f1662149f835cfa5fe3e22df52987ea04474a122577af31adf04223cededf43d

Analysis

max time kernel
107s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Renames multiple (261) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe

Deletes itself 1 IoCs

pid	Process
1380	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
1380	Winhost.exe
2816	Winhost.exe
4188	Winhost.exe
3392	Winhost.exe
4300	Winhost.exe
3216	Winhost.exe
2820	Winhost.exe
3132	Winhost.exe
2832	Winhost.exe
1464	Winhost.exe
2096	Winhost.exe
4812	Winhost.exe
4384	Winhost.exe
3808	Winhost.exe
4120	Winhost.exe
1784	Winhost.exe
3976	Winhost.exe
5056	Winhost.exe
4440	Winhost.exe
1704	Winhost.exe
1468	Winhost.exe
4952	Winhost.exe
1504	Winhost.exe
3172	Winhost.exe
1980	Winhost.exe
4224	Winhost.exe
1700	Winhost.exe
1908	Winhost.exe
5072	Winhost.exe
2072	Winhost.exe
3716	Winhost.exe
1468	Winhost.exe
4816	Winhost.exe
2940	Winhost.exe
1980	Winhost.exe
2820	Winhost.exe
2360	Winhost.exe
1604	Winhost.exe
4024	Winhost.exe
5012	Winhost.exe
4364	Winhost.exe
3792	Winhost.exe
2212	Winhost.exe
4232	Winhost.exe
1644	Winhost.exe
464	Winhost.exe
5060	Winhost.exe
4356	Winhost.exe
936	Winhost.exe
3160	Winhost.exe
2848	Winhost.exe
1204	Winhost.exe
2040	Winhost.exe
4512	Winhost.exe
3704	Winhost.exe
3596	Winhost.exe
3928	Winhost.exe
4308	Winhost.exe
2956	Winhost.exe
2376	Winhost.exe
4564	Winhost.exe
4364	Winhost.exe
876	Winhost.exe
2108	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Seven.dll	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe

