babadeda | 1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1

Analysis

max time kernel
302s
max time network
51s
platform
windows7_x64
resource
win7-20220331-en
submitted
02-04-2022 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe
Size

8.1MB
MD5

72ad5cebf69de22b971997bb261ef519
SHA1

27aef0b7214b93b44cbeab76af1dd39db3d938fd
SHA256

1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1
SHA512

a4879dae60d580b3fad31311ae64acdc92604164cc95bd721a4a789c66791c5586eac3922e621c33aab5f919ad92e68ef6cbbc43b3d4857b547e627855bcefe8

Score

10^/10

babadeda phobos crypter evasion loader persistence ransomware spyware stealer

Malware Config

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral1/memory/1248-132-0x0000000003840000-0x0000000006A40000-memory.dmp	family_babadeda

Phobos
Phobos ransomware appeared at the beginning of 2019.
ransomware phobos
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1580	bcdedit.exe
1616	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2000	wbadmin.exe

Executes dropped EXE 2 IoCs

pid	Process
1636	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Drops startup file 1 IoCs

description	ioc	Process
File created	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\AdobeIPCBroker.exe	AdobeIPCBroker.exe

Loads dropped DLL 47 IoCs

pid	Process
2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe
2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe
2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1636	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeIPCBroker = "C:\\Users\\Admin\\AppData\\Local\\AdobeIPCBroker.exe"	AdobeIPCBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeIPCBroker = "C:\\Users\\Admin\\AppData\\Local\\AdobeIPCBroker.exe"	AdobeIPCBroker.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\$Recycle.Bin\S-1-5-21-594401021-1341801952-2355885667-1000\desktop.ini	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\desktop.ini	AdobeIPCBroker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\mip.exe.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tpcps.dll	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\mojo_core.dll	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\docs.crx	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ko_KR.jar.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msadcer.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-iio.dll	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msader15.dll	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-imageMask.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_ButtonGraphic.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Internet Explorer\DiagnosticsTap.dll	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TipRes.dll	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\mlib_image.dll.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\hi.pak	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.jpg	AdobeIPCBroker.exe
File created	C:\Program Files\desktop.ini.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tipresx.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcer.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fontconfig.properties.src	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\MSTTSLoc.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_elf.dll	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\npt.dll	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	AdobeIPCBroker.exe
File created	C:\Program Files\7-Zip\Lang\da.txt.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msdaprsr.dll	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\msdaprsr.dll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-highlight.png	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages.properties.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_CN.properties.id[99A896E1-2686].[[email protected]].Devos	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui	AdobeIPCBroker.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\oledbvbs.inc	AdobeIPCBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
880	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe
1248	AdobeIPCBroker.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1636	AdobeIPCBroker.exe
Token: SeDebugPrivilege	1248	AdobeIPCBroker.exe
Token: SeBackupPrivilege	1584	vssvc.exe
Token: SeRestorePrivilege	1584	vssvc.exe
Token: SeAuditPrivilege	1584	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: SeImpersonatePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: SeImpersonatePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: SeBackupPrivilege	1520	wbengine.exe
Token: SeRestorePrivilege	1520	wbengine.exe
Token: SeSecurityPrivilege	1520	wbengine.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1636	2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe	28
PID 2000 wrote to memory of 1636	2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe	28
PID 2000 wrote to memory of 1636	2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe	28
PID 2000 wrote to memory of 1636	2000	1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe	28
PID 1248 wrote to memory of 1692	1248	AdobeIPCBroker.exe	31
PID 1248 wrote to memory of 1692	1248	AdobeIPCBroker.exe	31
PID 1248 wrote to memory of 1692	1248	AdobeIPCBroker.exe	31
PID 1248 wrote to memory of 1692	1248	AdobeIPCBroker.exe	31
PID 1248 wrote to memory of 2028	1248	AdobeIPCBroker.exe	30
PID 1248 wrote to memory of 2028	1248	AdobeIPCBroker.exe	30
PID 1248 wrote to memory of 2028	1248	AdobeIPCBroker.exe	30
PID 1248 wrote to memory of 2028	1248	AdobeIPCBroker.exe	30
PID 1692 wrote to memory of 880	1692	cmd.exe	34
PID 1692 wrote to memory of 880	1692	cmd.exe	34
PID 1692 wrote to memory of 880	1692	cmd.exe	34
PID 2028 wrote to memory of 1472	2028	cmd.exe	35
PID 2028 wrote to memory of 1472	2028	cmd.exe	35
PID 2028 wrote to memory of 1472	2028	cmd.exe	35
PID 2028 wrote to memory of 1740	2028	cmd.exe	37
PID 2028 wrote to memory of 1740	2028	cmd.exe	37
PID 2028 wrote to memory of 1740	2028	cmd.exe	37
PID 1692 wrote to memory of 1656	1692	cmd.exe	39
PID 1692 wrote to memory of 1656	1692	cmd.exe	39
PID 1692 wrote to memory of 1656	1692	cmd.exe	39
PID 1692 wrote to memory of 1580	1692	cmd.exe	41
PID 1692 wrote to memory of 1580	1692	cmd.exe	41
PID 1692 wrote to memory of 1580	1692	cmd.exe	41
PID 1692 wrote to memory of 1616	1692	cmd.exe	42
PID 1692 wrote to memory of 1616	1692	cmd.exe	42
PID 1692 wrote to memory of 1616	1692	cmd.exe	42
PID 1692 wrote to memory of 2000	1692	cmd.exe	43
PID 1692 wrote to memory of 2000	1692	cmd.exe	43
PID 1692 wrote to memory of 2000	1692	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe
"C:\Users\Admin\AppData\Local\Temp\1b9a300d4e882a59e4bb15f7aa7069df6cc48057d1f89a71fff6df4e70d483f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
  "C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- - C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe
    C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe "-relaunchedForIntegrityLevel -launchedbyvulcan-1636 C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        5⤵
        
