ac51c56a2ea

SHA1
13be52fb274d94f9f418cf0f4c763d966d60ddf2

SHA256
3c61c844bc8d8229f029ac45f54c6d6a4b6e0cf321f70df14540f6349e0ea360

SHA512
c868b5a8c10da7d0699a05d04ea8dfa10029056ad8bd0a957d2704c2ec7cffbf568e1e10e99d009ddaf31c603180bb2e495501ed0c4a6fa46a79a2605e4041c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_MD5.pyd

MD5
9c1d023df1ebd7283fad0ac51c56a2ea

SHA1
13be52fb274d94f9f418cf0f4c763d966d60ddf2

SHA256
3c61c844bc8d8229f029ac45f54c6d6a4b6e0cf321f70df14540f6349e0ea360

SHA512
c868b5a8c10da7d0699a05d04ea8dfa10029056ad8bd0a957d2704c2ec7cffbf568e1e10e99d009ddaf31c603180bb2e495501ed0c4a6fa46a79a2605e4041c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_SHA1.pyd

MD5
402ee9711aa64d5a01f7e45037b5280f

SHA1
862a2c9252a3eb3e07eda4fc7ddcf818f7c57a47

SHA256
1fa13a0054b541ce3220dd858ea140068904c08641e32dbbe888f785ccf1555b

SHA512
f338080c949b54589a9abdfd762b71a5a19a04e343425ffaf7b0ae1577e63cfa3bd92e2a060928def7e1c7f844a2526b5b3554c8d597ecaf79b4d152ae405e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_SHA1.pyd

MD5
402ee9711aa64d5a01f7e45037b5280f

SHA1
862a2c9252a3eb3e07eda4fc7ddcf818f7c57a47

SHA256
1fa13a0054b541ce3220dd858ea140068904c08641e32dbbe888f785ccf1555b

SHA512
f338080c949b54589a9abdfd762b71a5a19a04e343425ffaf7b0ae1577e63cfa3bd92e2a060928def7e1c7f844a2526b5b3554c8d597ecaf79b4d152ae405e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_SHA256.pyd

MD5
e3c65ee7c914c17b71659168425ad0ba

SHA1
a4b12e0f5eb73e280723dca2a477c9fe217ddc46

SHA256
8b9e0af341677ef6a709113ac7ffaa29f27688895df2420d0ffecfda87cf7291

SHA512
a27885823244f396f1338fa2314e1179fec11ef9ba3511463c171c9acc9274bebc431505909172e9a6a7741fc5ab902b5066466f8c7a24ac23d254536d122014

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_SHA256.pyd

MD5
e3c65ee7c914c17b71659168425ad0ba

SHA1
a4b12e0f5eb73e280723dca2a477c9fe217ddc46

SHA256
8b9e0af341677ef6a709113ac7ffaa29f27688895df2420d0ffecfda87cf7291

SHA512
a27885823244f396f1338fa2314e1179fec11ef9ba3511463c171c9acc9274bebc431505909172e9a6a7741fc5ab902b5066466f8c7a24ac23d254536d122014

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_ghash_clmul.pyd

MD5
56d68daf3061e0d460990ab6a6c2ca91

SHA1
e3d4cf490e33a7141f1b604a682a45224f675d4f

SHA256
2fd296768e5d13d935fe785a58a0081a44c1c59a90b4ab4d3247ed9f2c3928ff

SHA512
297e8c2de26057edf0f0f549987060bdb8dd89a6c15a613897d0c526d820cd9ccdba14a12331c7138d728edb6c9b24248ebf0264894348e607123c7596033c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_ghash_clmul.pyd

MD5
56d68daf3061e0d460990ab6a6c2ca91

SHA1
e3d4cf490e33a7141f1b604a682a45224f675d4f

SHA256
2fd296768e5d13d935fe785a58a0081a44c1c59a90b4ab4d3247ed9f2c3928ff

SHA512
297e8c2de26057edf0f0f549987060bdb8dd89a6c15a613897d0c526d820cd9ccdba14a12331c7138d728edb6c9b24248ebf0264894348e607123c7596033c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_ghash_portable.pyd