Sets desktop wallpaper using registry 2 TTPs 5 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmprvzlsr.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmppnxohl.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp0gelnm.tmp"	Winhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp5ke1pm.tmp"	Seven.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp3fxlvh.tmp"	Winhost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3196	powershell.exe
3196	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3196	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3196	4864	Seven.exe	87
PID 4864 wrote to memory of 3196	4864	Seven.exe	87
PID 4864 wrote to memory of 3080	4864	Seven.exe	89
PID 4864 wrote to memory of 3080	4864	Seven.exe	89
PID 4864 wrote to memory of 1912	4864	Seven.exe	90
PID 4864 wrote to memory of 1912	4864	Seven.exe	90
PID 4864 wrote to memory of 3104	4864	Seven.exe	91
PID 4864 wrote to memory of 3104	4864	Seven.exe	91
PID 4864 wrote to memory of 2536	4864	Seven.exe	92
PID 4864 wrote to memory of 2536	4864	Seven.exe	92
PID 4864 wrote to memory of 640	4864	Seven.exe	93
PID 4864 wrote to memory of 640	4864	Seven.exe	93
PID 4864 wrote to memory of 3132	4864	Seven.exe	94
PID 4864 wrote to memory of 3132	4864	Seven.exe	94
PID 4864 wrote to memory of 5004	4864	Seven.exe	95
PID 4864 wrote to memory of 5004	4864	Seven.exe	95
PID 4864 wrote to memory of 3976	4864	Seven.exe	96
PID 4864 wrote to memory of 3976	4864	Seven.exe	96
PID 4864 wrote to memory of 3868	4864	Seven.exe	97
PID 4864 wrote to memory of 3868	4864	Seven.exe	97
PID 4864 wrote to memory of 2796	4864	Seven.exe	98
PID 4864 wrote to memory of 2796	4864	Seven.exe	98
PID 4864 wrote to memory of 4240	4864	Seven.exe	99
PID 4864 wrote to memory of 4240	4864	Seven.exe	99
PID 4864 wrote to memory of 1552	4864	Seven.exe	100
PID 4864 wrote to memory of 1552	4864	Seven.exe	100
PID 4864 wrote to memory of 4880	4864	Seven.exe	101
PID 4864 wrote to memory of 4880	4864	Seven.exe	101
PID 4864 wrote to memory of 5036	4864	Seven.exe	102
PID 4864 wrote to memory of 5036	4864	Seven.exe	102
PID 1552 wrote to memory of 4260	1552	cmd.exe	103
PID 1552 wrote to memory of 4260	1552	cmd.exe	103
PID 2536 wrote to memory of 2260	2536	cmd.exe	104
PID 2536 wrote to memory of 2260	2536	cmd.exe	104
PID 4880 wrote to memory of 4924	4880	cmd.exe	105
PID 4880 wrote to memory of 4924	4880	cmd.exe	105
PID 4240 wrote to memory of 2164	4240	cmd.exe	106
PID 4240 wrote to memory of 2164	4240	cmd.exe	106
PID 5036 wrote to memory of 1380	5036	cmd.exe	107
PID 5036 wrote to memory of 1380	5036	cmd.exe	107
PID 640 wrote to memory of 3612	640	cmd.exe	109
PID 640 wrote to memory of 3612	640	cmd.exe	109
PID 2796 wrote to memory of 636	2796	cmd.exe	108
PID 2796 wrote to memory of 636	2796	cmd.exe	108
PID 1380 wrote to memory of 2816	1380	Winhost.exe	111
PID 1380 wrote to memory of 2816	1380	Winhost.exe	111
PID 2816 wrote to memory of 4188	2816	Winhost.exe	114
PID 2816 wrote to memory of 4188	2816	Winhost.exe	114
PID 4188 wrote to memory of 3392	4188	Winhost.exe	116
PID 4188 wrote to memory of 3392	4188	Winhost.exe	116
PID 3392 wrote to memory of 4300	3392	Winhost.exe	118
PID 3392 wrote to memory of 4300	3392	Winhost.exe	118
PID 4300 wrote to memory of 3216	4300	Winhost.exe	120
PID 4300 wrote to memory of 3216	4300	Winhost.exe	120
PID 3216 wrote to memory of 2820	3216	Winhost.exe	122
PID 3216 wrote to memory of 2820	3216	Winhost.exe	122
PID 2820 wrote to memory of 3132	2820	Winhost.exe	124
PID 2820 wrote to memory of 3132	2820	Winhost.exe	124
PID 3132 wrote to memory of 2832	3132	Winhost.exe	126
PID 3132 wrote to memory of 2832	3132	Winhost.exe	126
PID 2832 wrote to memory of 1464	2832	Winhost.exe	128
PID 2832 wrote to memory of 1464	2832	Winhost.exe	128
PID 1464 wrote to memory of 2096	1464	Winhost.exe	130
PID 1464 wrote to memory of 2096	1464	Winhost.exe	130

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4924	attrib.exe
2260	attrib.exe
4260	attrib.exe
3612	attrib.exe
636	attrib.exe
2164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:3080
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:1912
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:3104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2260
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:3612
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  - Drops file in System32 directory
  PID:3132
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:5004
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:3976
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:3868
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:636
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2164
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:4260
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:4924
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5036
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4188
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Executes dropped EXE
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Executes dropped EXE
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        Executes dropped EXE
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        Checks computer location settings
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        Checks computer location settings
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        Checks computer location settings
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        Checks computer location settings
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        80⤵
        Checks computer location settings
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        81⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        82⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        83⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        84⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        85⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        86⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        87⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        88⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        89⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        90⤵
        Checks computer location settings
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        91⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        92⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        93⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        94⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        95⤵
        Checks computer location settings
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        96⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        97⤵
        Checks computer location settings
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        98⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        99⤵
        Checks computer location settings
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        100⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        101⤵
        Checks computer location settings
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        102⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        103⤵
        Checks computer location settings
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        104⤵
        Checks computer location settings
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        105⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        106⤵
        Checks computer location settings
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        107⤵
        Checks computer location settings
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        108⤵
        Checks computer location settings
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        109⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        110⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        111⤵
        Checks computer location settings
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        112⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        113⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        114⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        115⤵
        Checks computer location settings
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        116⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        117⤵
        Checks computer location settings
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        118⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        119⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        120⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        121⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        122⤵
        Checks computer location settings
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        123⤵
        Checks computer location settings
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        124⤵
        Checks computer location settings
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        125⤵
        Checks computer location settings
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        126⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        127⤵
        Checks computer location settings
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        128⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        129⤵
        