        PID:1472
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=disable
        5⤵
        
        PID:1740
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:880
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1580
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1616
    - - C:\Windows\system32\wbadmin.exe
        
        wbadmin delete catalog -quiet
        5⤵
        Deletes backup catalog
        
        PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1540

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe

Filesize
4.6MB

MD5
25d5826c1136dde91cb8ed3b9319c50d

SHA1
627b989677c7d3d7431ca2d1c591fee095197a1e

SHA256
098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

SHA512
73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe

Filesize
4.6MB

MD5
25d5826c1136dde91cb8ed3b9319c50d

SHA1
627b989677c7d3d7431ca2d1c591fee095197a1e

SHA256
098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

SHA512
73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\CRClient.dll

Filesize
839KB

MD5
08abdf28c00df306cb339fc1324f2f43

SHA1
e54e1a1c009b3f6d94c0a9731ab3a1b54e8d50c6

SHA256
874f47e7f82114b68f443ef80a0188553dcba74356ccc579ffb41ecea606dde8

SHA512
e14e83356dc5f4c741d9479b33abac65dd365865605973c5b10b477bccab89b836bd41677e015c894c81c642ab582bb3f75e85374b44efde0f4acacbbb848027

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\MSVCP140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\StartupOptions.xml

Filesize
1KB

MD5
dcd02122ff75c24cee25500ad3a3d812

SHA1
76e733331554e9aaff6ccf0df22931db9ca852a4

SHA256
059280e2b72f31d15fe6b83b9362be359ebd2f16a5de4763a21d0885183854ba

SHA512
e7fb7605a3d46b302a977b21e14743a5d367ffd50a9ab339108a356894b5d75c7c2693609c9aed84cb8aeaddeb041dc018428ce20f7bc9bbc984b431db58ff21

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\TmEvent.dll

Filesize
196KB

MD5
5766b7a2fd2431d5fd95e7dfe53e9059

SHA1
d59d571b7ea52a1cc08d734794825e19bbb8c5da

SHA256
58e6af41baa0b14777ee3daa03e1ed021e80c8a7b773efebb532b1225bf821b9

SHA512
6ddae690f205b81e58eab38a93c504ff18903bc58e10620f8a8ef2d17a862cded1f6654ffbd8803f1473a265a10b3b1f5ae2b80c39b4542fe428a914f8a5b017

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\VCRUNTIME140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
75614f411dec3bff7a4c3443fb06eebe

SHA1
bb77b493f3329284437f2173e5031908f080d68f

SHA256
196c741e12fe57d9fd3c274af8a93d95e148ac91ada451b31b78923bcea77b17

SHA512
f03b71cee885140edc53463132e1d736978ebb0c5e76f2db8c1f7cfd61afa1bf925109f2721cc796ffad4619ca69605c37db496d444c9d34616de5f95c7c9623