MD5
4e0c3350e5341e717a99ef3fd8a08dc5

SHA1
ce20e5d219d16d6a0639a45bf430137aed9554e6

SHA256
66187f12635ccd6f4e66a412f8ac63f5e2ed94c39775f9feebb1eef06a20360e

SHA512
6ee1c236925ac5c4f47c5c7ae0e53ddf6d5ab04c9026ea020162993f37e7a684782bdc8acd7e7f44af5942436fcae55e3921b560152f47dd930a1b353d30247c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Hash\_ghash_portable.pyd

MD5
4e0c3350e5341e717a99ef3fd8a08dc5

SHA1
ce20e5d219d16d6a0639a45bf430137aed9554e6

SHA256
66187f12635ccd6f4e66a412f8ac63f5e2ed94c39775f9feebb1eef06a20360e

SHA512
6ee1c236925ac5c4f47c5c7ae0e53ddf6d5ab04c9026ea020162993f37e7a684782bdc8acd7e7f44af5942436fcae55e3921b560152f47dd930a1b353d30247c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Math\_modexp.pyd

MD5
9679c229d04bda9e908bd7cbb82bc559

SHA1
a103cc2a23e49abf8a824c7f381cf4b319fe7ab7

SHA256
4e7e18bb452f1ef4abfe6d498d143eb76b0b6b61c9b6580e883e6d33041d66ec

SHA512
82de9e6d430d3615968d480a6f897d1a6aa8c0c16011995a8fe5a52ba93ec69fb87004cc4b4ea64d5ab40cfbf82eb9eafc9f51c5793c0a44c7caecf54ed30a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Math\_modexp.pyd

MD5
9679c229d04bda9e908bd7cbb82bc559

SHA1
a103cc2a23e49abf8a824c7f381cf4b319fe7ab7

SHA256
4e7e18bb452f1ef4abfe6d498d143eb76b0b6b61c9b6580e883e6d33041d66ec

SHA512
82de9e6d430d3615968d480a6f897d1a6aa8c0c16011995a8fe5a52ba93ec69fb87004cc4b4ea64d5ab40cfbf82eb9eafc9f51c5793c0a44c7caecf54ed30a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Protocol\_scrypt.pyd

MD5
928dacff8c4ffbaefaed750f5e194c56

SHA1
a745e2fa252486b2749f3f021ba1276bb15842ec

SHA256
2651a730e2e54c263e8ccf98035d2d4e0e2087a33d6179785fe815281b3f5db7

SHA512
cba420b4bdf830b7079709f6ee27d2f583b360389637f7c118c25abb7c4c5afdb207287c331747d18e147d4d2d20aa6ab8f1c275a5fbc616c48463abb8e8c1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Protocol\_scrypt.pyd

MD5
928dacff8c4ffbaefaed750f5e194c56

SHA1
a745e2fa252486b2749f3f021ba1276bb15842ec

SHA256
2651a730e2e54c263e8ccf98035d2d4e0e2087a33d6179785fe815281b3f5db7

SHA512
cba420b4bdf830b7079709f6ee27d2f583b360389637f7c118c25abb7c4c5afdb207287c331747d18e147d4d2d20aa6ab8f1c275a5fbc616c48463abb8e8c1c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Util\_cpuid_c.pyd

MD5
ddd51457ec06e8df96fa9c6fe3366357

SHA1
f62a75feda74970db00a0b8ba3fbe55919d5b477

SHA256
5012c198825652b9af8d8349ea06fc4d25b70accc9373fcc16674f068154a06f

SHA512
74afb380610a9cfc9474ca31dbdfc5dccb3e0c1bbf00dacf51d3dcb3c2f473cc5c76299233b1cb419ff4e84d93c9ee56e7bd9f0de261b5381b407e8a619d4195

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Util\_cpuid_c.pyd

MD5
ddd51457ec06e8df96fa9c6fe3366357

SHA1
f62a75feda74970db00a0b8ba3fbe55919d5b477

SHA256
5012c198825652b9af8d8349ea06fc4d25b70accc9373fcc16674f068154a06f

SHA512
74afb380610a9cfc9474ca31dbdfc5dccb3e0c1bbf00dacf51d3dcb3c2f473cc5c76299233b1cb419ff4e84d93c9ee56e7bd9f0de261b5381b407e8a619d4195