        PID:4924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        130⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        130⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        131⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        132⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        133⤵
        Checks computer location settings
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        134⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        135⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        136⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        137⤵
        Checks computer location settings
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        138⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        139⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        140⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        141⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        142⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        143⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        144⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        145⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        146⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        147⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        148⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        148⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        149⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        150⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        151⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        152⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        153⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        154⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        155⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        156⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        157⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        158⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        159⤵
        
        PID:4240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        160⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        160⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        161⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        162⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        163⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        164⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        165⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        166⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        167⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        168⤵
        
        PID:4860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        169⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        170⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        171⤵
        
        PID:3624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        172⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        172⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        173⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        174⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        175⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        176⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        177⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        178⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        179⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        180⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        181⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        182⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        183⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        184⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        185⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        186⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        187⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        188⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        189⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        190⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        191⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        192⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        193⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        194⤵
        
        PID:468

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Drops file in System32 directory
PID:2248
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Drops file in System32 directory
  PID:1068
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    - Drops file in System32 directory
    PID:3612
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      Drops file in System32 directory
      PID:2596
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        Drops file in System32 directory
        
        PID:1136
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:428
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        Drops file in System32 directory
        
        PID:3636
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        Drops file in System32 directory
        
        PID:1776
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        
        PID:1176
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        
        PID:1808
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        
        PID:5020
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        
        PID:4712
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        
        PID:3128
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        
        PID:208
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        
        PID:3512
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        
        PID:3904
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        
        PID:1412
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        
        PID:4392
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        
        PID:1136
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        
        PID:2928
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        
        PID:1264
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        
        PID:1616
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        
        PID:4396
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        
        PID:4940
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        
        PID:3944
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        
        PID:1988
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        
        PID:368
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        
        PID:3408
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        
        PID:5056
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:376
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        
        PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.1.filtertrie.intermediate.txt.420

Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.2.filtertrie.intermediate.txt.420

Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086555234279.txt.420

Filesize
77KB

MD5
77f02ab082cfb1f17d0e0e2a8165366c

SHA1
53f28b5730d27ed820dd574427ebef84ce1b9a18

SHA256
deb45be1066c15a749e55a6b7fea077dd996192bcc2e59460180f8dc0627b4ac

SHA512
6f268b7558b260128277f1ed4ac610138820b6ad3620e7738693fa61d863549cf0c0b57652ab9ca9fbed6516ea4d550b3b210ef3f073de79f40aafdb3b4c1a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092054450232.txt.420

Filesize
48KB

MD5
d2d98991640f351111e835d43a2aa274

SHA1
e16657b9474a518cf5e2cc6b2bc1c52763a54f2b

SHA256
5ad85386a3c6dc1cf4c48ddca9151b221d2673f79c2fb3e12fa93042dded0e36

SHA512
75f2a271f29ad3cd9681e1cf773ed469dfe19194bd9f40837897e2fffe45579b132b9f114aa55d5fd42df15a8937a00e92e3fad7257ad408a162e7eb785a39f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094898087075.txt.420

Filesize
66KB

MD5
49decfe81666667c457426ab0aaef75f

SHA1
acc34ab1529ea7dd693f03363c142bdef769a7cd

SHA256
a43dba137e9a0e50daf794f7b2969acd3dd4232f05736aa7112ef57b86216de4

SHA512
bd0dd2daf63f9deddca74b6ee2f36c54efe05f920a33af26b14609850e87f9743169c6f7f5552bd38a3bc5257a29b5fe16950bba31ec1f62d56c5fff3ec5b302

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589193787380275.txt.420

Filesize
62KB

MD5
fa857eda8e8755189415dbd365022f7f

SHA1
4c99d5630a26cecebe8068b15d3b98e3e686b28a

SHA256
f9cdd6248aea0dbffd41e7b1289044158625d67867fe16a054fe130fac09beb3

SHA512
176f663e422a715c760a8eb587fe7bb2cf673f488c5f3eed2c673261246b0d7aa4c31f9d63e84d0a67011878d8618cb682e4fb4a0347a5b2a5b782cd32286325

