276a5903dbc07e0200bb6206fb03ea67e8d8a05056426d920a781a12e0a90ac8

Analysis

max time kernel
126s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (257) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Winhost.exe

Deletes itself 1 IoCs

pid	Process
3004	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
3004	Winhost.exe
4340	Winhost.exe
4056	Winhost.exe
2312	Winhost.exe
1864	Winhost.exe
5004	Winhost.exe
4772	Winhost.exe
1064	Winhost.exe
1736	Winhost.exe
3680	Winhost.exe
4156	Winhost.exe
1256	Winhost.exe
3736	Winhost.exe
4020	Winhost.exe
4128	Winhost.exe
1376	Winhost.exe
2080	Winhost.exe
2836	Winhost.exe
3624	Winhost.exe
2664	Winhost.exe
440	Winhost.exe
3148	Winhost.exe
752	Winhost.exe
2660	Winhost.exe
4064	Winhost.exe
4164	Winhost.exe
2928	Winhost.exe
4228	Winhost.exe
2952	Winhost.exe
4696	Winhost.exe
4888	Winhost.exe
4316	Winhost.exe
4592	Winhost.exe
3196	Winhost.exe
2932	Winhost.exe
4168	Winhost.exe
4760	Winhost.exe
4600	Winhost.exe
996	Winhost.exe
2520	Winhost.exe
3996	Winhost.exe
1916	Winhost.exe
3400	Winhost.exe
4876	Winhost.exe
4500	Winhost.exe
4844	Winhost.exe
2788	Winhost.exe
4880	Winhost.exe
2816	Winhost.exe
4340	Winhost.exe
1476	Winhost.exe
5112	Winhost.exe
3564	Winhost.exe
4620	Winhost.exe
3532	Winhost.exe
4796	Winhost.exe
1740	Winhost.exe
2460	Winhost.exe
2240	Winhost.exe
4548	Winhost.exe
1728	Winhost.exe
2288	Winhost.exe
1376	Winhost.exe
1504	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1756	powershell.exe
1756	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 1756	3272	Seven.exe	86
PID 3272 wrote to memory of 1756	3272	Seven.exe	86
PID 3272 wrote to memory of 1736	3272	Seven.exe	89
PID 3272 wrote to memory of 1736	3272	Seven.exe	89
PID 3272 wrote to memory of 4992	3272	Seven.exe	90
PID 3272 wrote to memory of 4992	3272	Seven.exe	90
PID 3272 wrote to memory of 4308	3272	Seven.exe	91
PID 3272 wrote to memory of 4308	3272	Seven.exe	91
PID 3272 wrote to memory of 2664	3272	Seven.exe	92
PID 3272 wrote to memory of 2664	3272	Seven.exe	92
PID 3272 wrote to memory of 1156	3272	Seven.exe	93
PID 3272 wrote to memory of 1156	3272	Seven.exe	93
PID 3272 wrote to memory of 1112	3272	Seven.exe	94
PID 3272 wrote to memory of 1112	3272	Seven.exe	94
PID 3272 wrote to memory of 4772	3272	Seven.exe	95
PID 3272 wrote to memory of 4772	3272	Seven.exe	95
PID 3272 wrote to memory of 4128	3272	Seven.exe	96
PID 3272 wrote to memory of 4128	3272	Seven.exe	96
PID 3272 wrote to memory of 4072	3272	Seven.exe	97
PID 3272 wrote to memory of 4072	3272	Seven.exe	97
PID 3272 wrote to memory of 4192	3272	Seven.exe	98
PID 3272 wrote to memory of 4192	3272	Seven.exe	98
PID 3272 wrote to memory of 2660	3272	Seven.exe	99
PID 3272 wrote to memory of 2660	3272	Seven.exe	99
PID 3272 wrote to memory of 4956	3272	Seven.exe	100
PID 3272 wrote to memory of 4956	3272	Seven.exe	100
PID 3272 wrote to memory of 968	3272	Seven.exe	101
PID 3272 wrote to memory of 968	3272	Seven.exe	101
PID 3272 wrote to memory of 4260	3272	Seven.exe	102
PID 3272 wrote to memory of 4260	3272	Seven.exe	102
PID 4956 wrote to memory of 1688	4956	cmd.exe	103
PID 4956 wrote to memory of 1688	4956	cmd.exe	103
PID 2660 wrote to memory of 5072	2660	cmd.exe	104
PID 2660 wrote to memory of 5072	2660	cmd.exe	104
PID 968 wrote to memory of 556	968	cmd.exe	105
PID 968 wrote to memory of 556	968	cmd.exe	105
PID 4192 wrote to memory of 1720	4192	cmd.exe	107
PID 4192 wrote to memory of 1720	4192	cmd.exe	107
PID 4260 wrote to memory of 3004	4260	cmd.exe	106
PID 4260 wrote to memory of 3004	4260	cmd.exe	106
PID 1156 wrote to memory of 2828	1156	cmd.exe	108
PID 1156 wrote to memory of 2828	1156	cmd.exe	108
PID 2664 wrote to memory of 1216	2664	cmd.exe	110
PID 2664 wrote to memory of 1216	2664	cmd.exe	110
PID 3004 wrote to memory of 4340	3004	Winhost.exe	117
PID 3004 wrote to memory of 4340	3004	Winhost.exe	117
PID 4340 wrote to memory of 4056	4340	Winhost.exe	122
PID 4340 wrote to memory of 4056	4340	Winhost.exe	122
PID 4056 wrote to memory of 2312	4056	Winhost.exe	124
PID 4056 wrote to memory of 2312	4056	Winhost.exe	124
PID 2312 wrote to memory of 1864	2312	Winhost.exe	127
PID 2312 wrote to memory of 1864	2312	Winhost.exe	127
PID 1864 wrote to memory of 5004	1864	Winhost.exe	129
PID 1864 wrote to memory of 5004	1864	Winhost.exe	129
PID 5004 wrote to memory of 4772	5004	Winhost.exe	132
PID 5004 wrote to memory of 4772	5004	Winhost.exe	132
PID 4772 wrote to memory of 1064	4772	Winhost.exe	134
PID 4772 wrote to memory of 1064	4772	Winhost.exe	134
PID 1064 wrote to memory of 1736	1064	Winhost.exe	136
PID 1064 wrote to memory of 1736	1064	Winhost.exe	136
PID 1736 wrote to memory of 3680	1736	Winhost.exe	138
PID 1736 wrote to memory of 3680	1736	Winhost.exe	138
PID 3680 wrote to memory of 4156	3680	Winhost.exe	140
PID 3680 wrote to memory of 4156	3680	Winhost.exe	140