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Util\_strxor.pyd

MD5
1db8fde2e2bfc341e1f856e50d41c39d

SHA1
748d8fa9c747fc2de5ef64537dd87219292a3f46

SHA256
44abba55c306c418da1b72f4664a486795e7e7467a848360de0248e402107145

SHA512
a17ebc16d03ab9daadff0a3727ef1802c2d956f763059a3b1e05d39cdbc5432e08d773d16823553111c669a64beb291938a26af6dedf7c2b6c644064fa6b5c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\Crypto\Util\_strxor.pyd

MD5
1db8fde2e2bfc341e1f856e50d41c39d

SHA1
748d8fa9c747fc2de5ef64537dd87219292a3f46

SHA256
44abba55c306c418da1b72f4664a486795e7e7467a848360de0248e402107145

SHA512
a17ebc16d03ab9daadff0a3727ef1802c2d956f763059a3b1e05d39cdbc5432e08d773d16823553111c669a64beb291938a26af6dedf7c2b6c644064fa6b5c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\VCRUNTIME140.dll

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\VCRUNTIME140.dll

MD5
afa8fb684eded0d4ca6aa03aebea446f

SHA1
98bbb8543d4b3fbecebb952037adb0f9869a63a5

SHA256
44de8d0dc9994bff357344c44f12e8bfff8150442f7ca313298b98e6c23a588e

SHA512
6669eec07269002c881467d4f4af82e5510928ea32ce79a7b1f51a71ba9567e8d99605c5bc86f940a7b70231d70638aeb2f6c2397ef197bd4c28f5e9fad40312

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_bz2.pyd

MD5
ca6b245fecc69cad34201edd4be8cc3a

SHA1
c9954f6254130a6615375cc2540f0c4680665f4b

SHA256
e445fc0acf42299f4d5fe25d7fac76f14635ce0cd980dffc528924e59aa5c4f8

SHA512
805a4a53f0425e9083499d95793cb1c6aa590d8bdc2603c7562714198bd968e194f220e56c33633fb65dcb4881877339428fe9166ceb48a3035ddf469fe4d843

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_bz2.pyd

MD5
ca6b245fecc69cad34201edd4be8cc3a

SHA1
c9954f6254130a6615375cc2540f0c4680665f4b

SHA256
e445fc0acf42299f4d5fe25d7fac76f14635ce0cd980dffc528924e59aa5c4f8

SHA512
805a4a53f0425e9083499d95793cb1c6aa590d8bdc2603c7562714198bd968e194f220e56c33633fb65dcb4881877339428fe9166ceb48a3035ddf469fe4d843

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_ctypes.pyd

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_ctypes.pyd

MD5
21e301d58c481660af1efdebc4ad63fe

SHA1
ec10719afcbd6317355bbe0de04beb3d5c067651

SHA256
003429b4e119dc08798aada64c13002b210507291afae8cace5eb0032754e78e

SHA512
fe06fcb3f6f3f76b7de0ea92ea4fb286c6f8643cbe0f34a9df9b354434aabe3941a3bf2028f3a2e61183f4c39ee2f80ec5dfdcd9854416423142142508a71493

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_lzma.pyd

MD5
a8b44e968ad48a7931e6121ce8b7ebf3

SHA1
26ea3b101f72c9e1ef376e9339a309cf62c662ca

SHA256
49a7db86b3b500a5d45c6c6c97a7d019f6e44c8b862d24fa4347e4e0aa06c5e1

SHA512
7b0ff7c257d5b5d658b4dcee3ee6e1aab83d11cc0fe8159685a9a9cb301a91e9071d3951ec64a879eb7ff81228f1ae70a75c88a9e481a5d00f17fdc73389ca8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_lzma.pyd

MD5
a8b44e968ad48a7931e6121ce8b7ebf3

SHA1
26ea3b101f72c9e1ef376e9339a309cf62c662ca

SHA256
49a7db86b3b500a5d45c6c6c97a7d019f6e44c8b862d24fa4347e4e0aa06c5e1

SHA512
7b0ff7c257d5b5d658b4dcee3ee6e1aab83d11cc0fe8159685a9a9cb301a91e9071d3951ec64a879eb7ff81228f1ae70a75c88a9e481a5d00f17fdc73389ca8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_socket.pyd