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
147B

MD5
ad8076b56c2646e1a032ce3bcfa4cd36

SHA1
2bfc3462a478da0481d3e3761eb6f0763b66659f

SHA256
a61fd5a27c3e6e4707b8999e5a51b0b0d3c3a44f00dfe978b2af5cff4ff5bb74

SHA512
333f667d5d8f77108d30c84a654fc7f31459b6b371919da895496a75a08ece59d9fa2fc8b6ca5afaeaba0b5c09730d067af332a4207b0c974eabc578e1358141

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
64B

MD5
76454eaa9a92ea0ec20c75bed1a04379

SHA1
7a2cbdb0d1905871402e3295d56707d22d435a39

SHA256
dc2c35f48cdb33d230069b08b6e82e4dbf6099683041f983aab0f34d5593e811

SHA512
7b8360530fb19859cb31c149c9bb3ae0e1931645f09ffae050d210d8c82c803f3e4c5c9e2cda5cff3b046e2ff0c436ba08a71b18321667ec95b07fa732d4a8b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
64B

MD5
48bcc0763691bfda239c7d7e291292e1

SHA1
0a13f394dae9f2a0a281f2733ee96d3718a1d8a7

SHA256
17857219bf74cf54c38663c3c37328ab9eb3e295df760b66ddd8d2b054d43746

SHA512
c5df2c005845cef1f5d3accc5c6ca617679480aef1aefc8ecfb2912f23ec8fd7dcf3ce266fa42e8433b9fe492160a9b4978a0612a115db6f703bb2ff1b973763

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
a75413dd151a0b6898ac72f5af10abba

SHA1
af1bd0dbde96cd8128a6ce61532290b75e7556ea

SHA256
36b7580dc19e2d6c7d50ea92c99c4827026b9d981816d3535cde8901d3a22ac4

SHA512
9b664a2e4b8f31ce9282933530f47cec6e806d77992ba7b3f2986231ef3601e451f1b6c4603a20439b606fe57ac7b6c842fd3b141dfd90a4998e0f0a3204290d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
e26a194cfb44ea9fd8bc3c43bad68198

SHA1
890cc6b90161311f84a2cf4af65e2c3f4fb94ddb

SHA256
69b6971938a5e499308e9f5d3ce0759af1277ff4174c34830338bb4ac9b4dc11

SHA512
b7483dc49a99d52917c3875c5cfc30ef9c2dfe343fceed0945e7632cecb278c80b0a3a4ac9fc0e946d935f809147930bd4a8b783967299e8b1bf2939559eab1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5e1oe2t.rjb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp0gelnm.tmp

Filesize
187KB

MD5
893b1b77cb2fab0d42b0ce43d30a1d67

SHA1
3b18999fbd622e364f9f1de33ae5a120ad1df3fb

SHA256
a8b9c649d5d7217bd3249433a9d67162bcc9c1cf4b7a71dffa2fe773c4307d07

SHA512
073a99535e8aa3cec853ada0f8f14ffb4fe9d7d9175b77f3db569471953c8afbec58a57d3ee613959e188d337fedb4cc7ec2310977da8210eea1dab1658ea6c9

Download Submit
C:\Users\Public\Documents\Seven.dll

Filesize
1.3MB

MD5
c911e21fe70e167d8f9bee1703415553

SHA1
c892220ff96d2d5816a3c3e6a0247620450fa7ed

SHA256
03a644a944153208259729776d6a0b32cd9016d8a8087757430c6c8f32865af5

SHA512
784790551beccdf1db88ddcb7e7bd59a6d796742f753e69e4125698a09f60f0af64918a3746f714aa9f506ab276a50bdbe492e458481f2c9d7925dfea57dfbd7

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.420

Filesize
379KB

MD5
ec627c580b4798ee47f5957a2751cab7

SHA1
62c47f6aea3b228dbd1ceaa8839626866babbbb6

SHA256
4251f26e935f39748713aec792b3e1f5998c22bfba2fdcc85703a9fe049a9ce6

SHA512
ae9ab8f31a679cf35e61ff989185723957785febc460903297ec757c1baa0de9e0b00c20efef5d0a4d9c165b6fee7acd94813a2c06b22a96be6cbba9f6e222e9