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
4f361342b691aedc577e1bbbd16a14ae

SHA1
b249050dc506fd4199bc2d6a00b2fac61e13842b

SHA256
2eb1e71d1112913f09cb372eaaeb19c0b849c81a50649da0e4a66b2c83ad9f32

SHA512
4efd2c4ca0e9a7e38c59d9ca797b0efecbf3d8f33e83f3b49b81f5a2b47fdfcc494abc88c634660783861d50087a106ffc713f19d7cc609e9be38e2250e2940a

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
a5ef3ecb8ece8f31bfe429316281d64b

SHA1
13b0679242a262ecbda857b163c7db5a4b473c5b

SHA256
8678396666040b289999e82d1a0bb2175a6b5543922f05394252f7b3e986d0e7

SHA512
6f8da1d0c0122c10051a699cd77c1a21864ab14ba1cd485bd6d4c041e45591024254e642d0ae6310a9e1d1ad32e77183a62dab9dfc8ff050cce9e96d398e7ec2

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a37708eae8e652d16c4af5895cdd3a3d

SHA1
94e478d6568f07603e4d509e374b72a5c8b5ec7c

SHA256
abe2a6d988bfabb567874495f7fce79878967ccc00fea759597861f3fc73e349

SHA512
aa63684bc29bc4eb16a024944a02f4a55a595d7a651f56716ebc635d91474dcf1ed758a9218401ec1ea6610aa881036c3675909f14a37bcc4bd7157da44e21fc

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
14d9b19e5b801439fe7f34e195b30306

SHA1
8e3c156e9c2fa7054d0456ff8f7e3104fb2694fe

SHA256
2004a8a13c016c92b63404b882ad945f21a86e36000b9cb5ba24cf3acedb0de3

SHA512
1bb0d5eb3a8fd3173da0f5df1f8d9ae045ce2a21dc73bb2af4b57e537d0b8761711527fedcbc2378b8df300baa317ed2608952de0cad3eb37a9886645f6d94db

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
755d68cb04411f8c6f86842484b6e38b

SHA1
60fc150591e644eaa14d77e6bdedf125f94c14fd

SHA256
7e659c94c28f575d8ac20add7cecf421136ff19ce91916d255dc98b5ba16d57b

SHA512
b0cc16effb8fbc26bf58e121836e1d95d25e0438b16a21001e6e61173108d206355145d7ac005fd40e40a2ae3bccf24685844322af667754e6d057ba073d5b61

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
b3b04c457159e1a174eee384eb8deec7

SHA1
09971b91bf45ae9f84475c6565aaf1c40b34079d

SHA256
59d0de4eecdb196d8be3856894967f38fea60d3afdd2d42ee7dd61d4638680fd

SHA512
e28bdd2a889110e6235f02eb50ee7da2c49dc7dd8373077518f82bc9fd42bf915fedac9ba0dd2b702879da2e8ab99840b7c65011d66a4a296eb8afc3930531c0

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
a18e20d0362d9da9a4ed8038938c5d74

SHA1
bb07e6e5149ec644eedb850f41039c558c670e4c

SHA256
6f7d536bc81d5a395d8b52f4bd448e36349b8ad4854df5e90e55700487ffaf92

SHA512
dbf8eb5a2069d248305f0c4e61bf1d718b47dfff539cae37ceb47ad73dae431c96d705fa1b17d85cdb984de89c01e38c12e9e7454519f5723550d2af5e4110f6

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
f575a0246f350985fa8f320c1fb988e4

SHA1
a3673d65222205372abcd05bfc1c660d704a16dd

SHA256
49fc5116b92695b2437c36d17ffdc5fbde99cf3e48ddc9c1a4beb0e396f0d950

SHA512
4b06e54d83e5b42761d16c26a6c19a8a611ae165de94d9d2b8d98915030c0512b068e5c08fcc78cea6fae71d16d29b45bb9a248adf88f5132cea6bed062ed60e

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\libcui40.dll

Filesize
125KB

MD5
a43453dc3f04860653ff23db54f91f0d

SHA1
17877adc35e03eb2e7f7a90281a97067a839b70d

SHA256
55135de67a5816c6622ae671c934d5a2bfac1b8f3f09083f64a3ae5997bfbfdf

SHA512
8b97417f00175408eaf348cd2315f954609b98434337c2d822b9e0f11d2d249c584ef8e58fc33ffbd107ef56581964735a62801096779a9f43899e69fd8d9a66