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\_socket.pyd

MD5
2df573607b053e4d8ba0eba9be96541c

SHA1
d41b40c468898c9a2e4d6be434c7eea57724b546

SHA256
a591d3054c741496889e1a427516d8aab89bb94636b96467213fa6449df9eb26

SHA512
21fb191b49092abf5bc0ab029fdff0a63b7b77ed4edbf13b0c74eb8d3e5a9ebd5ba8314c0f8293ad5c922c5ad0849a23d1fa05e1c6e3104c23aab85dcd095e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\base_library.zip

MD5
29ed38d37f51d143ce49e29460f22cb5

SHA1
4c0fd208b88ce7ac66497c966e8a049e5daa383c

SHA256
3377e3349f83ee34f1aca1244951580d675ba57b886a7c71781b67e8fd2a0b70

SHA512
5c4e6b75fa01e6ae3f936393c069394ea2c9ca153061dff61b8c11b83be1339ed73b4a2653c347580217e094b60a6a10a7c909384bc92d8b0844ba7037a79cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\libffi-7.dll

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\libffi-7.dll

MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\python39.dll

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\python39.dll

MD5
84741db3367d6998108d22e03eaf2a71

SHA1
6564ab918223d0074dfbf9bc5d062fd3a2003079

SHA256
3e0c22d1451c3f3578850990f54916eb276bb45b951649d6478523566dfa8059

SHA512
1a6aa94ec97df73b23b0d5079bafa92c13f9786f5c488046e95804f4701baeecb1beb9fd96824a6009355321adb7319ac643af40ff0c6b01733050dab2b648c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\pytransform.pyd

MD5
17c338f19037c2ff5c8b6e34a7710985

SHA1
362f14d39ba2518ad50970eddfd0f9f12ea97f84

SHA256
3e6988e591bdd8a67006d458e8a58fa7eb3ab212437bf00917b38b9ac4d492ea

SHA512
7aab66b9edfd26dd883fbc52c158410e7826234a7272371769c6a5542dd1b9eb135a8cad43f895f0af31b59705fbcbbd0551196bab8ba59f01a80b72415ab4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\pytransform.pyd

MD5
17c338f19037c2ff5c8b6e34a7710985

SHA1
362f14d39ba2518ad50970eddfd0f9f12ea97f84

SHA256
3e6988e591bdd8a67006d458e8a58fa7eb3ab212437bf00917b38b9ac4d492ea

SHA512
7aab66b9edfd26dd883fbc52c158410e7826234a7272371769c6a5542dd1b9eb135a8cad43f895f0af31b59705fbcbbd0551196bab8ba59f01a80b72415ab4eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\select.pyd

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\select.pyd

MD5
e2642d30be324bd86d711ada36797b85

SHA1
c474699a4853f0157708901213d3165530c45a69

SHA256
bb87be114067ab856067dbe74ba421c21cb0f36ad1960af0f5d61bda2e753fa2

SHA512
b2bb79f229d86e74d04bae5ef4813909afeaac530ce71f384c2ce1e1c690d792b413255c35e97b0ef9ff72c68d779dc044a03646d35777a40f1a427eafc14666

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\tinyaes.cp39-win32.pyd

MD5
8c4a64f321707eac9ac3501199801460

SHA1
eef5ce1e30b6e5b72794609c8244b7500f03486f

SHA256
700a523d573d040566935b7e60b086d21edfbc537cc562e1e6041cc9bd72edd4

SHA512
1a01a355d23381b745bdaa1c9e2162b8a028fc31cf3ccca128e2be17a5ceda6c44efe298789c00a5cdc8498f5d83a380a83022bcaaeb9dcd46219fcb15f4cfe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zXnVhmx\_MEI38242\tinyaes.cp39-win32.pyd

MD5
8c4a64f321707eac9ac3501199801460

SHA1
eef5ce1e30b6e5b72794609c8244b7500f03486f

SHA256
700a523d573d040566935b7e60b086d21edfbc537cc562e1e6041cc9bd72edd4

SHA512
1a01a355d23381b745bdaa1c9e2162b8a028fc31cf3ccca128e2be17a5ceda6c44efe298789c00a5cdc8498f5d83a380a83022bcaaeb9dcd46219fcb15f4cfe3

Download Submit