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1216	attrib.exe
2828	attrib.exe
1688	attrib.exe
5072	attrib.exe
556	attrib.exe
1720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:1736
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:4308
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1216
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:2828
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:1112
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:4772
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:4128
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:4072
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:1720
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:1688
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:556
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Executes dropped EXE
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        Checks computer location settings
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        Checks computer location settings
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        Checks computer location settings
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        Checks computer location settings
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        Checks computer location settings
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        Checks computer location settings
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        Checks computer location settings
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        Checks computer location settings
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        Checks computer location settings
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        Checks computer location settings
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        80⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        81⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        82⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        83⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        84⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        85⤵
        
        PID:3148

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4316
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3196
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4168
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      PID:4600
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2520
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4876
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4844
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2288
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        
        PID:3104
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4632
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2836
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3880
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        Drops file in System32 directory
        
        PID:2856
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        Drops file in System32 directory
        
        PID:3928
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3840
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        Checks computer location settings
        
        PID:4972
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        Drops file in System32 directory
        
        PID:3424
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4456
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        
        PID:4720
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        
        PID:1004
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        
        PID:1424
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        
        PID:4476
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        
        PID:3612
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        
        PID:2040
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        
        PID:2752
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:3100
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        
        PID:3128
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        48⤵
        
        PID:4324
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        49⤵
        
        PID:1372
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        50⤵
        
        PID:3684
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        51⤵
        
        PID:872
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        52⤵
        
        PID:3296
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        53⤵
        
        PID:3284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.1.filtertrie.intermediate.txt.420

Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.2.filtertrie.intermediate.txt.420

Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837687940046.txt.420

Filesize
77KB

MD5
f02236d4405a64d5d517446b74c7d9e9

SHA1
916bb004951fc6c239cc710aeceaa2230b0bf19d

SHA256
4bfc4df0bdb17685d97b9926b56ca29ed0ad4096ec9d94a6b2043e2c72a04c9b

SHA512
7717eb30b6636be3b1293449c91abdbdbff7ec7c4bf869818814dbef1d7ea74ec33ace21f3a805fa600bd1db2c1a8b5d6c4792d4f39c3061a40b3d0e0b619080