Download Submit
C:\vcredist2010_x64.log.html.420

Filesize
86KB

MD5
1a60c926be271d19cc352facd78bf9b6

SHA1
efbdd406a718c7a96d9cf5646fb0255ec0c92d3d

SHA256
6c553389c919872c7c8a9a0ba6e49b1bc0b3d5c1cabb85d5ba33e1630d093922

SHA512
c1befc20a1fbb7aab77066a3c7a56520fc60682b18721bb780e16a58b8e1218ff01c4482661043ae676021d82ce783e994691d9be92a52c3180fdb05467e6878

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt.420

Filesize
395KB

MD5
4570ffab32baaaaf96ee2a20ed3bff61

SHA1
50e4de459344e8eabc97f516e5c70fbba80b5703

SHA256
5568e3df438dcedd8c2dc5a4b9d53ea5e0ff80cae38bd5d3542b5e2bab883e42

SHA512
844f5048e0414da1d23b59244f4c2fde2d6ce9177a497bbdc217816ada6166de973d5008c0da25885150a8132f1b7fabd0ef30504992e7e559781239bfa97c12

Download Submit
C:\vcredist2010_x86.log.html.420

Filesize
81KB

MD5
f52ddddf5fc4a6c396f76201c5744ea1

SHA1
20e58c28cf3694386c5557b2e4a30b0471c00aef

SHA256
b76f68ae65773137b8222988c6cb479ea37de8da1b3298bc01fe160aa0a235e8

SHA512
46124cdc6be83a96d38b5c65558dafbf57260114fcd6d54a895e498c02820e34d6d7c6f0c67c5ed9afc6f23f1896d1c54396e9683783e5e21884471ac237dae3

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.420

Filesize
168KB

MD5
0dde2ba76ec28c7bbcf22d2fb7990b31

SHA1
cab9ecac1e99705e91224d73fc9d997848ae7400

SHA256
dd708a4b70291e50693dde7579311e5af7c165a4d2005c706dc4780bba697706

SHA512
58cb4f4ad1123786d7f52e9210b59ea881365f913076309503fa7d33e26020de7a6e262cfde827e74ff584d216054e8dc3d2cbb5257f9c917f2426074cc80716

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.420

Filesize
195KB

MD5
8a699be27ca3f4134eecfdfa80b17226

SHA1
28550d35cd340e27cd5dcb41296f270693663f56

SHA256
6cda699bdf332067e9e182fd723376caa30c493decd3e2eca0aa4fe63af7cf1a

SHA512
8a054445dee60f3275a4b9cd19f9685715c95bc09e5eb8505e4eb91073098a1aca745fc35a0d7b84addeb5afbb963e50af70367e25a15d5133179c5da9cae9a2

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log.420

Filesize
171KB

MD5
4070dfb8f5bbe25743395765be1acb55

SHA1
258bc6c51599ca851b85465f739384bd1552d92a

SHA256
512f59ca0233bc872205d04dec068449b43a2294b320355b0f457109f4a8718d

SHA512
665a1ed2e9e0af0c72c3d9f3037091c162c4d594094205e0047b6c3eb7b292044f2bd823141511104d4fcff7f3fdca460f665179fff3cda114a82112f1fdbcdf

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log.420

Filesize
208KB

MD5
04c367f03dce65540a22457efc110deb

SHA1
fa709489ff08a99fd43db9b2eeb82688d755e4f9

SHA256
c7357a870c4e99a38e5114b408ff2eeb7830263b9785643312453e57308a60d4

SHA512
33ca0cb225935d5f6d7f8e8c458147608028ca4cda2c45c25de3adf5e600a5c032f5e7c03a6bff4d7d5a502a44b4d6ad3a6f0ae81f8c6f5df179ad20bdcfeacf

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
170KB

MD5
e5b76d3369fbe2e85f036553558dedaa

SHA1
7e71ef7fe838477c8cea67d4b413871145959f56

SHA256
aad733b3f9bec9f516f9505840393e6fb6f4ce1264ed8f5b17ac13188915f46c

SHA512
db0593dcde846edeac938f4232cb41e0a4e4bf5d03f53acbf0ae954054f14fa98564c0360b2694be29f497836ff532227f4a1be02d00ed8c2b7360dc5180d341