Download Submit
C:\Users\Admin\AppData\Roaming\GreatSim\Milling\ucrtbase.DLL

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Local\Temp\pbBFBF67D0\PB3Dll.dll

Filesize
202KB

MD5
142bc2bb269b896cc0f11f9021dcbc52

SHA1
75b09b25f8f6b3b0fc94fcdcc61d932f303ac418

SHA256
5da7da9abb77790ddbb87d86b9ea4b01a4f375035827e30fa879dab8c2a737db

SHA512
150ffd4e66ee126912c6a5071bec750e4b5e603af9cc79b26c63e482f7d5d0aafcae1c995f10b60ba2da138effb19c668e1515f35db3b8b7a508ef34f59d134a

Download Submit
\Users\Admin\AppData\Local\Temp\pbBFBF67D0\PBCore.dll

Filesize
444KB

MD5
bf34ceda78a3ff4016e8eca82337ec06

SHA1
38966df0f48da3ee15e2a44545c982693d6f552a

SHA256
3b4e89de9ccb5b1beba22030e29e921460b375bcbe5364115cc093f329596889

SHA512
b5d4af43a78e8c061c823778786fa53db2736543ed2513a033b93302328f4af10d565a7ce4116ee6580400a02e23694eb2183ccfbc9c3d8132fef3e63ae58cae

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\AdobeIPCBroker.exe

Filesize
4.6MB

MD5
25d5826c1136dde91cb8ed3b9319c50d

SHA1
627b989677c7d3d7431ca2d1c591fee095197a1e

SHA256
098467cdf594b08bd6643592f24745f6f37132ab794da2d0263919d5d131bc81

SHA512
73bf5a1b8371bd70df4fb40ed1c08e2ad0db72722634de0167c8bcca7423b0f7fec9fa20bea66521aa051d842442432c623d440873d448af07b85914dbdf532e

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\CRClient.dll

Filesize
839KB

MD5
08abdf28c00df306cb339fc1324f2f43

SHA1
e54e1a1c009b3f6d94c0a9731ab3a1b54e8d50c6

SHA256
874f47e7f82114b68f443ef80a0188553dcba74356ccc579ffb41ecea606dde8

SHA512
e14e83356dc5f4c741d9479b33abac65dd365865605973c5b10b477bccab89b836bd41677e015c894c81c642ab582bb3f75e85374b44efde0f4acacbbb848027

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\CRClient.dll

Filesize
839KB

MD5
08abdf28c00df306cb339fc1324f2f43

SHA1
e54e1a1c009b3f6d94c0a9731ab3a1b54e8d50c6

SHA256
874f47e7f82114b68f443ef80a0188553dcba74356ccc579ffb41ecea606dde8

SHA512
e14e83356dc5f4c741d9479b33abac65dd365865605973c5b10b477bccab89b836bd41677e015c894c81c642ab582bb3f75e85374b44efde0f4acacbbb848027

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\TmEvent.dll

Filesize
196KB

MD5
5766b7a2fd2431d5fd95e7dfe53e9059

SHA1
d59d571b7ea52a1cc08d734794825e19bbb8c5da

SHA256
58e6af41baa0b14777ee3daa03e1ed021e80c8a7b773efebb532b1225bf821b9

SHA512
6ddae690f205b81e58eab38a93c504ff18903bc58e10620f8a8ef2d17a862cded1f6654ffbd8803f1473a265a10b3b1f5ae2b80c39b4542fe428a914f8a5b017

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\TmEvent.dll

Filesize
196KB

MD5
5766b7a2fd2431d5fd95e7dfe53e9059

SHA1
d59d571b7ea52a1cc08d734794825e19bbb8c5da

SHA256
58e6af41baa0b14777ee3daa03e1ed021e80c8a7b773efebb532b1225bf821b9

SHA512
6ddae690f205b81e58eab38a93c504ff18903bc58e10620f8a8ef2d17a862cded1f6654ffbd8803f1473a265a10b3b1f5ae2b80c39b4542fe428a914f8a5b017

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
75614f411dec3bff7a4c3443fb06eebe