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839712016426.txt.420

Filesize
47KB

MD5
22e53dc5709ced95e3c83af5804336a6

SHA1
0163069ed72c9616e06d8997c1f5d7fba597b0e0

SHA256
a128f39f65bd1068191be32727905f92217b625bde930a65ffae3250ec557373

SHA512
ce53d6e40b75737475193824dba4026508f9315be3a79698c3f5529863fad78bec5456b7e6f5971b08d5df5d753bc3dfe83dfa0aecb180d67ce970f6f2ef8dea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846092837203.txt.420

Filesize
66KB

MD5
4a90573d4e1350bb3cb06a825fbd66de

SHA1
3f3ce3606d802cd06dda067fa2a07dfa745c90df

SHA256
5a74f880421a86087c44f74e3c105c9ec4fd4b1eae138984644c3d51d3e55242

SHA512
b09feba996e833c149a309cb45f56e79998cbdeb7fce71c15ef99a1615468aa62fd4c9b1cf3a4f802c27558a75db4c0885f84d65b1fdee979abde314d07c208c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579867951387195.txt.420

Filesize
75KB

MD5
ab69555e8ae9d8ff1de5605724761c5f

SHA1
3e09f9b5cfaf45fb19a8ff5c3ff884f570015171

SHA256
358df7dc00b3290428a7551c7ea07259efbcd6afee694654809819d1ef6604e5

SHA512
5c372847305cf5157b59e0479367560e3e36291055c93f80e41c33d2a711d35d2009cf314b06ec0c5b925d690957d14ee86218d9b4f9afb1d8883f70cd05793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
77c91d4087daf527f51d3462b8235705

SHA1
1ac9be8957feaa1353ccb06468a3c4037592122b

SHA256
3d4a7778260a02dc1a997be06ab69eb0f1d13516b485ed631f5dbf0ebcfc0f94

SHA512
1feb58d58051145772e45c4cd2f65979046dddd6128d39d3c108c60a0da138bfba5589bb26bc28071442923c0ae099188a9f6fa862d92611b27df8beb5d2c94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
ae649b0a162dafc24b88a5c5f42eddec

SHA1
77586b76849971519c8a45b8fce97ecc9aeeedcb

SHA256
abe98f0b6dd3a8cf43144e7475450f551d294ed37409573c19b0e9fa774f8549

SHA512
ba6fb3e5419f18939e5be31e7aa902fc529715ca469f5e874b1b14f0201bf92ae8451ab35cebbc99387f13b5b3bef45554b9583eea6ea2b6e807a7a88d59a9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
80B

MD5
cabf2d81a1fdd4f6ab4a462fdb59f669

SHA1
c09ac236e603fbd981b47b74417007010dfbb0eb

SHA256
833193d3bc0098b9f64207d2fc13191de355c5d691c350df657d6f788ab479e4

SHA512
8307d3d1ae7d8a3d7fad6a6b75f3f70ea0dd0f2f111ac4cfbb6738e28700accc4a28ce59eb357072d37608fdc502c3cfc3f3aa66c386ab612bab573917f55941

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
56099629156b7048571056cc70cb35af

SHA1
2f81ebbabd710a3cbff9a7f7083164708e7e2aa5

SHA256
a90ef6f8ee7fdeb156955da34e205fdbaed02ab92fdb746eb1323625c74d9183

SHA512
231387f09b86ae8207ee0063faacdd56ef4f4abb5086b00706a4dc0b12034d39692987b495d0dedc9efcbc4c76234c8eae1d545a273da2daac5216354617d2ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
d792e7641605851f59cb32c5086ff7c0

SHA1
d8d111c2e6c970d3eb579562e6302b8beab1c099

SHA256
52942eb20ef991682a823781d636dd7e36f1067aa674214f6d2c526c16747fa9

SHA512
f49dd08ffa6c1e1e47c9a95c044cd4b36ab211c0d239c5e95924c2475496814dad1371490fac8dbddd9bc6b30e1f5071102b50021b0cb1ce27becdcced926197

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2e0jwvn.tf4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Documents\Seven.dll

Filesize
1.3MB

MD5
b5354db7c3200ccec55fd08c45871d59

SHA1
ecc498dcc425d9d803dcd0eec5efba18c654fc58

SHA256
90d1ad22e058d66acca5e10b5095d857fcb295143d4538930650765eaa25367d

SHA512
58a26c369977bc4fe735dfad9abf062a16fa0f2af3decf92f71339c374751ebfc8e4760ddd01266fc70bfe4bb56b936140e776a742a2b188d7a692029ba627c7