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
191KB

MD5
d528c8dc914dcf15da7083b6f125cb23

SHA1
43cf4de78e17596d1b4fdb43a707648d49fb73b2

SHA256
ab6fa2ed58479f9875b85e83edbffb30fff56837c50925e6e013b4bce4da6093

SHA512
83e080933420cc9e1bb6a3e6f21c21fb10b1afa71bfb949061e0748a40d7ae7521823a6ab5b5febca966829f4ab647c3e00da57bce211c4a6f021d91d6cac80e

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
170KB

MD5
07597ed5cfb65e1bb3766af611e2a61f

SHA1
35371690c06d393e018566bf0feeacc04456d668

SHA256
a7b8b692cf818a2227e15665306d561d74180ae1b41e6076748828155ce617af

SHA512
41457191bd79b25f6015ab3d46159e378b741b8e602263a94a11b3a2d31888b0864f86a9912a27d33a80ccbe2f2a5fc8948d6de8709965999623a6f7779bba55

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
198KB

MD5
ad34df0bebc53d6be537c6944ee88c05

SHA1
4d6fe2e138e2606457f0e959d8f3fbdf940697ca

SHA256
caaab5a1efca26f90ec898edd427e25b73684d23819458722f67f7e9714f01ce

SHA512
2ef78f20b7ddd51407b7ed682d4163a904c73a24b084c005d09050c56e425d218ce25700ece2335f714be3fa3ec93dbb2dd5e4123e806fce46c6b2e1688211d1

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log.420

Filesize
123KB

MD5
747d2069b15988798c1bc481e4c55944

SHA1
8dc9b8d598dde8f7e3a9efae99b1f7a937697c87

SHA256
9ed139b9a36c404285429a47ecc1d8d08a0d966ed7cacd54f87abe738e09949c

SHA512
cae19f483c0e9de5282960ba1728bd88a09c78c01fb9f9f87c0581483bb07e84e296eac72de161d67bbb0a16a48927ff658d3ec3917c59ffc33368c696e61ea3

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log.420

Filesize
129KB

MD5
39f18b054bbc6f180e3e422546ffbde2

SHA1
929d7e7ecba538053d1184d2ad6fe3521190c76d

SHA256
de293fef70ec40f557ff91ba891237e2b5d2e7efe4ec511504186b04c5c00932

SHA512
c16f08b271c697dc369cc6ef0bf5d4a5cb8bdd01a208165650aea4dcf54bd1bbfe8203ebec8ed2c61a34196242f7604acbb3ceefd7eb25ac0678b67340414870

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log.420

Filesize
123KB

MD5
e2067f0387ff733b290070707b3eee1b

SHA1
7b738b8d77e4a33b076132aa32b8f05d02b07e80

SHA256
b3be683582f8fd21adae20557dc80e06a45b555e4f68feeab55752d47d111c81

SHA512
b753ca2ed377e0f6faed66d40425dc416e351cf8fdfba555a06e7aacb1ad2b76e1d8866cfc208b2383f284cb4e4a8e23072db57dc3e30351ecde571ebf151f59

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log.420

Filesize
135KB

MD5
65edfa37071a564dd763a819743f84c3

SHA1
c17a24691cbf5174252d2324dceb449e0b12c8f4

SHA256
17f20e2e7021a7ae16c6ef17e256fd3403f710a40a337860f59e2125c0e95587

SHA512
40df56e774bf51bb164dc81af8496b6091eadf60029a63b13eb8d80f48630478b51da588fc1e48936c4c40f6dcd64383cc4df88e28c7480518c82b253784b07b

Download Submit
memory/3196-16-0x00007FFB1C150000-0x00007FFB1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3196-12-0x00000262FCEA0000-0x00000262FCEB0000-memory.dmp

Filesize
64KB

Download
memory/3196-13-0x00000262FCEA0000-0x00000262FCEB0000-memory.dmp

Filesize
64KB

Download
memory/3196-11-0x00007FFB1C150000-0x00007FFB1CC11000-memory.dmp

Filesize
10.8MB

Download
memory/3196-6-0x00000262FCE30000-0x00000262FCE52000-memory.dmp

Filesize
136KB

Download