SHA1
bb77b493f3329284437f2173e5031908f080d68f

SHA256
196c741e12fe57d9fd3c274af8a93d95e148ac91ada451b31b78923bcea77b17

SHA512
f03b71cee885140edc53463132e1d736978ebb0c5e76f2db8c1f7cfd61afa1bf925109f2721cc796ffad4619ca69605c37db496d444c9d34616de5f95c7c9623

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
75614f411dec3bff7a4c3443fb06eebe

SHA1
bb77b493f3329284437f2173e5031908f080d68f

SHA256
196c741e12fe57d9fd3c274af8a93d95e148ac91ada451b31b78923bcea77b17

SHA512
f03b71cee885140edc53463132e1d736978ebb0c5e76f2db8c1f7cfd61afa1bf925109f2721cc796ffad4619ca69605c37db496d444c9d34616de5f95c7c9623

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
4f361342b691aedc577e1bbbd16a14ae

SHA1
b249050dc506fd4199bc2d6a00b2fac61e13842b

SHA256
2eb1e71d1112913f09cb372eaaeb19c0b849c81a50649da0e4a66b2c83ad9f32

SHA512
4efd2c4ca0e9a7e38c59d9ca797b0efecbf3d8f33e83f3b49b81f5a2b47fdfcc494abc88c634660783861d50087a106ffc713f19d7cc609e9be38e2250e2940a

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
4f361342b691aedc577e1bbbd16a14ae

SHA1
b249050dc506fd4199bc2d6a00b2fac61e13842b

SHA256
2eb1e71d1112913f09cb372eaaeb19c0b849c81a50649da0e4a66b2c83ad9f32

SHA512
4efd2c4ca0e9a7e38c59d9ca797b0efecbf3d8f33e83f3b49b81f5a2b47fdfcc494abc88c634660783861d50087a106ffc713f19d7cc609e9be38e2250e2940a

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
a5ef3ecb8ece8f31bfe429316281d64b

SHA1
13b0679242a262ecbda857b163c7db5a4b473c5b

SHA256
8678396666040b289999e82d1a0bb2175a6b5543922f05394252f7b3e986d0e7

SHA512
6f8da1d0c0122c10051a699cd77c1a21864ab14ba1cd485bd6d4c041e45591024254e642d0ae6310a9e1d1ad32e77183a62dab9dfc8ff050cce9e96d398e7ec2

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
a5ef3ecb8ece8f31bfe429316281d64b

SHA1
13b0679242a262ecbda857b163c7db5a4b473c5b

SHA256
8678396666040b289999e82d1a0bb2175a6b5543922f05394252f7b3e986d0e7

SHA512
6f8da1d0c0122c10051a699cd77c1a21864ab14ba1cd485bd6d4c041e45591024254e642d0ae6310a9e1d1ad32e77183a62dab9dfc8ff050cce9e96d398e7ec2

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a37708eae8e652d16c4af5895cdd3a3d

SHA1
94e478d6568f07603e4d509e374b72a5c8b5ec7c

SHA256
abe2a6d988bfabb567874495f7fce79878967ccc00fea759597861f3fc73e349

SHA512
aa63684bc29bc4eb16a024944a02f4a55a595d7a651f56716ebc635d91474dcf1ed758a9218401ec1ea6610aa881036c3675909f14a37bcc4bd7157da44e21fc

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
a37708eae8e652d16c4af5895cdd3a3d

SHA1
94e478d6568f07603e4d509e374b72a5c8b5ec7c

SHA256
abe2a6d988bfabb567874495f7fce79878967ccc00fea759597861f3fc73e349

SHA512
aa63684bc29bc4eb16a024944a02f4a55a595d7a651f56716ebc635d91474dcf1ed758a9218401ec1ea6610aa881036c3675909f14a37bcc4bd7157da44e21fc

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
14d9b19e5b801439fe7f34e195b30306

SHA1
8e3c156e9c2fa7054d0456ff8f7e3104fb2694fe

SHA256
2004a8a13c016c92b63404b882ad945f21a86e36000b9cb5ba24cf3acedb0de3

SHA512
1bb0d5eb3a8fd3173da0f5df1f8d9ae045ce2a21dc73bb2af4b57e537d0b8761711527fedcbc2378b8df300baa317ed2608952de0cad3eb37a9886645f6d94db

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
14d9b19e5b801439fe7f34e195b30306