Download Submit
C:\Users\Public\Documents\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.420

Filesize
380KB

MD5
1eab13731e31b397c2d937bd7a4cbca7

SHA1
a82849d272c2ba666d11a38fdbaf1fdaf1a9c006

SHA256
7d893f14663588030bfc765905459a9adc35ffe649d64b16af3ce08e4f765b73

SHA512
e729445739ecb9c5d6b0dcb8df0f52286e97f28dfad9bcb36bf16b2c6fdb18c1f1ebfdfbf93cd4ddedd74d6e3fdc3254b0999023a200dae0a7b94cca2f6b2cab

Download Submit
C:\vcredist2010_x64.log.html.420

Filesize
86KB

MD5
0df794a4926931ade27e025318de71f5

SHA1
a2835d72dc2e8bc231e9b92992d6417c7dc262e4

SHA256
0bc2b4a17e5c8111db8eb34a758f418918257d70340a7fa70658bf3e7e534a05

SHA512
0e0d5be412d42f173f81865ff7453790e386e701002161cf1581d8425cb02a29eca66352820c9ccab0c33c8310356f9dc76a3e821ce7b6c14c1b3c8d0633469d

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.420

Filesize
395KB

MD5
46fd901088d544f1d677790d2eff337e

SHA1
a7ca17e9bd9bc7316e6c19d85eb7926465a6d7bb

SHA256
13ca1e522a06c072394df5b360088292a974fee6193e7188b41c51d25e53cbb2

SHA512
37bd2e5b065f7c114ca85f1f6eedc64044973c6e7d88542b27b6e48d4c5260cd2646e20bb0a306cae4a86f531dccdcbab8d16b60f58cc6b41c9dcf08c44f38bc

Download Submit
C:\vcredist2010_x86.log.html.420

Filesize
80KB

MD5
e0f2c72b44d8ddfe51d57445ee2a967f

SHA1
26cae2f90c6f94a361c36d3cf7b0d6df93b2159d

SHA256
9e223ecb362b4fe88e152ac5ec5ebce5dacb797f783d1cb21a4797223496ed7f

SHA512
dfd3f333944394c3cbba8eaea8b5364073b789fe91452ca155357e8ca3a50db7ae2c3feb9575ff01aeb9279247a1e8d1a00bcd7a0544a084ea8828417935d7c8

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.420

Filesize
167KB

MD5
20ef552c3e34590d881b2f894515cf84

SHA1
536a1b7eb37a52db846a8d59f4da7ddeec82d620

SHA256
d1c62dbefe9a66b6b56ba4fbc4f7613cd40736ceb20d41ed8e4927c6898fa01d

SHA512
09af794045f636954fd1093e741e4d6005d0910af09f0c413e62d886dc82afaab85a3f89330e96bbc419b96a4689217f623067b3f0943ef70a0600d4a546d6de

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.420

Filesize
195KB

MD5
11ddce4984daa5ad6a041c17829831f1

SHA1
867a27480967f35b013da3dd1267b252304b546e

SHA256
04412922cd7ef9a3deb60ac7e5a0e7830842de318807e7f9b2f6d360e663f740

SHA512
a9a377a0f4ccca7dc629381ffaaf36f18a85068e1b23171b04d9d7ad8501cc1af18fdfc0a2f94abfeba2e847b41ef52946000894d8babaca3e4a18db430e87d8

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
ed1fc913d119aba9804b5c4b25f7a30f

SHA1
f613d44f24a08ac91b33bd4589229016323fd525

SHA256
8f29094e27e83021294303ad35b02c28881612bd063d85583147670284bd1f13

SHA512
528e8d07728ca461a908935adbc465c08b816b3e784a2bacdd14093632589b77560f298d3068b6c32f5901600bfdefbbc2d20550cd1ad89702622f99a70a5fc1

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.420

Filesize
208KB

MD5
4a35122004a0db2c3343571f749e89f3

SHA1
88c1ea67e6e2dd7ba8dc6e11f5b7f3c64b13a8fe

SHA256
ad979399d026462bf1f7ddc8fc0713b25910b7b03c94c2e8a88771a9d6373f84

SHA512
9683b7c5024f0744c5cd13ab2c3f746072c99bc94e9013249ed830bda225906ec80f9255bd60c974004cc30fe0fdbb4da07470cc02a11eb24504b2d4ed137a45

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
170KB

MD5
2d3cd09bd5b403a7b26e9476e016b9bc

SHA1
3ed7cf525c2e6378f47c260c72e6258247fec6ad

SHA256
2b07b427082d60b7ba4547a1d7f1764df7ce6b5faadeb2e6345daade01de9783

SHA512
b38d494f6a7e525f9e3183aeb5274a924400aed281681e3c25ad310d7fb9af8e6072ca43caf8b60210b7cda978081374ce6b0fda49e59c1c574d13fea7c4e9c4

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
190KB

MD5
f1333dc20e7118023b30b47b575e9382

SHA1
902d7f284488f18950584fd7a17dfdac1a97679c

SHA256
11acf9980340cc4a5fa04eea4d9690543bbb5c3ca9e11b07a51ff5af268d8ec8

SHA512
49505bb5c95eef1b3fb79bff97ed254701d817588ae72ee59868f4d0ebc717cf3a0f3609c60d50ee03cf1ff82914157640b177a99d0eb0b7723784aba14fb624

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
a3ffac93565245bf6f535f980b22851c

SHA1
f5a2a32dd47b546ff513d24bd1e36c725d27b4ae

SHA256
f1cb125df6358219543782c010ad0ff22d092390c69976798b7470306e2d9656

SHA512
ddfdb05c201151e259744dd9d533bf7b2a72187c5be5a5e7e6b2d002b83b2dda3df23b14a63a06101fc46f9a5d51687d3d5ca5afa18286e4fef4b39aba1222ef

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
198KB

MD5
014ee7e6219ad61a714d6e16e4951eac

SHA1
d1ccf4c3e736e26460f52b1587c989c6b5d4e9f4

SHA256
332a7b3c1228d696a273faa1e220f9a8804797e2313284095a467d313b4c0937

SHA512
5fa738cc61c86761285c12bbaecb4e16770470fdf78142ee6c398c63eb346fb21a53b181ebf7714a0c3ca0fa6661abbb1c094076e856084e43580f034d3bffa7

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
123KB

MD5
f00b588084b82344029a8c10cfef0d99

SHA1
a50a35ac336f79d92cd7e46e5e46a87f8ef91945

SHA256
fb996e57ba745d86f5264185176cc74a26b5eb8eab24c5f65d7c456868ab117a

SHA512
90b00fae82d767a8ee4a852ce1c161e5a8c20cf31a8b8432378af3fa29b5c41bcb2b19ac49474ac444fb82c766518726d713d0a50565174e5d9f5fcc93bef0ba

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
129KB

MD5
a17f1d3ea333dc60f6c44255e58c721a

SHA1
d36df335c4da633c07788464cbec98aaa312613f

SHA256
894129381bca7500557cb0afc542c06ecbea35a4ad688ba4ef85cd65bea8a94f

SHA512
5e9ab9b3fd7421ba172a04618ae272ebf51b3b22927613074ca7cd0c289a41b57e1c3bdab0c87bbabd20a39f40a4677fa902516867eeb4227de88b4284577680

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
123KB

MD5
6223046c6df678974c0e0daa79821614

SHA1
8963fc2d4e2118ac02eadd5ebce612850a61f0a0

SHA256
9cc37cf23bbf4f3b956e78765151f10fa7a8b6c299ebee6675ad897a1e8ef5d9

SHA512
bd9760e7e160a1b4ce5cbc3e294f622c77e27dd998e6a01e17374f64baf1f73f694a3abe156a0043dd0e1ddb8e9651468401df4be37721eb752619c647c99d30

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
135KB

MD5
d87ec8ed93d8cecc7a960a2d5e8f8800

SHA1
29c41dc3fda19ccbcbc24c29bae6e1e115a3261a

SHA256
1bcbd86f4ede4b59b2c9cda9e1dbd9a28effe807c21b7cf0caeaf9e6be6ed5ed

SHA512
36cee6f4866101db865af6f78742480c316aa63127df510ca25e9ed361689f37ada6ed38160b3a6d30d521cc055f5825aeda8274f030dcb517eadd2ffbdf1810

Download Submit
memory/1756-15-0x00007FFDBAB20000-0x00007FFDBB5E1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-11-0x000001833F310000-0x000001833F320000-memory.dmp

Filesize
64KB

Download
memory/1756-12-0x000001833F310000-0x000001833F320000-memory.dmp

Filesize
64KB

Download
memory/1756-10-0x00007FFDBAB20000-0x00007FFDBB5E1000-memory.dmp

Filesize
10.8MB

Download
memory/1756-5-0x000001833F220000-0x000001833F242000-memory.dmp

Filesize
136KB

Download