SHA1
8e3c156e9c2fa7054d0456ff8f7e3104fb2694fe

SHA256
2004a8a13c016c92b63404b882ad945f21a86e36000b9cb5ba24cf3acedb0de3

SHA512
1bb0d5eb3a8fd3173da0f5df1f8d9ae045ce2a21dc73bb2af4b57e537d0b8761711527fedcbc2378b8df300baa317ed2608952de0cad3eb37a9886645f6d94db

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
88f89d0f2bd5748ed1af75889e715e6a

SHA1
8ada489b9ff33530a3fb7161cc07b5b11dfb8909

SHA256
02c78781bf6cc5f22a0ecedc3847bfd20bed4065ac028c386d063dc2318c33cc

SHA512
1f5a00284ca1d6dc6ae2dfce306febfa6d7d71d421583e4ce6890389334c2d98291e98e992b58136f5d1a41590553e3ad42fb362247ae8adf60e33397afbb5df

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
0979785e3ef8137cdd47c797adcb96e3

SHA1
4051c6eb37a4c0dba47b58301e63df76bff347dd

SHA256
d5164aecde4523ffa2dcfd0315b49428ac220013132ad48422a8ea4ca2361257

SHA512
e369bc53babd327f5d1b9833c0b8d6c7e121072ad81d4ba1fb3e2679f161fb6a9fa2fca0df0bac532fd439beb0d754583582d1dbfeccf2d38cc4f3bdca39b52d

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
a1b6cebd3d7a8b25b9a9cbc18d03a00c

SHA1
5516de099c49e0e6d1224286c3dc9b4d7985e913

SHA256
162ccf78fa5a4a2ee380f72fbd54d17a73c929a76f6e3659f537fa8f42602362

SHA512
a322fb09e6faaff0daabb4f0284e4e90ccacff27161dbfd77d39a9a93dbf30069b9d86bf15a07fc2006a55af2c35cd8ea544895c93e2e1697c51f2dafad5a9d7

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
a6a9dfb31be2510f6dbfedd476c6d15a

SHA1
cdb6d8bd1fbd1c71d85437cff55ddeb76139dbe7

SHA256
150d32b77b2d7f49c8d4f44b64a90d7a0f9df0874a80fc925daf298b038a8e4c

SHA512
b4f0e8fa148fac8a94e04bf4b44f2a26221d943cc399e7f48745ed46e8b58c52d9126110cdf868ebb723423fb0e304983d24fe6608d3757a43ad741bddb3b7ec

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
755d68cb04411f8c6f86842484b6e38b

SHA1
60fc150591e644eaa14d77e6bdedf125f94c14fd

SHA256
7e659c94c28f575d8ac20add7cecf421136ff19ce91916d255dc98b5ba16d57b

SHA512
b0cc16effb8fbc26bf58e121836e1d95d25e0438b16a21001e6e61173108d206355145d7ac005fd40e40a2ae3bccf24685844322af667754e6d057ba073d5b61

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
461d5af3277efb5f000b9df826581b80

SHA1
935b00c88c2065f98746e2b4353d4369216f1812

SHA256
f9ce464b89dd8ea1d5e0b852369fe3a8322b4b9860e5ae401c9a3b797aed17bf

SHA512
229bf31a1de1e84cf238a0dfe0c3a13fee86da94d611fbc8fdb65086dee6a8b1a6ba37c44c5826c3d8cfa120d0fba9e690d31c5b4e73f98c8362b98be1ee9600

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
b3b04c457159e1a174eee384eb8deec7

SHA1
09971b91bf45ae9f84475c6565aaf1c40b34079d

SHA256
59d0de4eecdb196d8be3856894967f38fea60d3afdd2d42ee7dd61d4638680fd

SHA512
e28bdd2a889110e6235f02eb50ee7da2c49dc7dd8373077518f82bc9fd42bf915fedac9ba0dd2b702879da2e8ab99840b7c65011d66a4a296eb8afc3930531c0

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
b3b04c457159e1a174eee384eb8deec7

SHA1
09971b91bf45ae9f84475c6565aaf1c40b34079d

SHA256
59d0de4eecdb196d8be3856894967f38fea60d3afdd2d42ee7dd61d4638680fd

SHA512
e28bdd2a889110e6235f02eb50ee7da2c49dc7dd8373077518f82bc9fd42bf915fedac9ba0dd2b702879da2e8ab99840b7c65011d66a4a296eb8afc3930531c0

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
5765103e1f5412c43295bd752ccaea03

SHA1
6913bf1624599e55680a0292e22c89cab559db81

SHA256
8f7ace43040fa86e972cc74649d3e643d21e4cad6cb86ba78d4c059ed35d95e4

SHA512
5844ac30bc73b7ffba75016abefb8a339e2f2822fc6e1441f33f70b6eb7114f828167dfc34527b0fb5460768c4de7250c655bc56efd8ba03115cd2dd6f6c91c0

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
a18e20d0362d9da9a4ed8038938c5d74

SHA1
bb07e6e5149ec644eedb850f41039c558c670e4c

SHA256
6f7d536bc81d5a395d8b52f4bd448e36349b8ad4854df5e90e55700487ffaf92

SHA512
dbf8eb5a2069d248305f0c4e61bf1d718b47dfff539cae37ceb47ad73dae431c96d705fa1b17d85cdb984de89c01e38c12e9e7454519f5723550d2af5e4110f6

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
a18e20d0362d9da9a4ed8038938c5d74

SHA1
bb07e6e5149ec644eedb850f41039c558c670e4c

SHA256
6f7d536bc81d5a395d8b52f4bd448e36349b8ad4854df5e90e55700487ffaf92

SHA512
dbf8eb5a2069d248305f0c4e61bf1d718b47dfff539cae37ceb47ad73dae431c96d705fa1b17d85cdb984de89c01e38c12e9e7454519f5723550d2af5e4110f6

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
f575a0246f350985fa8f320c1fb988e4

SHA1
a3673d65222205372abcd05bfc1c660d704a16dd

SHA256
49fc5116b92695b2437c36d17ffdc5fbde99cf3e48ddc9c1a4beb0e396f0d950

SHA512
4b06e54d83e5b42761d16c26a6c19a8a611ae165de94d9d2b8d98915030c0512b068e5c08fcc78cea6fae71d16d29b45bb9a248adf88f5132cea6bed062ed60e

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
3dfb82541979a23a9deb5fd4dcfb6b22

SHA1
5da1d02b764917b38fdc34f4b41fb9a599105dd9

SHA256
0cd6d0ff0ff5ecf973f545e98b68ac6038db5494a8990c3b77b8a95b664b6feb

SHA512
f9a20b3d44d39d941fa131c3a1db37614a2f9b2af7260981a0f72c69f82a5326901f70a56b5f7ad65862630fce59b02f650a132ee7ecfe2e4fc80f694483ca82

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\libcui40.dll

Filesize
125KB

MD5
a43453dc3f04860653ff23db54f91f0d

SHA1
17877adc35e03eb2e7f7a90281a97067a839b70d

SHA256
55135de67a5816c6622ae671c934d5a2bfac1b8f3f09083f64a3ae5997bfbfdf

SHA512
8b97417f00175408eaf348cd2315f954609b98434337c2d822b9e0f11d2d249c584ef8e58fc33ffbd107ef56581964735a62801096779a9f43899e69fd8d9a66

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\libcui40.dll

Filesize
125KB

MD5
a43453dc3f04860653ff23db54f91f0d

SHA1
17877adc35e03eb2e7f7a90281a97067a839b70d

SHA256
55135de67a5816c6622ae671c934d5a2bfac1b8f3f09083f64a3ae5997bfbfdf

SHA512
8b97417f00175408eaf348cd2315f954609b98434337c2d822b9e0f11d2d249c584ef8e58fc33ffbd107ef56581964735a62801096779a9f43899e69fd8d9a66

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\ucrtbase.dll

Filesize
1.1MB

MD5
2040cdcd779bbebad36d36035c675d99

SHA1
918bc19f55e656f6d6b1e4713604483eb997ea15

SHA256
2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359

SHA512
83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
\Users\Admin\AppData\Roaming\GreatSim\Milling\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
memory/1248-122-0x0000000000530000-0x0000000000543000-memory.dmp

Filesize
76KB

Download
memory/1248-132-0x0000000003840000-0x0000000006A40000-memory.dmp

Filesize
50.0MB

Download
memory/1472-133-0x000007FEFBDF1000-0x000007FEFBDF3000-memory.dmp

Filesize
8KB

Download
memory/2000-54-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download